View Issue Details

ID: 0006973
Project: OXID eShop (all versions)
Category: 4.04. Security
View Status: public
Last Update: 2019-07-31 11:19
Reporter: marco_steinhaeuser
Assigned To: (none)
Priority: normal
Severity: minor
Reproducibility: always
Status: resolved
Resolution: fixed
Product Version: 6.1.3
Fixed in Version: 6.1.4
Summary: 0006973: Admin: File upload extension filter can be bypassed

Description: The security of the other file upload endpoints in the admin interface was questioned and subsequently assessed. The reporter found that these endpoints rely on an insufficient extension blacklist to stop an admin from uploading potentially malicious files: any extension not on the list, such as .phtml or .pht, is accepted.

Steps To Reproduce: see https://bugs.oxid-esales.com/view.php?id=6973#c12864
Additional Information:

Affected file:
vendor/oxid-esales/oxideshop-ce/source/Core/UtilsFile.php

Affected code (the blacklist of forbidden extensions):
protected $_aBadFiles = ['php', 'php3', 'php4', 'php5', 'phps', 'php6', 'jsp', 'cgi', 'cmf', 'exe'];

Extensions not filtered:
.phtml
.pht
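The following PHP is an added illustration, not OXID's code and not the change shipped in 6.1.4 (which this page does not describe). It reproduces the blacklist check quoted above and sets it beside an allowlist check that also replaces the client-supplied filename with a server-generated one, so that neither an unlisted extension nor an inner ".php." segment reaches the document root under a name the web server might map to the PHP interpreter. The sample filenames and the allowlist contents are constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example, not the project's code.

// The blacklist as quoted in the report. Anything not listed passes,
// which is how .phtml and .pht get through.
const BAD_EXTENSIONS = ['php', 'php3', 'php4', 'php5', 'phps', 'php6', 'jsp', 'cgi', 'cmf', 'exe'];

function rejectedByBlacklist(string $fileName): bool
{
    $ext = strtolower(pathinfo(basename($fileName), PATHINFO_EXTENSION));
    return in_array($ext, BAD_EXTENSIONS, true);
}

// Hardened variant (assumed allowlist, chosen for the example): only a short
// list of expected extensions is accepted, the comparison is case-insensitive,
// and the caller stores the file under a random name with that extension, so
// the original name (and any "shell.php.jpg"-style inner segment) is never used.
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];

function storageNameForUpload(string $clientFileName): ?string
{
    $ext = strtolower(pathinfo(basename($clientFileName), PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return null; // not on the allowlist: reject
    }
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Runs both checks over a list of filenames and returns the verdicts,
// keyed by filename, as ['blacklist' => bool, 'allowlist' => bool]
// where true means "would be accepted".
function compareFilters(array $fileNames): array
{
    $out = [];
    foreach ($fileNames as $name) {
        $out[$name] = [
            'blacklist' => !rejectedByBlacklist($name),
            'allowlist' => storageNameForUpload($name) !== null,
        ];
    }
    return $out;
}

// Constructed sample filenames, including the two bypasses named in the report.
$samples = ['logo.png', 'shell.php', 'shell.phtml', 'shell.pht', 'SHELL.PHP', 'shell.php.jpg', 'shell.jpg.phtml'];

foreach (compareFilters($samples) as $name => $verdict) {
    printf("%-17s blacklist: %-7s allowlist: %s\n",
        $name,
        $verdict['blacklist'] ? 'ACCEPT' : 'reject',
        $verdict['allowlist'] ? 'accept' : 'reject');
}
```

Running it shows the blacklist accepting shell.phtml, shell.pht and shell.jpg.phtml while the allowlist rejects all three. shell.php.jpg is accepted by both, which is why the hardened path additionally discards the client name: the stored file is then something like 3f9c…e1.jpg and no handler keyed on an inner ".php" segment can match it. An extension check of either kind says nothing about the file's contents; for image uploads a content check (for example getimagesize() or finfo) belongs alongside it, and uploads should land outside any path the server executes scripts from.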
Tags: No tags attached.
Theme: Not defined
Browser: Not defined
PHP Version: Not defined
Database Version: Not defined

Activities

QA (administrator), 2019-04-24 14:02, note ~0012871:

-MK