
security remote code execution | Forum

scott lamburne Aug 5 '14

Hi all, I came across this when checking security on my site. Is it of concern?


Oxwall suffers from an authenticated arbitrary PHP code execution. The vulnerability is caused due to the improper verification of uploaded files in the '/admin/settings/user' script through the 'avatar' and 'bigAvatar' POST parameters. This can be exploited to execute arbitrary PHP code by uploading a malicious PHP script file with a '.php5' extension (to bypass the '.htaccess' block rule) that will be stored in the '/ow_userfiles/plugins/base/avatars/' directory. Version 1.7.0 (builds 7907 and 7906) is affected.


http://packetstormsecurity.com/files/127653/ZSL-2014-5196.txt

Wilson Aug 5 '14
This exploit hack is just for the 1.7.0 build, right? Not 1.6.0? I'm still on the 1.6.0 build!

Wilson
Daisy Aug 5 '14
Guys, we are aware of this vulnerability and it will be eliminated in the upcoming update.
Please do not worry, this vulnerability is quite harmless since to perform the described actions, you have to be logged into the site under the main administrator account.
scott lamburne Aug 6 '14
Thanks for the update, just wanted to make sure it's not a major problem. Great to see you're on top of it. Thanks again.
Daisy Aug 6 '14
Thank you for your reports. :)
Wilson Aug 6 '14
Is there a date for this upcoming update / security patch?

Wilson
Daisy Aug 6 '14
We plan the release in late August, but I don't have any details or a time estimate to share for now.