Security Controls Question

ninjacatdev
New Member
Posts: 1
Joined: Sun Apr 06, 2025 6:21 am

Post by ninjacatdev »

Hi all,

I was wondering if you have any updated thoughts on admin portals, security boundaries, and authenticated vulnerabilities, specifically regarding file upload issues. For example, allowing PHAR and PHTML files while excluding PHP file extensions.
https://okankurtulus.com.tr/2023/06/26/ ... enticated/

I came across some older posts mentioning that adding controls wasn’t prioritized at the time, and I’d like to learn more about it from a developer’s perspective. I also noticed that a mitigation for PHP files was implemented in earlier versions and was wondering if there are plans to add more controls in the future. :)

Thank you for your time.
Best regards,
ninjacatdev
DIGI3
Dev Team Member
Posts: 1762
Joined: Wed Feb 25, 2009 4:25 am
Location: Victoria, BC

Re: Security Controls Question

Post by DIGI3 »

Our stance on this hasn't really changed. Given that site owners have the ability to add whatever code they like to their website, including PHP via User Defined Tags, restricting what they can upload wouldn't really improve security. At one point we restricted the uploading of PHP files but in retrospect this was likely a mistake as it brought about a lot of "but what about [every other filetype]?"

I think the only good option would be to have a configurable list of banned filetypes that site owners can add to, but this isn't high on our priority list. If a developer would like to submit this change we'd definitely consider it. The file manager and filepicker modules could also be forked should someone desire.
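
A sketch of the configurable banned-filetype list suggested in the reply above, as an added example that is not part of the original posts and is not CMSMS code. The function name, the constant and the default list are assumptions made for illustration; the file names are constructed samples.

```php
<?php
declare(strict_types=1);

// Hypothetical defaults; a site owner would extend this list from configuration.
const DEFAULT_BANNED_EXTENSIONS = ['php', 'phtml', 'phar'];

/**
 * Return the banned extension found in $filename, or null if none matches.
 * Every dot-separated segment after the name stem is checked, so a banned
 * type is still caught when another extension follows it ("a.php.jpg").
 */
function find_banned_extension(string $filename, array $banned): ?string
{
    // Normalise the list: lower-case, no leading dot, no empty entries.
    $banned = array_filter(array_map(
        static fn($e) => strtolower(ltrim(trim((string) $e), '.')),
        $banned
    ));

    // Use the base name only; drop NUL bytes and trailing dots/spaces,
    // which some filesystems strip silently ("lib.phar." -> "lib.phar").
    $name = basename(str_replace(["\0", '\\'], ['', '/'], $filename));
    $name = strtolower(rtrim($name, ". \t"));

    $segments = explode('.', $name);
    array_shift($segments); // first segment is the name stem, not an extension
    foreach ($segments as $segment) {
        if (in_array($segment, $banned, true)) {
            return $segment;
        }
    }
    return null;
}

// Constructed sample inputs, with one site-specific addition to the list.
$banned = array_merge(DEFAULT_BANNED_EXTENSIONS, ['.PHP5']);
foreach (['logo.png', 'x.PhTmL', 'a.php.jpg', 'lib.phar.', 'notes.php5'] as $f) {
    $hit = find_banned_extension($f, $banned);
    printf("%-12s %s\n", $f, $hit === null ? 'allowed' : "blocked ($hit)");
}
```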