#1868 closed New Feature (fixed)
File browser may be blocked because of possible "Path traversal" attack
| Reported by: | Wiktor Walc | Owned by: | Alfonso Martínez de Lizarrondo |
|---|---|---|---|
| Priority: | Normal | Milestone: | |
| Component: | File Browser | Version: | |
| Keywords: | Confirmed Review+ | Cc: |
Description
In Apache, mod_security is usually installed (http://www.modsecurity.org/) - it is commonly used to detect and prevent against possible attacks. Quick example from official mod_security site (http://www.modsecurity.org/documentation/quick-examples.html):
# Prevent path traversal (..) attacks
SecFilter "\.\./"
Similar rule is available in a "Apache 2.x rules" at http://www.gotroot.com/:
##generic recursion signatures SecRule REQUEST_URI "!(alt_mod_frameset\.php)" "chain,id:300004,rev:2,severity:2,msg:'Generic Path Recursion denied'" SecRule REQUEST_URI "\.\./\.\./" #generic path recurision si
The problem is that ../.. is used by FCKeditor:
http://www.fckeditor.net/fckeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=../../connectors/php/connector.php
so it may be blocked in rare cases.
We should avoid passing ".." in urls.
Attachments (1)
Change History (6)
comment:1 Changed 16 years ago by
| Keywords: | Confirmed added |
|---|
Changed 16 years ago by
| Attachment: | 1868.patch added |
|---|
comment:2 Changed 16 years ago by
| Keywords: | Review? added |
|---|---|
| Owner: | set to Alfonso Martínez de Lizarrondo |
| Status: | new → assigned |
Could you verify if this patch does fix the issue?
comment:3 Changed 16 years ago by
| Keywords: | Review+ added; Review? removed |
|---|
Ok, FCKeditor passes the "\.\." checks now.
Note: See
TracTickets for help on using
tickets.
Proposed SVN patch