    Security issue: any php code execution

    Category: Development (4 posts, 2 posters)
    jannav:

      Dear i-doit,

      it is possible to import (upload) a PHP file and then execute it using the URL: http://yourserver/imports/evil.php

      Module: Import
      Tested on versions: 0.9.9-1 and 0.9.9-5
      Requirements: an active account with import rights is required to complete such an attack.

      My guess is that creating a .htaccess file with "php_flag engine off" inside the imports directory could solve the problem temporarily.

    creiss (i-doit Kenner):

        Hi jannav,

        thank you for this hint.

        Actually, you need full rights to get to this point, so it is not a real security issue.

        At least we have noticed it and have to discuss whether we prohibit that in the future.

        Kind regards
        Christian

        NEU - i-doit und IT-Dokumentation bei YouTube: https://www.youtube.com/@donamic_de
        Komplett-Strategie: https://i-doit-trainings.de/it-dokumentation-komplett-strategie/
        i-doit Mastery – https://i-doit-trainings.de/i-doit-mastery

    jannav:

          Hi Christian,

          That's correct. It is enough to create a new Mandant (tenant) and forget to change the default passwords for the default users.

    creiss (i-doit Kenner):

            Hi jannav,

            That's correct, too.

            But it would be the administrator's mistake and should not happen. 😉

            As I just said, we will discuss prohibiting it in the future.

            Kind Regards,
            Christian

