Insecure demo file disclosure #3260

Closed
Xyntax opened this issue Dec 4, 2016 · 6 comments


Xyntax commented Dec 4, 2016

Unauthorized file manipulation - /vendor/vakata/jstree/demo/filebrowser/index.php

http://zikula.org/vendor/vakata/jstree/demo/filebrowser/

Possible unauthorized SSRF - /javascript/js-webshim/dev/shims/FlashCanvasPro/proxy.php

```php
// $url is assigned earlier in proxy.php (not included in this excerpt)
if (extension_loaded('curl')) {
    // Use cURL extension
    $ch = curl_init($url);
//  curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
//  curl_setopt($ch, CURLOPT_MAXREDIRS, 10);
    curl_exec($ch);
    curl_close($ch);
} else {
    // Use the http:// wrapper
    readfile($url);
}
```

Please make a review.
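As an added example, not code from the js-webshim project or from this issue, here is a hardened form of the fetch-and-relay pattern quoted above. It assumes the target arrives as a `url` query parameter (the excerpt does not show where `$url` comes from), that the deployment keeps an explicit host allowlist (`ALLOWED_HOSTS` holds a constructed placeholder), and PHP 7.1 or later for the nullable return types; `validate_proxy_url()` and `fetch_remote()` are names chosen for this illustration.

```php
<?php
// Added example, not the js-webshim proxy.php: a hardened fetch-and-relay.
// Assumptions: the target comes in as the "url" query parameter, and the
// deployment maintains an explicit host allowlist (ALLOWED_HOSTS below is a
// constructed placeholder value).

const ALLOWED_HOSTS = ['static.example.org'];   // constructed allowlist
const MAX_BYTES     = 5 * 1024 * 1024;          // refuse to relay huge bodies

// True only for globally routable addresses: rejects loopback, RFC 1918,
// link-local (including 169.254.169.254 cloud metadata) and reserved ranges.
function is_public_ip(string $ip): bool
{
    return filter_var(
        $ip,
        FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    ) !== false;
}

// Returns the URL if it passes every check, otherwise null.
function validate_proxy_url(string $url): ?string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    // Only plain web schemes: blocks file://, php://, gopher://, ftp:// and friends.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    // Embedded credentials or a non-standard port are not something a
    // static-asset proxy needs; refuse rather than reason about them.
    if (isset($parts['user']) || isset($parts['pass']) || isset($parts['port'])) {
        return null;
    }
    $host = strtolower($parts['host']);
    if (!in_array($host, ALLOWED_HOSTS, true)) {
        return null;
    }
    // Resolve and check every answer, so a listed name that (mis)points at an
    // internal address is still refused.
    $records = @dns_get_record($host, DNS_A + DNS_AAAA);
    if (!$records) {
        return null;
    }
    foreach ($records as $rec) {
        $ip = $rec['ip'] ?? $rec['ipv6'] ?? null;
        if ($ip === null || !is_public_ip($ip)) {
            return null;
        }
    }
    return $url;
}

// Fetches a validated URL; returns the body or null on any failure.
function fetch_remote(string $url): ?string
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,    // a redirect must not escape the allowlist
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,
        CURLOPT_MAXFILESIZE    => MAX_BYTES,
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    if ($body === false || $status !== 200) {
        return null;
    }
    return $body;
}

$safe = validate_proxy_url($_GET['url'] ?? '');
if ($safe === null) {
    http_response_code(400);
    exit('Rejected URL');
}
$body = fetch_remote($safe);
if ($body === null) {
    http_response_code(502);
    exit('Upstream fetch failed');
}
header('Content-Type: application/octet-stream');
header('X-Content-Type-Options: nosniff');
echo $body;
```

Two design notes. The quoted original relays whatever `$url` names and, in the `readfile()` branch, lets every PHP stream wrapper in, so the scheme check and the allowlist are the substantive fixes; the IP range check is a second layer for the case where an allowlisted name resolves somewhere unexpected. The DNS lookup here happens before cURL does its own resolution, so a name that changes answers between the two lookups is not caught; pinning the checked address with `CURLOPT_RESOLVE` closes that gap. Where, as in this thread, the proxy is a demo shipped inside a vendor directory, not serving it at all is simpler than hardening it.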

@Guite Guite added this to the 1.4.4 milestone Dec 4, 2016

Guite commented Dec 4, 2016

Maybe we should report that at the vendor projects so they can provide a central fix?


Xyntax commented Dec 4, 2016

Yes, we can report that, but I'm afraid not all vendors care about it.
Maybe we should make a simple review ourselves.


Guite commented Dec 4, 2016

We could possibly block access to these files using the .htaccess file in the root folder.
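As an added example of the root-level .htaccess approach suggested above (these are not the rules Zikula actually committed, which live in #3261 and in javascript/.htaccess), the following Apache 2.4 mod_rewrite directives block the two paths named in the report. They assume the file sits in the web root, that mod_rewrite is loaded, and that `AllowOverride` permits rewrite rules there.

```apache
# Added example, not Zikula's own .htaccess. Placed in the web root; assumes
# mod_rewrite is enabled and AllowOverride permits it.
<IfModule mod_rewrite.c>
    RewriteEngine On

    # Vendor demo pages and dev shims are library internals, never application
    # entry points: answer 403 regardless of what PHP files they contain.
    # (Per-directory patterns match the path without its leading slash.)
    RewriteRule ^vendor/.*/demo/        - [F,L]
    RewriteRule ^javascript/.*/dev/     - [F,L]

    # Broader safety net: no PHP under vendor/ should ever run from a browser
    # request, while static assets (.js, .css, images) still pass through.
    RewriteRule ^vendor/.*\.php$        - [F,L,NC]
</IfModule>
```

To confirm the rules took effect, request one of the reported paths (for example `/vendor/vakata/jstree/demo/filebrowser/index.php`) with `curl -sI` against the deployment and expect a 403 rather than 200. Note that .htaccess is honoured only by Apache; a deployment behind nginx or another server needs the equivalent `location` denial in its own configuration, otherwise the demo scripts stay reachable.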


Guite commented Dec 4, 2016

javascript/js-webshim/dev/shims/FlashCanvasPro/proxy.php is already blocked by javascript/.htaccess.

Guite added a commit that referenced this issue Dec 4, 2016
@Guite Guite mentioned this issue Dec 4, 2016

Guite commented Dec 4, 2016

Added a fix for the first one in #3261


Guite commented Dec 4, 2016

Reported to vendor here: vakata/jstree#1651
