View Issue Details

ID: 0003428
Project: OXID eShop (all versions)
Category: 4.04. Security
View Status: public
Last Update: 2012-01-04 14:35
Reporter: marco_steinhaeuser
Priority: urgent
Severity: major
Reproducibility: always
Status: resolved
Resolution: fixed
Product Version: 4.5.5 revision 40299
Target Version:
Fixed in Version: 4.5.6 revision 40808
Summary: 0003428: executable files can be uploaded in admin
Description: Via admin -> picture upload, it is possible to upload executable files.
Steps To Reproduce:
1. Go to Admin -> Administer Products -> Products.
2. Choose any product and go to the "Pictures" tab.
3. Try to upload a PHP file (hello.php with the content <? echo 'hello world'; ?>). Voila - you'll get the message "We don't play this game. Go away.":
http://img1.uploadscreenshot.com/images/orig/12/34206350742-orig.png
4. mv hello.php hello.php5 and upload it again.
5. Have a look at the result of your work:
http://www.youroxidshop.com/out/pictures/master/product/[# of your pic]/hello.php5
Additional Information: found by our partner mediaopt - Manuel Reiss
Tags: No tags attached.
Theme: Both
Browser: All
PHP Version: any
Database Version: any
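The bypass in the steps above is the generic weakness of a suffix blacklist: the filter knows ".php", but the web server's handler mapping commonly covers several other suffixes (.php5, .phtml, ...), and a double suffix such as hello.php.jpg slips past any check that only looks at the last one. The following Python is an added example written for this page; it is not OXID eShop code and not the fix recorded in the tracker. The blacklist, the allowlist, the set of interpreter suffixes and the AddHandler-style execution model are all assumptions made for illustration. It contrasts the bypassable check with an allowlist that accepts exactly one image suffix and nothing else.

```python
import os
import re

# --- Constructed data (assumptions for this example, not OXID configuration) ---

# A blacklist in the spirit of the one the report describes: it knows ".php"
# but not the other suffixes the web server may route to the PHP interpreter.
BLACKLIST = {"php", "exe", "sh", "pl"}

# Suffixes an Apache "AddHandler"/"AddType" line for PHP commonly covers.
# Which ones apply depends on the host's mime configuration; this set is
# illustrative, not a statement about any particular shop installation.
PHP_HANDLER_SUFFIXES = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}

# One name segment, one dot, one allowed image suffix; nothing else.
_SAFE_IMAGE_NAME = re.compile(r"^[a-z0-9_-]{1,64}\.(?:jpg|jpeg|png|gif)$")


def suffixes(filename):
    """All dot-separated suffixes of the basename, lowercased.
    'hello.php.jpg' -> ['php', 'jpg']; 'hello' -> []."""
    parts = os.path.basename(filename).lower().split(".")
    return parts[1:]


def blacklist_accepts(filename):
    """The bypassable check: look only at the final suffix, compare it with a
    fixed list of 'bad' suffixes, and accept everything else."""
    parts = suffixes(filename)
    final = parts[-1] if parts else ""
    return final not in BLACKLIST


def allowlist_accepts(filename):
    """The hardened check: accept only <safe chars>.<allowed image suffix>.
    Extra dots are rejected, so 'hello.php.jpg' never reaches the disk
    under that name."""
    return _SAFE_IMAGE_NAME.match(os.path.basename(filename).lower()) is not None


def server_would_execute(filename):
    """Model of AddHandler-style mapping, where a matching suffix anywhere in
    the name selects the PHP handler (mod_mime multiple-suffix behaviour).
    Assumption for the example; a FilesMatch '\\.php$' SetHandler would look
    only at the last suffix."""
    return any(s in PHP_HANDLER_SUFFIXES for s in suffixes(filename))


def classify(filename):
    """'blocked' if the blacklist rejects the name, 'bypass' if it accepts a
    name the server would execute, 'benign' otherwise."""
    if not blacklist_accepts(filename):
        return "blocked"
    return "bypass" if server_would_execute(filename) else "benign"


SAMPLE_UPLOADS = [       # constructed sample names
    "hello.php",         # the report's step 3: rejected by the blacklist
    "hello.php5",        # the report's step 4: accepted, then executed
    "hello.phtml",       # another suffix a PHP handler mapping often covers
    "hello.php.jpg",     # double suffix; the blacklist sees only 'jpg'
    "product.jpg",       # legitimate picture upload
]


def report():
    """Map each sample name to (blacklist outcome, allowlist verdict)."""
    return {name: (classify(name), allowlist_accepts(name)) for name in SAMPLE_UPLOADS}


if __name__ == "__main__":
    for name, (outcome, allowed) in report().items():
        print(f"{name:16} blacklist: {outcome:8} allowlist accepts: {allowed}")
```

Running the block prints one line per sample name. Whatever filter is used, two further measures make the outcome independent of the filter being complete: store the upload under a server-generated name rather than the client's, and serve the picture directory from a location where no script handler is mapped. The tracker note records that the fix at the time was to extend the blacklist, which closes the reported suffix while leaving the same structure in place.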

Activities

mindaugas.rimgaila

2011-12-12 09:44

reporter   ~0005472

Added additional file extensions to "Black List" for file uploads