Code injection via file names
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Chameleon (inactive) | Invalid | Undecided | Unassigned | |
Bug Description
On Unix, almost all characters can be used in filenames. This means the following filenames can be used:

```text
<script>
' OR 1=1--.txt
' style='test'.txt
```
In certain places, this can cause problems. In Admin::

In app/views/

```ruby
# Vulnerable view code as reported: the uploaded file name is concatenated
# straight into the href attribute without escaping.
if @entry and @entry.type.name == "image" and @entry.
  "<a href='/" + @entry.contents + "'>View the currently uploaded image</a>" +
  "<br />Upload a new image: "
end
```
@entry.contents should be URL-escaped before it is interpolated into the href attribute.
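An added example, not code from the Chameleon project: the concatenation from the view above beside a hardened version that uses only Ruby's standard library, plus a small review check, run over constructed file names including the ones listed in this report. The function names, the check and the sample names are my own.

```ruby
require "erb"

# Constructed sample file names echoing the ones in the report (not real uploads).
SAMPLE_NAMES = [
  "photo.png",
  "<script>",
  "' OR 1=1--.txt",
  "' style='test'.txt",
].freeze

LINK_TEXT = "View the currently uploaded image"

# Vulnerable form: the file name is concatenated straight into the href,
# as the view in the report does. A single quote in the name terminates
# the attribute value and whatever follows is parsed as new markup.
def unsafe_image_link(filename)
  "<a href='/" + filename + "'>" + LINK_TEXT + "</a>"
end

# Hardened form: percent-encode the file name as a path segment (so quotes,
# spaces and angle brackets cannot break out of the URL), then HTML-escape
# the result before it lands in the attribute. Both helpers come from
# Ruby's standard library (ERB::Util), so this runs without Rails.
def safe_image_link(filename)
  path = "/" + ERB::Util.url_encode(filename)
  "<a href='" + ERB::Util.html_escape(path) + "'>" + LINK_TEXT + "</a>"
end

# Review check: once inside the single-quoted attribute, the href value must
# contain no raw quote or angle bracket. Returns true when the markup is broken.
def attribute_broken?(html)
  value = html[/<a href='(.*)'>#{Regexp.escape(LINK_TEXT)}<\/a>/m, 1]
  value.nil? || value.match?(/['"<>]/)
end

if __FILE__ == $PROGRAM_NAME
  SAMPLE_NAMES.each do |name|
    puts "#{name.inspect}: unsafe broken=#{attribute_broken?(unsafe_image_link(name))}, " \
         "safe broken=#{attribute_broken?(safe_image_link(name))}"
  end
end
```

Running the script prints, for each sample name, whether the unsafe and the hardened link still form a well-formed attribute.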
It is possible that other code still contains vulnerabilities related to file names. This needs to be checked.
(This error was found thanks to a presentation available at http://
Please note this vulnerability can only be triggered by the administrator, or by someone accidentally uploading files with a vulnerable name.