Security issue: any php code execution

  • Dear I-Doit,

    it is possible to import (upload) php file and then execute it using URL: http://yourserver/imports/evil.php

    Modul: Import
    tested on versions: 0.9.9-1 and 0.9.9-5
    Requirements: active account with import rights is required to complete such attack

    my guess is that creating .htaccess file with "php_flag engine off" inside imports directory could solve the problem temporarry.

  • i-doit Kenner

    Hi jannav,

    thank you for this hint.

    Actually, you need full rights to get to this point, so that it is not a real security issue.

    At least we have noticed it and have to discuss if we prohibit that in the future.

    Kind regards

  • Hi Christian,

    thats correct. Just enough is to create new Mandant and forget to change default passwords for default users.

  • i-doit Kenner

    Hi jannav,

    thats correct, too.

    But it would be a mistake of the administrator and should not happen.. 😉

    As I just said, we will discuss about prohibiting it in future.

    Kind Regards,

Log in to reply

Datenschutz / Privacy Policy