Ticket #1868 (closed New Feature: fixed)
File browser may be blocked because of possible "Path traversal" attack
| Reported by: | wwalc | Owned by: | alfonsoml |
|---|---|---|---|
| Priority: | Normal | Milestone: | |
| Component: | File Browser | Version: | |
| Keywords: | Confirmed Review+ | Cc: | |
Description
In Apache, mod_security is usually installed ( http://www.modsecurity.org/) - it is commonly used to detect and prevent possible attacks. A quick example from the official mod_security site ( http://www.modsecurity.org/documentation/quick-examples.html):
# Prevent path traversal (..) attacks
SecFilter "\.\./"
A similar rule is available in the "Apache 2.x rules" at http://www.gotroot.com/:
##generic recursion signatures
SecRule REQUEST_URI "!(alt_mod_frameset\.php)" "chain,id:300004,rev:2,severity:2,msg:'Generic Path Recursion denied'"
SecRule REQUEST_URI "\.\./\.\./"
#generic path recurision si
The problem is that ../.. is used by FCKeditor:
http://www.fckeditor.net/fckeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=../../connectors/php/connector.php
so it may be blocked in rare cases.
We should avoid passing ".." in URLs.
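The interaction the description reports, as an added example that is not part of the ticket and is not FCKeditor or mod_security code: a small Python script applies the two quoted rules to the file browser URL as plain regexes (including the alt_mod_frameset.php exclusion in the chained gotroot rule), then rewrites the Connector parameter to an absolute path by resolving it against the browser page itself. That rewrite is an assumed illustration of "avoid passing .. in URLs", not the patch attached to this ticket. The request_uri helper URL-decodes before matching on the assumption that mod_security normalises the request the same way, so percent-encoding the dots is not a workaround.

```python
"""Added example (not FCKeditor or mod_security code): emulate the ticket's
mod_security filters against the file browser URL, then show the same URL
with the Connector parameter resolved to an absolute path."""
import re
from urllib.parse import parse_qsl, unquote, urlencode, urljoin, urlsplit, urlunsplit

# The two rules quoted in the ticket, as plain regexes.
SECFILTER_TRAVERSAL = re.compile(r"\.\./")      # SecFilter "\.\./"
GOTROOT_RECURSION = re.compile(r"\.\./\.\./")   # SecRule REQUEST_URI "\.\./\.\./"
GOTROOT_EXCLUSION = "alt_mod_frameset.php"      # first link of the chain: !(alt_mod_frameset\.php)

# The URL from the ticket (copied from the description).
BROWSER_URL = ("http://www.fckeditor.net/fckeditor/editor/filemanager/browser/default/"
               "browser.html?Type=Image&Connector=../../connectors/php/connector.php")


def request_uri(url: str) -> str:
    """Path plus query string, i.e. what REQUEST_URI holds.
    Assumption: the filter inspects the URL-decoded request, so '%2e%2e/'
    is matched exactly like '../'; we decode before matching."""
    parts = urlsplit(url)
    uri = parts.path + ("?" + parts.query if parts.query else "")
    return unquote(uri)


def blocked_by(url: str) -> list:
    """Names of the ticket's rules that would fire on this URL (empty = passes)."""
    uri = request_uri(url)
    hits = []
    if SECFILTER_TRAVERSAL.search(uri):
        hits.append("SecFilter ../")
    # Chained rule: fires only when the exclusion does NOT match AND ../../ matches.
    if GOTROOT_EXCLUSION not in uri and GOTROOT_RECURSION.search(uri):
        hits.append("gotroot ../../")
    return hits


def absolutize_connector(url: str) -> str:
    """Rewrite the Connector query parameter so it no longer contains '..'.
    The relative value is resolved against the browser page, which is where the
    browser would resolve it anyway, and replaced by the resulting absolute path.
    (Illustrative fix assumed for this example, not the ticket's patch.)"""
    parts = urlsplit(url)
    page = urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))
    rewritten = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key == "Connector":
            value = urlsplit(urljoin(page, value)).path
        rewritten.append((key, value))
    query = urlencode(rewritten, safe="/")   # keep '/' readable in the path value
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, ""))


if __name__ == "__main__":
    print("original :", blocked_by(BROWSER_URL))
    fixed = absolutize_connector(BROWSER_URL)
    print("rewritten:", fixed)
    print("rewritten:", blocked_by(fixed))
    # Percent-encoding the dots does not help: the filter sees the decoded URI.
    print("encoded  :", blocked_by(BROWSER_URL.replace("..", "%2e%2e")))
```

Running it shows both rules firing on the original URL, nothing firing on the rewritten one (its Connector value becomes /fckeditor/editor/filemanager/connectors/php/connector.php), and both rules still firing on the percent-encoded variant.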
Attachments
Change History
comment:2 Changed 4 years ago by alfonsoml
- Keywords Review? added
- Owner set to alfonsoml
- Status changed from new to assigned
Could you verify if this patch does fix the issue?
comment:3 Changed 4 years ago by wwalc
- Keywords Review+ added; Review? removed
Ok, FCKeditor passes the "\.\." checks now.