kcfinder_vulnerability [2014/03/02 19:42] (current)
joebordes created
 +====== KCFinder Vulnerability ======
  
 + [[http://lists.vtigercrm.com/pipermail/vtigercrm-developers/2014-February/025822.html|Vulnerability Summary for KCFinder]]
 +
 +
 +Thanks to Portcullis Security, whose advisory provided the details and the assistance needed to fix the security hole in the KCFinder library packaged with earlier versions of Vtiger CRM.
 +
 +**Summary**:
 +KCFinder let an authenticated (logged-in) CRM user reach files outside its configured upload directory. The file path used by the download, rename and delete actions was taken from the request without checking that it stayed inside that directory, so any file readable by the web server could be accessed by path traversal (and, through the rename and delete actions, modified). A valid CRM login was required to exploit it.
 +
 +**Update**:
 +The fix applied to KCFinder (changeset 14021) adds a ''filePathAccessible()'' check that resolves the requested path with ''realpath()'' and rejects the request unless the resolved path lies inside the configured ''uploadDir''. The check is applied to the download, rename and delete actions, each of which now aborts with "Invalid file location access." for a path outside that directory. Installations still running the earlier KCFinder library should apply the patch below.
 +
 +{{:vulnerabilidad:kcfinder_vulnerability.diff|this is the patch that fixes the issue}}
 +
 +<code>
 +Index: kcfinder/core/browser.php
 +===================================================================
 +--- kcfinder/core/browser.php (revisión: 7055)
 ++++ kcfinder/core/browser.php (copia de trabajo)
 +@@ -286,6 +286,10 @@
 +         )
 +             $this->errorMsg("Unknown error.");
 + 
 ++ if(!$this->filePathAccessible($file)) {
 ++ $this->errorMsg("Invalid file location access.");
 ++ }
 ++
 +         header("Pragma: public");
 +         header("Expires: 0");
 +         header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
 +@@ -309,6 +313,10 @@
 +         )
 +             $this->errorMsg("Unknown error.");
 + 
 ++ if(!$this->filePathAccessible($file)) {
 ++ $this->errorMsg("Invalid file location access.");
 ++ }
 ++
 +         $newName = trim($this->post['newName']);
 +         if (!strlen($newName))
 +             $this->errorMsg("Please enter new file name.");
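Review bot: The added guard validates only the source path; `$newName`, read on the line right after it, is not passed through the same check in this hunk, so a new name containing a directory separator or `..` would only be caught by code outside the hunk. Unless act_rename already does so further down, a basename check beside the new guard keeps the rename inside the directory: `if (basename($newName) !== $newName) $this->errorMsg("Invalid file name.");`. act_rename starts and ends outside the hunk, so where the existing validation of the new name lives cannot be seen here.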
 +@@ -335,6 +343,12 @@
 + 
 +     protected function act_delete() {
 +         $dir = $this->postDir();
 ++
 ++ $file = "$dir/{$this->post['file']}";
 ++ if(!$this->filePathAccessible($file)) {
 ++ $this->errorMsg("Invalid file location access.");
 ++ }
 ++
 +         if ($this->config['readonly'] ||
 +             !isset($this->post['dir']) ||
 +             !isset($this->post['file']) ||
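Review bot: The new guard dereferences `$this->post['file']` before the existing `!isset($this->post['file'])` check that follows it, so a request without `file` now raises an undefined-index notice and builds a path ending in `/` instead of reaching the intended error path; the guard also runs before the `readonly` check. Move the three added lines (`$file = "$dir/{$this->post['file']}";` and the `filePathAccessible` test) below the existing validation block so `$file` is only built once `dir` and `file` are known to be present; the guard itself is correct in that position. act_delete continues past the end of the hunk, so whether a second `$file` is computed later and should reuse this one cannot be confirmed here.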
 +@@ -769,6 +783,16 @@
 +             die($this->output(array('message' => $message), 'error'));
 +         }
 +     }
 ++
 ++ protected function filePathAccessible($file) {
 ++ // Ensure the file operation is constrained to the uploadDir configured.
 ++ $uploadDirPath = realpath($this->config['uploadDir']);
 ++ $filePath = realpath($file);
 ++ if (strpos($filePath, $uploadDirPath) !== 0) {
 ++ return false;
 ++ }
 ++ return true;
 ++ }
 + }
 + 
 + ?>
 +\ No newline at end of file
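Review bot: The containment test `strpos($filePath, $uploadDirPath) !== 0` is a plain string-prefix check, so a sibling directory whose name begins with the upload directory's name (for example `uploads_old` next to `uploads`) still passes as "inside". It also relies on `strpos()` happening to return false when either `realpath()` call yields `false` (missing file, misconfigured `uploadDir`), rather than failing closed explicitly. Compare against the resolved upload directory followed by a separator, accept the directory itself, and reject unresolvable paths up front; the rewritten method is below. Callers treat a `false` return as fatal via `errorMsg()`, so the contract is unchanged.
```php
    protected function filePathAccessible($file) {
        // Constrain the operation to the configured uploadDir. realpath() resolves
        // symlinks and "..", and returns false for a path that does not exist.
        $uploadDirPath = realpath($this->config['uploadDir']);
        $filePath = realpath($file);
        // Fail closed: an unresolvable upload dir or file is never accessible.
        if ($uploadDirPath === false || $filePath === false) {
            return false;
        }
        // The directory itself, or anything below it; the trailing separator
        // stops a sibling such as "uploads_old" from matching "uploads".
        return $filePath === $uploadDirPath
            || strpos($filePath, $uploadDirPath . DIRECTORY_SEPARATOR) === 0;
    }
```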
 +</code>