View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0006973 | OXID eShop (all versions) | 4.04. Security | public | 2019-04-24 13:25 | 2019-07-31 11:19 |
| Reporter | marco_steinhaeuser | Assigned To | |||
| Priority | normal | Severity | minor | Reproducibility | always |
| Status | resolved | Resolution | fixed | ||
| Product Version | 6.1.3 | ||||
| Fixed in Version | 6.1.4 | ||||
| Summary | 0006973: Admin: File upload extension filter can be bypassed | ||||
| Description | The security of other file uploads in the admin interface was questioned and subsequently assessed. The reporter found that these endpoints use an insufficient blacklist approach to prohibit an admin from uploading potentially malicious files. | ||||
| Steps To Reproduce | for steps to reproduce pls visit https://bugs.oxid-esales.com/view.php?id=6973#c12864 | ||||
| Additional Information | Affected File: vendor/oxid-esales/oxideshop-ce/source/Core/UtilsFile.php Affected Code: protected $_aBadFiles = ['php', 'php3', 'php4', 'php5', 'phps', 'php6', 'jsp', 'cgi', 'cmf', 'exe']; Not filtered extensions: .phtml .pht | ||||
| Tags | No tags attached. | ||||
| Theme | Not defined | ||||
| Browser | Not defined | ||||
| PHP Version | Not defined | ||||
| Database Version | Not defined | ||||
