webasyst/webasyst-framework

Insecure file upload - Code execution

emaragkos opened this issue · 3 comments

The web application does not allow file uploads with dangerous extensions such as .php

[image]

webasyst-framework-master\wa-system\controller\waUploadJsonController.class.php

[image]

The above filtering is insufficient since it is possible to upload files with extensions that will be executed, such as .phar

[images]

Tested on version: 2.7.2.732

Leonix commented

Thank you very much for your report.

Please explain which server environment you are running. .phar should not be executable by the web server. It is not executable by default in Apache configurations that I know of.

Is this a default configuration for some common server setup? Are there other executable extensions besides .phar in this setup?

Anyway, it is probably a good idea to deny .phar uploading via web file manager. And possibly even to disable PHP execution inside wa-data/public/site directory. Thank you again for your vigilance :)

It's a LAMP environment that uses a default Vesta Panel deployment, and the installation of webasyst was automated through Softaculous. I assume it is something default with this setup because I haven't made any modifications to allow such extensions to be executed. Either way, as you already mentioned, I absolutely agree: nothing should be executed from wa-data/public/site, and .phar extensions shouldn't be allowed either.

Honestly, just make a whitelist; that will be simpler, and whoever needs to can add the extensions they need to it in the config.
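To illustrate the allow-list approach suggested in the last comment next to the deny-list approach the report shows failing, here is an added example (not webasyst code, and not a copy of waUploadJsonController). The deny-list contents, the `isAllowedByDenyList` / `isAllowedByAllowList` function names and the sample filenames are all constructed for this illustration.

```php
<?php
// Added example (not webasyst code): a deny-list extension check beside an
// allow-list check. The deny-list is a constructed stand-in for the kind of
// filtering discussed in this issue, not the framework's actual list.

declare(strict_types=1);

/** Deny-list check: only rejects the extensions it has heard of. */
function isAllowedByDenyList(string $filename): bool
{
    $denied = ['php', 'php3', 'php4', 'php5', 'phtml', 'pl', 'py', 'cgi', 'sh', 'exe'];
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return !in_array($ext, $denied, true);
}

/**
 * Allow-list check: only explicitly permitted extensions pass. Every
 * dot-separated part after the name is checked, because handlers such as
 * Apache's AddHandler can match an inner extension, so "shell.php.jpg"
 * fails as well as "shell.phar". In a real deployment the allowed list
 * would come from the site's config file so owners can extend it.
 */
function isAllowedByAllowList(string $filename, array $allowed): bool
{
    $basename = basename($filename);                // strip any path component
    if ($basename === '' || $basename[0] === '.') { // no dotfiles such as .htaccess
        return false;
    }
    $parts = explode('.', strtolower($basename));
    if (count($parts) < 2) {
        return false;                               // require an extension
    }
    array_shift($parts);                            // drop the name part
    foreach ($parts as $part) {
        if (!in_array($part, $allowed, true)) {
            return false;
        }
    }
    return true;
}

$allowed = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'zip', 'txt'];

// Constructed sample filenames for the demonstration, not uploads from the report.
$samples = [
    'photo.jpg', 'report.pdf', 'shell.php', 'shell.phar', 'shell.PHTML',
    'shell.php.jpg', 'shell.jpg.php', '.htaccess', 'noext',
];

foreach ($samples as $name) {
    printf("%-15s deny-list: %-5s allow-list: %s\n",
        $name,
        isAllowedByDenyList($name) ? 'pass' : 'block',
        isAllowedByAllowList($name, $allowed) ? 'pass' : 'block');
}
```

Run with `php example.php`: the deny-list passes `shell.phar`, `shell.php.jpg`, `.htaccess` and `noext`, while the allow-list blocks all of them and passes only `photo.jpg` and `report.pdf`. The trade-off of checking every part is that legitimate multi-dot names such as `my.photo.2020.jpg` are also rejected; a softer variant stores the file under a sanitized name that keeps only the final extension. Either way this check complements, rather than replaces, the other point raised in the thread: PHP execution should be switched off for the upload directory at the web-server level, so that a mistake in the allow-list does not turn into code execution.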