
Insecure file upload - Code execution #370

Open
emaragkos opened this issue Jun 20, 2023 · 3 comments

Comments

@emaragkos

emaragkos commented Jun 20, 2023

The web application does not allow file uploads with dangerous extensions such as .php

[screenshot]

webasyst-framework-master\wa-system\controller\waUploadJsonController.class.php

[screenshot]

The above filtering is insufficient since it is possible to upload files with extensions that will be executed such as .phar

[screenshots]

Tested on version: 2.7.2.732

@Leonix
Contributor

Leonix commented Jun 21, 2023

Thank you very much for your report.

Please explain which server environment you are running. .phar should not be executable by the web server. It is not executable by default in Apache configurations that I know of.

Is this a default configuration for some common server setup? Are there other executable extensions besides .phar in this setup?

Anyway, it is probably a good idea to deny .phar uploading via web file manager. And possibly even to disable PHP execution inside wa-data/public/site directory. Thank you again for your vigilance :)

@emaragkos
Author

It's a LAMP environment that uses a default Vesta Panel deployment, and the installation of webasyst was automated through Softaculous. I assume it is something default with this setup because I haven't made any modifications to allow such extensions to be executed. Either way, as you already mentioned, I absolutely agree: nothing should be executed from wa-data/public/site, and .phar extensions shouldn't be allowed either.

@symbioticphp

In general, just use a whitelist; it will be simpler, and whoever needs to can add the extensions they need to it in the config.
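The denylist pattern the report describes and the configurable whitelist suggested above, side by side, as an added example that is not webasyst's own upload controller; the function names, the two extension lists and the sample file names are assumptions constructed for illustration:

```php
<?php
// Added example (not webasyst code). Function names and the lists are assumptions.

// Denylist: blocks only the extensions it was told about. Anything it forgot
// (.phar in the report, or whatever a given server maps to the PHP handler)
// passes the check.
function isAllowedByDenylist(string $filename): bool
{
    $blocked = ['php', 'php3', 'php4', 'php5', 'phtml'];   // constructed list
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return !in_array($ext, $blocked, true);
}

// Allowlist: only extensions an operator explicitly enabled may be uploaded.
// $allowed would come from configuration, as the last comment suggests.
function isAllowedByAllowlist(string $filename, array $allowed): bool
{
    // Reject empty names, path separators and NUL bytes before looking at the extension.
    if ($filename === '' || strpos($filename, "\0") !== false || strpbrk($filename, '/\\') !== false) {
        return false;
    }
    // Require a non-empty extension: "notes" and "notes." are both rejected.
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    if ($ext === '' || substr($filename, -1) === '.') {
        return false;
    }
    // Normalise configured entries so "JPG" and ".jpg" in config both work.
    $normalised = array_map(fn(string $e): string => strtolower(ltrim($e, '.')), $allowed);
    return in_array($ext, $normalised, true);
}

$allowed = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];   // constructed config value
$samples = ['photo.JPG', 'report.pdf', 'shell.phar', 'shell.php', 'index.phtml', 'notes'];
foreach ($samples as $name) {
    printf("%-12s denylist=%-5s allowlist=%s\n", $name,
        var_export(isAllowedByDenylist($name), true),
        var_export(isAllowedByAllowlist($name, $allowed), true));
}
```

Running it shows the denylist accepting `shell.phar` while the allowlist rejects it along with every other name not in the configured list; requires PHP 7.4 or later for the arrow function.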
