Hello all,
I would like to know if the following issues are already solved with the latest releases, as the Release Notes are less than clear about which security issues were solved where:
https://github.com/beerpwn/CVE/blob/mas ... _to_RCE.md
and
https://github.com/beerpwn/CVE/blob/mas ... -report.md
Also, if this is the wrong place for this kind of question, please let me know how / where to contact.
Best regards,
greenbonexx
Security vulnerabilities question
Re: Security vulnerabilities question
Exploits that require admin credentials generally aren't prioritized. For a more detailed explanation please see https://www.cmsmadesimple.org/community ... nerability
Not getting the answer you need? CMSMS support options
Re: Security vulnerabilities question
In FileManager/action.upload.php there is a protection for PHP files.
Why not for PHAR files?
In the function protected function is_file_acceptable( $file ) ... if( !$config['developer_mode'] )

Jean-Claude Etiemble
Re: Security vulnerabilities question
Calguy regretted putting that one in, as he got that question all the time. In a future version we may extend that functionality so a developer can set a list of denied file types, but it's not a priority. Exploits can be in svg and other files too, so I don't think it's best for us to decide what files a developer allows their admins to upload.
Not getting the answer you need? CMSMS support options
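The thread above discusses a PHP-only upload check and a possible developer-set list of denied file types. The following is an added example of such a check, not CMSMS code and not written by any poster in this thread; the function name, its parameters and the sample filenames are hypothetical.

```php
<?php
// Added example: hypothetical helper, not part of CMSMS.
// is_upload_name_acceptable(), $denied and the sample names are assumptions.

/**
 * Return true when an uploaded filename passes a developer-supplied deny list.
 * Every dot-separated segment after the base name is checked, so
 * "archive.phar.jpg" and "page.PHP." are handled like "x.phar" and "x.php".
 */
function is_upload_name_acceptable(string $filename, array $denied, bool $developer_mode = false): bool
{
    if ($developer_mode) {
        return true; // same condition as the developer_mode test quoted in the thread
    }
    // Drop any path component, whichever separator the client sent.
    $name = basename(str_replace('\\', '/', $filename));
    // Trailing dots and spaces are dropped by some filesystems; normalise first.
    $name = strtolower(rtrim($name, '. '));
    // Reject empty names and names with control characters (including NUL).
    if ($name === '' || preg_match('/[\x00-\x1f]/', $name)) {
        return false;
    }
    $denied = array_map('strtolower', $denied);
    $segments = explode('.', $name);
    array_shift($segments); // first segment is the base name, not an extension
    foreach ($segments as $ext) {
        if (in_array($ext, $denied, true)) {
            return false;
        }
    }
    return true;
}

// Constructed sample input: a deny list covering the types named in the thread.
$denied = ['php', 'phar', 'svg'];
$samples = ['photo.jpg', 'tool.phar', 'page.PHP.', 'logo.svg', 'archive.phar.jpg'];
foreach ($samples as $f) {
    printf("%-18s %s\n", $f, is_upload_name_acceptable($f, $denied) ? 'accept' : 'reject');
}
```

A deny list only blocks the types someone thought to list; an allow list of the few extensions a site actually needs is the stricter variant of the same check.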