Hello;
I have a problem.
On my site I use Xinha and ImageManager inside a restricted area (Control Panel),
but after registering an image, I can access the site from another computer that has no session with it and run the script directly to delete the image,
for example:
http://"URL"/xinha/plugins/ImageManager/backend.php?__plugin=ImageManager&__function=images&dir=/&delf=a.jpg
To delete other images you just change the image name at the end. I wonder how to restrict this access to people without permission?
This is not a bug, right?
Yes, it probably is a bug really: there is not sufficient checking to prevent deleting *from the default directory*.
You should use a different directory (images_dir) than the default (which is "demo_images"), and do NOT set the directory in config.inc.php; use the proper passing method. This will make it much harder for people to attack.
with(xinha_config.ImageManager)
{
  // Pass the image directory to the PHP backend in signed form instead of
  // hard-coding it in config.inc.php, so the client cannot choose the directory.
  <?php
    require_once('/path/to/xinha/contrib/php-xinha.php');
    xinha_pass_to_php_backend(
      array(
        'images_dir'   => '/path/to/images', // server filesystem path, outside the default demo_images
        'images_url'   => '/images',         // URL under which that directory is served
        'allow_upload' => true
      )
    );
  ?>
}
James Sleeman
Hello Gogo;
Thanks for the quick response.
Sorry, I have not found the place to put the code.
Ok, sorry for my inattention.
Do you think I should create a bug ticket?
I'm with my team implementing some changes.
As this plugin is for PHP, we are thinking of specifying the name of the session that must be checked before running the backend,
by adding a single line in the file backend.php,
which must verify that the name of the session was set in the settings;
if it is set, it checks that the session is active, and if not, it generates an exception.
This way it does not affect users who already use Xinha.
What do you think?
Should I report the bug, or make and suggest changes?
Last edited by Lucas Vianna (2010-07-07 12:13:41)
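The guard described in the post above, written out as an added example (it is not code from the Xinha project or from the poster). It assumes a hypothetical configuration key, $IMConfig['session_var'], naming the session variable that the Control Panel login sets; when the key is empty the backend behaves as before, and when it is set any request without an active, authorised session is refused before the list/upload/delete dispatch on __function runs. It answers with a 403 and exits rather than throwing, so that no stack trace or path is echoed to an unauthenticated caller:

```php
<?php
// Added example, not part of ImageManager: a session guard meant to run at the
// very top of backend.php, before any __function is dispatched.

// Hypothetical setting (assumed, not an existing ImageManager option): the name
// of the session variable the Control Panel sets when an administrator logs in.
// Leave it empty to keep the unchanged, unchecked behaviour for existing users.
$IMConfig['session_var'] = 'cp_user_id';

function im_require_session(array $config)
{
    // Nothing configured: behave exactly as the stock backend does.
    if (empty($config['session_var'])) {
        return;
    }

    // Resume the site's session if backend.php is reached directly and no
    // session has been started yet (session_id() is '' in that case).
    if (session_id() === '') {
        session_start();
    }

    // No authorised session: refuse before images/upload/delete code runs.
    if (empty($_SESSION[$config['session_var']])) {
        header('HTTP/1.1 403 Forbidden');
        header('Content-Type: text/plain');
        echo 'ImageManager: not authorised';
        exit;
    }
}

im_require_session($IMConfig);

// ... the rest of backend.php (dispatch on $_GET['__function']) follows here.
```

The check only tests that the session variable is non-empty; if the Control Panel stores a user record or role there, the same place is where a stricter test (for example, an "is administrator" flag) belongs.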
Your checks seem like a fine idea to me, for your specific case.
You can report a bug for ImageManager that it should check more carefully that delete etc. is permitted, but whether it gets fixed is another question (of course, you could fix it and submit a patch :-)).
James Sleeman