CMS Made Simple Forums

Content management as it is meant to be
https://forum.cmsmadesimple.org/

[fixed] filemanager directory traversal

https://forum.cmsmadesimple.org/viewtopic.php?t=56404

Page 1 of 1

[fixed] filemanager directory traversal

Posted: Thu Aug 25, 2011 8:21 pm
by dwave
The filemanager allows directory traversals and therefore everybody with the permissions to modify files can upload files outside the upload-directory.

Steps to reproduce:
1. (optional) Create User with permission to modify files but without permission for the "Advanced usage of the the File Manager module".
2. Go to the filemanager, upload files
3. Manipulate the hidden field <input id="m1_path" name="m1_path"> to contain for example the path /uploads/../../
4. Upload a file

Re: filemanager directory traversal

Posted: Sun Aug 28, 2011 11:05 am
by Rolf
I can't repoduce on SVN rev. 7361

But I can't change folders in FM anymore.
Perhaps the result of fixing this issue??

Rolf

Re: filemanager directory traversal

Posted: Sun Aug 28, 2011 6:16 pm
by Rolf
Should be fixed in SVN rev. 7361
All times are UTC
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited