[Xerte-dev] SECURITY PATCH for upload.php

Smith, John J.J.Smith at gcu.ac.uk
Thu Mar 7 13:01:55 GMT 2013


Hi,

I've just committed a change to upload.php (revision 714) to stop users exploiting a system by uploading php code. I've added a whitelist and stuck in the same allowed file extensions that Pat uses in the Wordpress plugins.

Can someone test this and advise if there are any other media types that we want/need to allow?

There was also a session check but exit(); was commented out therefore in an unpatched system ANYONE can post data to upload.php and get some code onto the server. I've uncommented this now but does anyone know why it was commented out in the first place?

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University


Glasgow Caledonian University is a registered Scottish charity, number SC021474

Winner: Times Higher Education's Widening Participation Initiative of the Year 2009 and Herald Society's Education Initiative of the Year 2009.
http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html

Winner: Times Higher Education's Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners.
http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130307/6ec0be06/attachment.html>


More information about the Xerte-dev mailing list