Security #237
File Upload Filter Bypass in TangoCMS <=2.5.0
| Status: | Closed | Start date: | 2010-03-06 | |
|---|---|---|---|---|
| Priority: | Low | Due date: | ||
| Assignee: | Alex Cartwright | % Done: | 100% |
|
| Category: | - | |||
| Target version: | 2.5.1 | |||
| PHP Version: |
Description
Issue reported by Nick Freeman of Security-Assessment.com, part of the email below which we can show:
TangoCMS includes file upload functionality to upload media items such as audio, video and images to the server hosting TangoCMS. Before a file is successfully uploaded, a number of checks are performed in order to prevent users from uploading potentially malicious files. Each upload is checked for file extension, MIME type, and the file contents are examined. The vulnerability exists where the file extension is checked. TangoCMS filters malicious file extensions using a blacklist approach..... ... Security-Assessment.com was able to upload a malicious PHP file by changing the file extension to .php3, as well setting the......Further details can't be disclosed to protect our users, however I can confirm the only users effected by this exploit are those that:
- Allow untrusted users to upload media items
- Are not blocking access to ./assets/uploads/media (provided .htaccess file does this, so if running Apache and mod_alias you are fine)
- The hosting server parses .php3 files as PHP
History
Updated by Alex Cartwright almost 2 years ago
- Status changed from Confirmed to Closed
- % Done changed from 0 to 100
Applied in changeset commit:"0974644efa8b75c1cb130a4dc708ba457121fd5a".