Opened 17 years ago
Closed 17 years ago
#1257 closed Bug (wontfix)
Security problem: file extension blacklist in upload connectors allows uploading executable scripts
| Reported by: | Allb Bezroutchko | Owned by: | |
|---|---|---|---|
| Priority: | Normal | Milestone: | |
| Component: | General | Version: | |
| Keywords: | | Cc: | |
Description
The upload connectors have a black list for File type uploads. For example, for the ColdFusion connector, the file editor/filemanager/upload/cfm/config.cfm contains the following:
```
config.allowedExtensions["File"] = "";
config.deniedExtensions["File"] = "html,htm,php,php2,php3,php4,php5,phtml,pwml,inc,asp,aspx,ascx,jsp,cfm,cfc,pl,bat,exe,com,dll,vbs,js,reg,cgi,htaccess,asis,sh,shtml,shtm,phtm";
```
ColdFusion 8 running on Microsoft IIS executes files with the following extensions: .cfc, .cfm, .cfml, .cfr, .cfswf, .jsp, .jws
.cfml, .cfr, .cfswf, .jsp, .jws are not in the black list, so it is possible to upload files with those extensions and the server will execute them. This leads to arbitrary code execution.
I believe that this problem is not limited to the ColdFusion connector. Rather, it is a problem with the black list approach. It is nearly impossible to maintain an exhaustive black list that includes every extension that some server somewhere will execute.
I would suggest commenting out File type in upload and browser connectors (for all connectors, not just ColdFusion) and adding a comment saying that the user can uncomment this at his own risk and has to carefully check which types of files his server executes and write his own black list.
We'll be moving to the white list approach. Check out #1325.
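
The black list and white list checks discussed in this ticket, side by side, as an added example that is not FCKeditor's connector code. The function names and the contents of `ALLOWED` are assumptions made for illustration; the deny list and the list of executed extensions are copied from the ticket text.

```python
# Added illustration; not FCKeditor code. Function names are hypothetical.
import os

# Deny list copied from the config.cfm line quoted in the ticket.
DENIED = set(
    "html,htm,php,php2,php3,php4,php5,phtml,pwml,inc,asp,aspx,ascx,jsp,cfm,cfc,"
    "pl,bat,exe,com,dll,vbs,js,reg,cgi,htaccess,asis,sh,shtml,shtm,phtm".split(",")
)

# Extensions the ticket says ColdFusion 8 on IIS executes.
EXECUTED_BY_CF8_IIS = ["cfc", "cfm", "cfml", "cfr", "cfswf", "jsp", "jws"]

# Assumed allow list for the "File" type; choose what the site actually needs.
ALLOWED = {"pdf", "txt", "zip", "doc", "csv"}


def extension(filename):
    """Return the final extension, lowercased, without the dot ("" if none)."""
    # Drop any client-supplied path, then trailing dots and spaces, which
    # Windows removes when the file is written ("a.cfm." is stored as "a.cfm").
    name = os.path.basename(filename.replace("\\", "/")).rstrip(". ")
    return name.rpartition(".")[2].lower() if "." in name else ""


def denylist_accepts(filename):
    """Black list logic: accept anything that is not explicitly named."""
    return extension(filename) not in DENIED


def allowlist_accepts(filename):
    """White list logic: accept only what is explicitly named."""
    return extension(filename) in ALLOWED


def denylist_gaps():
    """Executed extensions from the ticket that the quoted deny list accepts."""
    return [e for e in EXECUTED_BY_CF8_IIS if denylist_accepts("upload." + e)]


if __name__ == "__main__":
    print("accepted by deny list:", denylist_gaps())
    # Constructed sample file names.
    for name in ["report.pdf", "page.CFML", "page.cfm.", "noext"]:
        print(name, denylist_accepts(name), allowlist_accepts(name))
```

Run against the list exactly as quoted above, `denylist_gaps()` returns `cfml`, `cfr`, `cfswf` and `jws`. Anything new or unknown fails the allow list by default, so it does not need updating each time a server gains another executable extension.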