CRITICAL SECURITY VERSION UPDATE:
https://github.com/daylightstudio/FUEL-CMS/releases/tag/1.4.13

Insecure generation of "file" type fields in form_fields method of Base_module_model class

futbolsalas15futbolsalas15
edited August 2012 in Bug Reports
When we create modules, one way we can generate file type fields in the form is using the following instructions (as an example):

class Items_venta_model extends Base_module_model{
...
public function form_fields($values = array())
{
...
$fields['ITVE_DESCARGA']['type'] = "file";
$fields['ITVE_DESCARGA']['upload_path'] = "D:/Archivos de Programa/winginx/home/localhost/public_html/colosoft/assets/images/products/";
$fields['ITVE_DESCARGA']['overwrite'] = TRUE;
}
}

The problem is that fuel generate the following HTML code: http://s16.postimage.org/nt7ygyac5/bug_fuel_cms_01.png

In this way, a hacker would know the path of the directory of the server.

I would appreciate that give priority to this bug, because I consider that is critical for create secure modules. Thanks!

Comments

  • adminadmin
    edited 10:04PM
    Thanks for the report. We have implemented a change to encrypt that value and decrypt upon submit on the 1.0 branch. This branch will be the next major release and contains a ton of new features and improvements.
    https://github.com/daylightstudio/FUEL-CMS/tree/1.0

    If you cannot use the 1.0 branch, perhaps you could implement something similar on your model using the on_before_post hook to decrypt the upload_path on the $_POST variable that eventually gets used in processing the uploaded file.
  • futbolsalas15futbolsalas15
    edited 10:04PM
    Thanks for your help!
Sign In or Register to comment.