Security issue: arbitrary PHP code execution
It is possible to import (upload) a PHP file and then execute it using the URL: http://yourserver/imports/evil.php
Tested on versions: 0.9.9-1 and 0.9.9-5
Requirements: an active account with import rights is required to complete such an attack.
My guess is that creating a .htaccess file with "php_flag engine off" inside the imports directory could solve the problem temporarily.
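The mitigation suggested in the report, as an added example that is not part of the original post and not code from the project: a POSIX shell script that writes a hardening .htaccess into the import directory (the reporter's `php_flag engine off`, plus a `FilesMatch` deny so the rule still holds where that flag is not honoured) and an allowlist-style check that rejects upload names carrying a script extension anywhere in the dotted suffix chain, since Apache evaluates every suffix, so `evil.php.csv` is as dangerous as `evil.php`. The directory name, the extension list and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not the project's own code. Assumptions: Apache 2.4 with
# AllowOverride allowing .htaccess in the import directory; the extension
# list below is a generic one and must match your AddHandler/AddType setup.
set -eu

# Extensions commonly mapped to the PHP engine (assumed list).
SCRIPT_EXTS='php phtml php3 php4 php5 php7 phps phar'

# is_script_upload NAME: exit 0 when NAME has a script extension anywhere
# after the first dot (evil.php, evil.php.csv, SHELL.PHTML), else exit 1.
is_script_upload() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$name" in
        *.*) ;;
        *) return 1 ;;     # no extension at all
    esac
    # Wrap the suffix chain in dots so every extension is dot-delimited:
    # "evil.php.csv" becomes ".php.csv." and ".php." can be matched exactly.
    rest=".${name#*.}."
    for ext in $SCRIPT_EXTS; do
        case "$rest" in
            *".$ext."*) return 0 ;;
        esac
    done
    return 1
}

# write_hardening_htaccess DIR: drop a .htaccess that (1) turns the PHP engine
# off for mod_php and (2) refuses to serve script extensions at all, which
# also covers php-fpm/CGI setups where php_flag has no effect.
write_hardening_htaccess() {
    dir=$1
    cat > "$dir/.htaccess" <<'EOF'
# Disable the PHP engine here (mod_php only; needs AllowOverride Options).
php_flag engine off
# Do not serve anything with a script extension, even with a trailing
# harmless extension such as evil.php.csv.
<FilesMatch "\.(php|phtml|php[3-7]|phps|phar)(\.|$)">
    Require all denied
</FilesMatch>
EOF
}

# Demo on a temporary directory so nothing on the live server is touched.
tmp=$(mktemp -d)
write_hardening_htaccess "$tmp"
echo "wrote $tmp/.htaccess"
for f in evil.php evil.php.csv data.csv README; do
    if is_script_upload "$f"; then
        echo "reject $f"
    else
        echo "accept $f"
    fi
done
rm -rf "$tmp"
```

Two caveats a practitioner should keep in mind: `php_flag` is only understood when mod_php is loaded, so on a php-fpm host the .htaccess line is an unknown directive and Apache answers 500 until it is removed, which is why the `FilesMatch` block is there as well; and both rules only stop execution through the web server, so the real fix is to store imports outside the document root and validate the file name on upload, as `is_script_upload` does.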
Thank you for this hint.
Actually, you need full rights to get to this point, so it is not a real security issue.
At least we have noticed it and have to discuss whether we prohibit that in the future.
That's correct. It is enough to create a new Mandant and forget to change the default passwords for the default users.
That's correct, too.
But it would be a mistake of the administrator and should not happen.
As I just said, we will discuss prohibiting it in the future.