View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update | 
|---|---|---|---|---|---|
| 0003428 | OXID eShop (all versions) | 4.04. Security | public | 2011-12-09 13:36 | 2012-01-04 14:35 | 
| Reporter | marco_steinhaeuser | Assigned To | |||
| Priority | urgent | Severity | major | Reproducibility | always | 
| Status | resolved | Resolution | fixed | ||
| Product Version | 4.5.5 revision 40299 | ||||
| Fixed in Version | 4.5.6 revision 40808 | ||||
| Summary | 0003428: executable files can be uploaded in admin | ||||
| Description | Via admin -> picture upload, it is possible to upload executable files. | ||||
| Steps To Reproduce | 1. Go to Admin -> Administer Products -> Products. 2. Choose any product and go to tab pictures. 3. Try to upload a PHP file (hello.php with content `<? echo 'hello world'; ?>`). Voila - you'll get the message "We don't play this game. Go away.": http://img1.uploadscreenshot.com/images/orig/12/34206350742-orig.png 4. `mv hello.php hello.php5` and upload it again. 5. Have a look at the result of your work: http://www.youroxidshop.com/out/pictures/master/product/[# of your pic]/hello.php5  | ||||
| Additional Information | found by our partner mediaopt - Manuel Reiss | ||||
| Tags | No tags attached. | ||||
| Theme | Both | ||||
| Browser | All | ||||
| PHP Version | any | ||||
| Database Version | any | ||||
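
The steps above show `hello.php` being refused while the same file renamed to `hello.php5` is accepted and served from the pictures directory. The following allowlist check is an added example, not OXID eShop code and not the fix shipped in 4.5.6; the function name `safePictureName` and the list of permitted types are assumptions.

```php
<?php
// Added example (not OXID eShop code). Requires the fileinfo extension.

// Assumed allowlist: extension => MIME type the file content must have.
const ALLOWED_IMAGE_TYPES = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

/**
 * Hypothetical helper: returns a server-chosen file name for an uploaded
 * picture, or null when the upload must be rejected.
 */
function safePictureName(string $clientName, string $tmpPath): ?string
{
    // Allowlist on the final extension: .php5, .phtml, .php and anything
    // else not listed are all refused by the same rule.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_IMAGE_TYPES[$ext])) {
        return null;
    }

    // The content must match the claimed type, so a script renamed to
    // .gif is refused as well.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime !== ALLOWED_IMAGE_TYPES[$ext]) {
        return null;
    }

    // Never reuse the client-supplied name on disk.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample uploads: the script from the report and a tiny GIF header.
$script = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($script, "<? echo 'hello world'; ?>");
$gif = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($gif, "GIF89a\x01\x00\x01\x00\x00\x00\x00;");

var_dump(safePictureName('hello.php', $script));   // rejected: extension
var_dump(safePictureName('hello.php5', $script));  // rejected: extension
var_dump(safePictureName('hello.gif', $script));   // rejected: content is not a GIF
var_dump(safePictureName('product.gif', $gif));    // accepted: random name ending in .gif

unlink($script);
unlink($gif);
```

Independently of the upload check, the web server should be configured so that nothing under the picture upload directory is handed to the PHP interpreter.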