    Security issue: any php code execution

    4 Posts 2 Posters 2.8k Views 1 Watching
    jannav wrote:

      Dear I-Doit,

      It is possible to import (upload) a PHP file and then execute it using the URL: http://yourserver/imports/evil.php

      Module: Import
      Tested on versions: 0.9.9-1 and 0.9.9-5
      Requirements: an active account with import rights is required to complete such an attack

      My guess is that creating a .htaccess file with "php_flag engine off" inside the imports directory could solve the problem temporarily.

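      The mitigation jannav suggests, written out as a complete `.htaccess` for the web-served `imports/` directory. This is an added example, not code from the thread or from i-doit; it assumes the directory is `imports/` directly under the document root, as the URL in the post indicates, and that the vhost's `AllowOverride` permits `Options` and `FileInfo`/`Limit` directives in `.htaccess` (if it does not, the same directives belong in a `<Directory>` block of the server config, where `php_admin_flag` can be used instead of `php_flag`).

```apache
# .htaccess for the web-served imports/ directory (added example, not i-doit's own code).
# Assumes the vhost allows these directives via AllowOverride Options FileInfo Limit.

# 1. With the Apache PHP module (mod_php), stop interpreting PHP in this directory.
#    PHP 7 registers itself as mod_php7.c, PHP 8 as mod_php.c; covering both is harmless.
<IfModule mod_php7.c>
    php_flag engine off
</IfModule>
<IfModule mod_php.c>
    php_flag engine off
</IfModule>

# 2. Caveat: "engine off" alone makes Apache hand the .php file back as a plain
#    download, which discloses the uploaded source, and it does nothing at all when
#    PHP runs as php-fpm behind mod_proxy_fcgi. So additionally refuse to serve any
#    file with a PHP-like extension from here. This rule works with every PHP SAPI.
<FilesMatch "\.(php[0-9]?|phtml|phar|phps)$">
    Require all denied
</FilesMatch>

# 3. Belt and braces: no CGI execution and no directory listing of uploaded files.
Options -ExecCGI -Indexes
```

      To check that the rule is live, place a harmless file such as `imports/check.php` containing only a comment and request it: the expected answer is `403 Forbidden`, not the file's contents and not an executed page. The durable fix, which this thread leaves to i-doit, is to store imported files outside the document root (or serve them only through a script that streams them with a fixed, non-executable content type), so that nothing a user uploads is ever reachable as a URL the web server can execute.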
      creiss (i-doit Kenner) wrote:

        Hi jannav,

        thank you for this hint.

        Actually, you need full rights to get to this point, so it is not a real security issue.

        At least we have noticed it and have to discuss if we prohibit that in the future.

        Kind regards
        Christian

        NEW - i-doit and IT documentation on YouTube: https://www.youtube.com/@donamic_de
        Complete strategy: https://i-doit-trainings.de/it-dokumentation-komplett-strategie/
        i-doit Mastery: https://i-doit-trainings.de/i-doit-mastery

      jannav wrote:

          Hi Christian,

          That's correct. It is enough to create a new Mandant (tenant) and forget to change the default passwords for the default users.

      creiss (i-doit Kenner) wrote:

            Hi jannav,

            That's correct, too.

            But it would be a mistake of the administrator and should not happen. 😉

            As I just said, we will discuss prohibiting it in the future.

            Kind Regards,
            Christian