Please explain which server environment you are running. .phar should not be executable by the web server. It is not executable by default in Apache configurations that I know of.
Is this a default configuration for some common server setup? Are there other executable extensions besides .phar in this setup?
Anyway, it is probably a good idea to deny .phar uploading via web file manager. And possibly even to disable PHP execution inside wa-data/public/site directory. Thank you again for your vigilance :)
It's a LAMP environment that uses a default Vesta Panel deployment, and the installation of Webasyst was automated through Softaculous. I assume it is something default with this setup because I haven't made any modifications to allow such extensions to be executed. Either way, as you already mentioned, I absolutely agree: nothing should be executed from wa-data/public/site, and .phar extensions shouldn't be allowed either.
The web application does not allow file uploads with dangerous extensions such as .php
webasyst-framework-master\wa-system\controller\waUploadJsonController.class.php
The above filtering is insufficient since it is possible to upload files with extensions that will be executed such as .phar
Tested on version: 2.7.2.732
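As an added illustration of the filtering gap reported above (this is not Webasyst's code): an upload-name check where the final extension must be on an allowlist and script-like extensions are rejected anywhere in the name, so .phar fails without relying on a .php-only denylist. The function name, the allowed-extension list and the script-extension pattern are assumptions.

```php
<?php
// Added example, not Webasyst code. Names and lists below are assumptions.

// Extensions the file manager is willing to store (assumed; adjust per site).
const ALLOWED_UPLOAD_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'webp', 'pdf', 'txt', 'css'];

// Extensions commonly mapped to an interpreter or handler (assumed list).
const SCRIPT_EXTENSION_PATTERN = '/^(ph(p\d*|tml|t|ar|ps)|cgi|pl|py|sh|shtml)$/';

function isUploadNameAllowed(string $name): bool
{
    // Reject NUL bytes and other control characters before any parsing.
    if (preg_match('/[\x00-\x1f]/', $name)) {
        return false;
    }
    // Keep only the base name, whichever path separator the client sent.
    $base = basename(str_replace('\\', '/', $name));
    // Some filesystems strip trailing dots and spaces: "x.phar." is stored as "x.phar".
    $base = rtrim($base, '. ');
    // Dotfiles such as .htaccess or .user.ini change how the directory is served.
    if ($base === '' || $base[0] === '.') {
        return false;
    }
    $parts = explode('.', strtolower($base));
    if (count($parts) < 2) {
        return false; // no extension at all
    }
    array_shift($parts); // drop the stem; what remains are the extensions
    // Check every extension, not only the last one: a handler mapping can
    // match an extension in the middle of the name (e.g. "x.phar.jpg").
    foreach ($parts as $ext) {
        if (preg_match(SCRIPT_EXTENSION_PATTERN, $ext)) {
            return false;
        }
    }
    return in_array(end($parts), ALLOWED_UPLOAD_EXTENSIONS, true);
}

// Constructed sample names, not taken from the report.
$samples = ['logo.png', 'shell.php', 'tool.phar', 'TOOL.PHAR',
            'x.phar.jpg', 'x.phar.', '.htaccess', 'notes.txt'];
foreach ($samples as $n) {
    printf("%-12s %s\n", $n, isUploadNameAllowed($n) ? 'accept' : 'reject');
}
```

Only `logo.png` and `notes.txt` are accepted from the sample list. A name check like this complements, and does not replace, disabling script execution in the upload directory as suggested in the thread.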