Opened 11 years ago

Closed 11 years ago

#1257 closed Bug (wontfix)

Security problem: file extension blacklist in upload connectors allows uploading executable scripts

Reported by: Allb Bezroutchko
Owned by:
Priority: Normal
Milestone:
Component: General
Version:
Keywords:
Cc:

Description

The upload connectors have a black list for File type uploads. For example, for ColdFusion connector the file editor/filemanager/upload/cfm/config.cfm contains the following:

config.allowedExtensions["File"] = "";
config.deniedExtensions["File"] = "html,htm,php,php2,php3,php4,php5,phtml,pwml,inc,asp,aspx,ascx,jsp,cfm,cfc,pl,bat,exe,com,dll,vbs,js,reg,cgi,htaccess,asis,sh,shtml,shtm,phtm";

ColdFusion 8 running on Microsoft IIS executes files with the following extensions: .cfc, .cfm, .cfml, .cfr, .cfswf, .jsp, .jws

.cfml, .cfr, .cfswf, .jsp, .jws are not in the black list, so it is possible to upload files with those extensions and the server will execute them. This leads to arbitrary code execution.

I believe that this problem is not limited to the ColdFusion connector. Rather, it is a problem with the black list approach. It is nearly impossible to maintain an exhaustive black list that includes every extension that some server somewhere will execute.

I would suggest commenting out File type in upload and browser connectors (for all connectors, not just ColdFusion) and adding a comment saying that the user can uncomment this at his own risk and has to carefully check which types of files his server executes and write his own black list.
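
The following is an added illustration, not code from the ticket or from the FCKeditor connectors: it reproduces the denied-extension list quoted above as a blacklist check, runs the reporter's list of extensions that ColdFusion 8 on IIS executes through it to find the gaps, and contrasts it with a whitelist check. It is written in Python rather than the connector's CFML for portability; the allowed list `ALLOWED_EXTENSIONS`, the sample upload names, and the trailing-dot normalisation (Windows file systems drop trailing dots and spaces) are assumptions made for the example.

```python
import posixpath

# Denied extensions exactly as quoted from editor/filemanager/upload/cfm/config.cfm
DENIED_EXTENSIONS = set(
    "html,htm,php,php2,php3,php4,php5,phtml,pwml,inc,asp,aspx,ascx,jsp,cfm,cfc,"
    "pl,bat,exe,com,dll,vbs,js,reg,cgi,htaccess,asis,sh,shtml,shtm,phtm".split(",")
)

# Extensions the reporter says ColdFusion 8 on Microsoft IIS executes
CF8_IIS_EXECUTABLE = {"cfc", "cfm", "cfml", "cfr", "cfswf", "jsp", "jws"}

# Hypothetical whitelist for the "File" upload type (assumption: the site only
# needs documents and archives; a real deployment lists what it actually serves)
ALLOWED_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "zip", "txt"}


def extension_of(filename):
    """Lower-cased final extension of an uploaded name, "" if it has none.

    Path separators are stripped so a client-supplied path cannot hide the name,
    and trailing dots/spaces are removed because Windows ignores them when the
    file is created ("shell.cfml." is stored as "shell.cfml").  Lower-casing
    matters because IIS resolves handlers case-insensitively.
    """
    name = posixpath.basename(filename.replace("\\", "/")).rstrip(". ")
    if "." not in name:
        return ""
    return name.rsplit(".", 1)[1].lower()


def blacklist_allows(filename):
    """The connector's approach: accept anything not explicitly denied."""
    return extension_of(filename) not in DENIED_EXTENSIONS


def whitelist_allows(filename):
    """The approach the ticket asks for: accept only what is explicitly allowed.

    A name with no extension is rejected too, since nothing vouches for it.
    """
    ext = extension_of(filename)
    return ext != "" and ext in ALLOWED_EXTENSIONS


def blacklist_gaps(executable_extensions):
    """Extensions a given server executes that the blacklist does not cover."""
    return sorted(e for e in executable_extensions if e not in DENIED_EXTENSIONS)


def audit(filenames):
    """Decide each constructed upload name under both policies."""
    return [(f, blacklist_allows(f), whitelist_allows(f)) for f in filenames]


if __name__ == "__main__":
    # Constructed sample upload names, not data from the ticket
    samples = ["report.pdf", "shell.cfm", "shell.cfml", "SHELL.CFR.", "x.jws", "noext"]
    print("executable but not denied:", blacklist_gaps(CF8_IIS_EXECUTABLE))
    for name, black, white in audit(samples):
        print(f"{name:14} blacklist={'accept' if black else 'reject':6} "
              f"whitelist={'accept' if white else 'reject'}")
```

Run against the denied list quoted in the ticket, `blacklist_gaps` reports cfml, cfr, cfswf and jws as executable-but-accepted (jsp is already present in the quoted list), which is the class of gap the reporter describes; the whitelist rejects every one of them without anyone having to know the server's handler map in advance.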

Change History (1)

comment:1 Changed 11 years ago by Frederico Caldeira Knabben

Resolution: wontfix
Status: new → closed

We'll be moving to the white list approach. Check out #1325.

© 2003 – 2017 CKSource – Frederico Knabben. All rights reserved.