View Issue Details

ID: 0006973
Project: OXID eShop (all versions)
Category: 4.04. Security
View Status: public
Last Update: 2019-07-31 11:19
Status: resolved
Resolution: fixed
Product Version: 6.1.3
Target Version: 
Fixed in Version: 6.1.4
Summary: 0006973: Admin: File upload extension filter can be bypassed
Description: The security of other file uploads in the admin interface was questioned and subsequently assessed. The reporter found that these endpoints use an insufficient blacklist approach to prohibit an admin from uploading potentially malicious files.
Steps To Reproduce: for steps to reproduce please visit
Additional Information:
Affected File:

Affected Code:
protected $_aBadFiles = ['php', 'php3', 'php4', 'php5', 'phps', 'php6', 'jsp', 'cgi', 'cmf', 'exe'];

Not filtered extensions:
Tags: No tags attached.
Theme: Not defined
Browser: Not defined
PHP Version: Not defined
Database Version: Not defined
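The report's point is that a denylist such as $_aBadFiles only blocks the extensions someone thought to list, while an allowlist rejects everything that is not explicitly needed. The following is an added illustration, not OXID eShop code; the function names, the allowed-extension set and the sample file names are assumptions constructed for this example.

```php
<?php
// Denylist in the style of the affected $_aBadFiles: any extension
// not named here passes, including ones the list's author never considered.
const BAD_EXTENSIONS = ['php', 'php3', 'php4', 'php5', 'phps', 'php6', 'jsp', 'cgi', 'cmf', 'exe'];

// Allowlist: only the extensions this upload feature actually needs (assumed set).
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];

function extensionOf(string $fileName): string
{
    // basename() discards any path component; strtolower() makes "Foo.PHP"
    // compare like "foo.php". pathinfo() returns the part after the last dot,
    // so "image.jpg.php" yields "php".
    return strtolower(pathinfo(basename($fileName), PATHINFO_EXTENSION));
}

// Denylist check: accepts anything whose extension is not on the bad list.
function denylistAllows(string $fileName): bool
{
    return !in_array(extensionOf($fileName), BAD_EXTENSIONS, true);
}

// Allowlist check: accepts only extensions that are explicitly permitted.
function allowlistAllows(string $fileName): bool
{
    $ext = extensionOf($fileName);
    return $ext !== '' && in_array($ext, ALLOWED_EXTENSIONS, true);
}

// Constructed sample names. "unknown.xyz" stands for any extension that is
// absent from the denylist: the denylist passes it, the allowlist does not.
$samples = ['invoice.pdf', 'Logo.PNG', 'script.php', 'image.jpg.php', 'unknown.xyz', 'noextension'];
foreach ($samples as $name) {
    printf("%-14s denylist: %-5s  allowlist: %s\n", $name,
        denylistAllows($name) ? 'pass' : 'block',
        allowlistAllows($name) ? 'pass' : 'block');
}
```

The extension check is only one layer; storing admin uploads outside any directory the web server executes scripts from limits the impact if a filter is bypassed.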

2019-04-24 14:02 administrator ~0012871