Comment 4 for bug 1055232

Hugh Davenport (hugh-davenport) wrote : Re: XSS + design flaw = remote code exec

I have confirmed this for all versions back to 1.2, database independent.

I have also tested using the /bin/bash approach (there was a bug with modern browsers using multifile uploads, which will be a separate patch), and this also allows remote code execution.

For point 2, I would suggest fixes 2 and 3. Fix 3 is enough for the revshell uploaded file, but not enough for the /bin/bash (or other shell) approach. Fix 2 solves this, as it only allows an administrator with access to the config.php file to change the path to this file (as with pathtozip and pathtounzip, and since 1.5 pathtoaspell).

For the XSS, fix 1 should be sufficient.

I would avoid fix 4 at this stage, as the file layout has been this way for a long time, and it doesn't have any direct impact on the fixing of the other bugs.

Cheers,

Hugh