[#12531] CWE - 434 : Unrestricted Upload of File with Dangerous Type
Date: 2022-02-21 16:48
Posted By: Ruud van der Velden (ruudvdvelden)
Thank you for reporting.
Please read this:
https://www.cmsmadesimple.org/community/get-involved/report-a-vulnerability
Date: 2022-03-02 20:59
Posted By: tom (tomphantoo)
FWIW, my solution for this sort of thing has been:
1. An extra method FileTypeHelper::is_executable() to report browser-executable files (.phtml etc)
2. Ignore attempted 'internal' uploading of files which are detected by that method
3. In case such files get uploaded by another means, add (during CMSMS installation or upgrade) an execution-blocking .htaccess or web.config into the uploads folder
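The three steps above, as an added example that is not CMSMS code or tom's implementation: the class name UploadGuard, the extension list and the Apache rules are assumptions, and the sample file names are constructed.

```php
<?php
// Hypothetical helper modelled on the FileTypeHelper::is_executable() idea:
// flag uploads whose name carries ANY extension the web server might hand to a
// script engine (so shell.php.jpg is caught as well as shell.php).
final class UploadGuard
{
    // Assumption: extensions commonly mapped to server-side interpreters; tune per host.
    private const EXECUTABLE_EXTS = [
        'php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phtml', 'phar', 'phps',
        'pht', 'shtml', 'cgi', 'pl', 'py', 'asp', 'aspx', 'jsp', 'htaccess',
    ];

    /** True if any dotted segment after the base name is an executable extension. */
    public static function isExecutable(string $filename): bool
    {
        $parts = explode('.', strtolower(basename($filename)));
        array_shift($parts);                 // drop the base name, keep every extension
        foreach ($parts as $ext) {
            if (in_array($ext, self::EXECUTABLE_EXTS, true)) {
                return true;
            }
        }
        return false;
    }

    /** Apache 2.4 rules for the uploads folder (needs AllowOverride AuthConfig). */
    public static function htaccessContents(): string
    {
        $pattern = implode('|', array_map('preg_quote', self::EXECUTABLE_EXTS));
        return "# Written at install/upgrade time: uploads are data, never code\n"
             . "<FilesMatch \"\\.($pattern)(\\.|$)\">\n"   // .php and .php.jpg alike
             . "    Require all denied\n"
             . "</FilesMatch>\n";
    }
}

// Step 2: reject anything the helper flags at upload time.
foreach (['photo.jpg', 'shell.phtml', 'shell.php.jpg', 'SHELL.PHP', '.htaccess'] as $name) {
    printf("%-14s %s\n", $name, UploadGuard::isExecutable($name) ? 'reject' : 'accept');
}
// Step 3, at install/upgrade (web.config is the IIS counterpart, not shown):
// file_put_contents($uploadsDir . '/.htaccess', UploadGuard::htaccessContents());
```

Both layers matter: the helper only covers uploads that pass through it, while the .htaccess denies execution of anything that reaches the folder by another route.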