View Issue Details

ID: 0006973
Project: OXID eShop (all versions)
Category: 4.04. Security
View Status: public
Last Update: 2019-07-31 11:19
Reporter: marco_steinhaeuser
Assigned To: (none)
Status: resolved
Resolution: fixed
Product Version: 6.1.3
Fixed in Version: 6.1.4
Summary: 0006973: Admin: File upload extension filter can be bypassed

Description:
The security of other file uploads in the admin interface was questioned and subsequently assessed. The reporter found that these endpoints use an insufficient blacklist approach to prohibit an admin from uploading potentially malicious files.
Steps To Reproduce:
For steps to reproduce please visit

Additional Information:
Affected File:

Affected Code:
protected $_aBadFiles = ['php', 'php3', 'php4', 'php5', 'phps', 'php6', 'jsp', 'cgi', 'cmf', 'exe'];

Not filtered extensions:
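As an added example that is not OXID eShop's own code: the blacklist quoted above, reimplemented as a check beside an allowlist check and run over constructed filenames, to show that a blacklist passes every extension it does not name while an allowlist passes only the types the endpoint needs. Function and constant names are hypothetical, and the allowlist is an assumed set for an image upload endpoint.

```php
<?php
// Added example, not OXID eShop code. Names below are hypothetical.

// Blacklist as quoted in the issue: only these extensions are rejected,
// so anything else (including a name with no extension) passes.
const BAD_EXTENSIONS = ['php', 'php3', 'php4', 'php5', 'phps', 'php6', 'jsp', 'cgi', 'cmf', 'exe'];

// Allowlist: assumed set of types an image upload endpoint actually needs.
const ALLOWED_EXTENSIONS = ['png', 'jpg', 'jpeg', 'gif'];

// Extract the final extension, lower-cased; '' when there is none.
function extensionOf(string $name): string
{
    $base = basename($name);              // drop any directory component
    $pos  = strrpos($base, '.');
    if ($pos === false || $pos === strlen($base) - 1) {
        return '';                        // no extension, or a trailing dot
    }
    return strtolower(substr($base, $pos + 1));
}

// Deny-by-list: passes unless the extension is explicitly listed.
function blacklistAllows(string $name): bool
{
    return !in_array(extensionOf($name), BAD_EXTENSIONS, true);
}

// Allow-by-list: passes only when the extension is explicitly permitted.
function allowlistAllows(string $name): bool
{
    $ext = extensionOf($name);
    return $ext !== '' && in_array($ext, ALLOWED_EXTENSIONS, true);
}

// Constructed sample filenames.
$samples = ['logo.png', 'shell.php', 'notes.txt', 'photo.PNG', 'image.png.php', 'noext'];
foreach ($samples as $f) {
    printf("%-15s blacklist:%-5s allowlist:%s\n", $f,
        blacklistAllows($f) ? 'pass' : 'deny',
        allowlistAllows($f) ? 'pass' : 'deny');
}
// notes.txt and noext pass the blacklist but are denied by the allowlist;
// shell.php and image.png.php are denied by both.
```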
Tags: No tags attached.
Theme: Not defined
Browser: Not defined
PHP Version: Not defined
Database Version: Not defined



Note ~0012871 by administrator, 2019-04-24 14:02