Possible Security Flaw in Concrete5

I don't know if this has been fixed in the current version, but one of our sites failed a security test. The download_file URL in Concrete5 allows malicious users to change the URL to add directory traversal such as ../ This means they could take a link to the file manager that is something like this:

http://www.mainstreetartsfest.org/index.php/download_file/1234/567

and change it to something like this:

http://www.mainstreetartsfest.org/index.php/download_file/1234/567/../../../../somedir/MySecureFile.xml

Is there a way to prevent this behavior?

fregas
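The two defensive checks that settle a report like this, as an added example that is not Concrete5's code: first, treat the URL segments after download_file strictly as numeric IDs so nothing in the URL can ever be interpreted as a filesystem path; second, for any code path that does build a file path from request data, resolve the result and confirm it still lies inside the allowed root. The function names, the FILES_ROOT directory and the sample URLs (the page's own URLs plus a constructed escaped variant) are assumptions for this example.

```python
import os
import re
from typing import Optional, Tuple
from urllib.parse import unquote, urlsplit

# Constructed root for served files; not a real Concrete5 path.
FILES_ROOT = "/var/www/files"

_NUMERIC = re.compile(r"^[0-9]+$")


def parse_download_ids(url: str) -> Optional[Tuple[int, int]]:
    """Return (fID, fvID) from '/index.php/download_file/<fID>/<fvID>', or None.

    Only two purely numeric segments are accepted after download_file. Any
    extra segment, any '..' and any percent-encoded variant of it is
    rejected, so the URL never reaches the filesystem as a path at all.
    """
    path = urlsplit(url).path  # drops scheme, host, query and fragment
    marker = "/download_file/"
    idx = path.find(marker)
    if idx == -1:
        return None
    tail = path[idx + len(marker):]
    segments = [unquote(s) for s in tail.split("/") if s != ""]
    if len(segments) != 2 or not all(_NUMERIC.match(s) for s in segments):
        return None
    return int(segments[0]), int(segments[1])


def resolve_inside_root(root: str, relative: str) -> Optional[str]:
    """Join `relative` onto `root` and return the resolved absolute path, or
    None if the result escapes `root` (via '../' segments, symlinks or an
    absolute path). realpath() normalises both sides before the comparison,
    so a lexical prefix check is sufficient.
    """
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, relative))
    if candidate == root_real or candidate.startswith(root_real + os.sep):
        return candidate
    return None


# Sample inputs: the two URLs from the post, plus a constructed encoded form.
NORMAL_URL = "http://www.mainstreetartsfest.org/index.php/download_file/1234/567"
TRAVERSAL_URL = (
    "http://www.mainstreetartsfest.org/index.php/download_file/1234/567"
    "/../../../../somedir/MySecureFile.xml"
)
ENCODED_URL = (
    "http://www.mainstreetartsfest.org/index.php/download_file/1234/567"
    "/%2e%2e/%2e%2e/somedir/MySecureFile.xml"
)

if __name__ == "__main__":
    for u in (NORMAL_URL, TRAVERSAL_URL, ENCODED_URL):
        print(u, "->", parse_download_ids(u))
    print(resolve_inside_root(FILES_ROOT, "1234/567/report.pdf"))
    print(resolve_inside_root(FILES_ROOT, "1234/567/../../../../somedir/MySecureFile.xml"))
```

The first check is the one that matches andrew's point below: if the handler only ever looks the IDs up in the database, a `../` in the URL is just a 404. The second check is the general containment test to apply wherever a path really is assembled from request input; note that `1234/567/../report.pdf` still resolves inside the root and is therefore allowed, which is the intended behaviour of a containment check rather than a blanket ban on `..`.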
 
andrew replied:
Hmm. I don't believe this is correct. I'm familiar with directory traversal bugs but the numbers in the URLs are just IDs. They aren't being passed to a download function.

Can you post an example of an inappropriate file being served?
fregas replied:
Can I private message that to you?