Code injection via file names

Bug #184390 reported by JW
Affects: Chameleon (inactive) | Status: Invalid | Importance: Undecided | Assigned to: Unassigned | Milestone: (none)

Bug Description

On Unix, almost all characters can be used in filenames. This means the following filenames can be used:
  <script>alert(1)</script>.txt
  ' OR 1=1--.txt
  ' style='test'.txt

In certain places, this can cause problems. In Admin::EntriesController#write, no SQL is called directly; all filenames that are stored in the database should be escaped properly.

In app/views/admin/entries/_type_image.rhtml and .../_type_music.rhtml, however, the following is written:
  if @entry and @entry.type.name == "image" and @entry.contents.length != 0
    "<a href='/" + @entry.contents + "'>View the currently uploaded image</a>" +
    "<br />Upload a new image: "
  end
@entry.contents should be URL escaped.

It is possible that there are still other vulnerabilities related to filenames, in other code. This needs to be checked.

(This error was found thanks to a presentation available at http://events.ccc.de/congress/2007/Fahrplan/events/2212.en.html)
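The attribute breakout described above, as an added example that is neither Chameleon's code nor the reporter's: the report's unescaped concatenation sits beside an escaped version, both run over constructed filenames taken from the report. `vulnerable_link`, `safe_link`, `href_value` and `injection_visible?` are illustrative names, and the `contents` parameter stands in for `@entry.contents`.

```ruby
require "erb"

# Constructed sample filenames mirroring the ones listed in the report
SAMPLE_FILENAMES = [
  "<script>alert(1)</script>.txt",
  "' OR 1=1--.txt",
  "' style='test'.txt",
  "photo.jpg",
].freeze

# Stand-in for the _type_image.rhtml snippet: the filename (the report's
# @entry.contents) is concatenated into the href with no escaping at all.
def vulnerable_link(contents)
  "<a href='/" + contents + "'>View the currently uploaded image</a>"
end

# Hardened version: percent-encode the filename so it can only ever be a path
# segment, then HTML-escape the attribute value so it can never close the quote.
def safe_link(contents)
  path = "/" + ERB::Util.url_encode(contents)
  "<a href=\"" + ERB::Util.html_escape(path) + "\">View the currently uploaded image</a>"
end

# Extracts the href value the way a browser would: up to the first matching
# quote. A truncated value means the filename escaped the attribute.
def href_value(html)
  html[/href=(["'])(.*?)\1/, 2]
end

# True when the rendered markup still carries the attribute or tag that the
# filename tried to inject (i.e. the escaping did not work).
def injection_visible?(html)
  html.include?("style='test'") || html.include?("<script>")
end

if __FILE__ == $0
  SAMPLE_FILENAMES.each do |name|
    puts "filename:   #{name}"
    puts "vulnerable: #{vulnerable_link(name)}  (href=#{href_value(vulnerable_link(name)).inspect})"
    puts "hardened:   #{safe_link(name)}  (href=#{href_value(safe_link(name)).inspect})"
    puts
  end
end
```

Run stand-alone, the script prints both renderings for each filename; for `' style='test'.txt` the vulnerable href collapses to `/` and the injected `style` attribute appears as its own attribute, while the hardened href is `/%27%20style%3D%27test%27.txt` and contains nothing the browser will treat as markup.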

JW (jw-00000) wrote :

Please note this vulnerability can only be triggered by the administrator, or by someone accidentally uploading files with a vulnerable name.

JW (jw-00000) wrote :

This is not a problem, since filenames are saved using their ID. So, filenames are always replaced with numbers.

Changed in chameleon:
status: New → Invalid
This report contains Public Security information  