phpThumb setting - potential security issue

More
11 years 8 months ago #28219 by kenmcd
phpThumb setting - potential security issue was created by kenmcd
Split from original thread/post here:
www.flexicontent.org/forum/index.php?f=2...b_v=viewtopic#p28217

ggppdk wrote: About phpthumb:
i ll change the configuration variable
. . .


Are you sure this will not create other potential security issues?
That allows phpThumb access above the website root.
This could be a big server security problem.

I doubt changing that parameter is the correct solution to this user's issue.

This user has ownership/permissions issues.
And perhaps some other server security related settings are the problem.
Clearly anyone changing directories to 777 has no idea what they are doing.

This just seems like a bad idea for most users without server issues.
AllMedia4Joomla Project
Download AllMedia YouTube Feed Gallery module

Please Log in or Create an account to join the conversation.

More
11 years 8 months ago #28220 by ggppdk
Replied by ggppdk on topic phpThumb setting - potential security issue
You are right it could be a security problem,

but only if a security problem for phpthumb is discovered and an exploit for it is created,

currently, at most this would allow someone to view pictures

-- Flexicontent is Free but involves a big effort on our part.
Like the our support? (for a bug-free FC, despite having a long list of functions) Like the features? Like the ongoing development and future commitment to FLEXIcontent?
-- Add your voice to the FLEXIcontent JED listing with a 5-star...

Please Log in or Create an account to join the conversation.

More
11 years 8 months ago #28240 by kenmcd
Replied by kenmcd on topic phpThumb setting - potential security issue
Security issues in the earlier version of phpThumb used in the original FLEXIcontent allowed some FLEXIcontent user's websites to be compromised.
I found the patches out on the web and fixed my own version.
So this issue is still on my mind.

I do not think one user's ownership/permissions/server issues justifies opening a potential hole for all other users.
Seems to be a work-around not an actual solution.
That is my concern.

But you obviously know more than I do about PHP programming so I respect your decision.
;)
AllMedia4Joomla Project
Download AllMedia YouTube Feed Gallery module

Please Log in or Create an account to join the conversation.

More
11 years 8 months ago #28241 by kenmcd
Replied by kenmcd on topic phpThumb setting - potential security issue
Split posts and moved to our private development forum.
For open discussion.
;)
AllMedia4Joomla Project
Download AllMedia YouTube Feed Gallery module

Please Log in or Create an account to join the conversation.

More
11 years 8 months ago #28244 by ggppdk
Replied by ggppdk on topic phpThumb setting - potential security issue
-- mmm, recently we have updated to newer phpThumb version,
... but i have not commited this change, because of little time to check this, and i cannot be sure of it

-- about security it is important always,
e.g. v1.5.6 / v2.0 has form tampering checks to verify that the HTML the form has not been altered to e.g.
- sumbit (assign item) to an non-allowed category,
- or publish item when not allowed,
- or approve version when not allowed,
- or take advantage of menu-item submit for overcoming permissions

these gave us a few bugs initially, but they were worth it

Ken, have you noticed an hacking of the forum, i had a couple of people telling me that forum was hacked to display viagra pills etc, or was it SPAM posting?

-- Flexicontent is Free but involves a big effort on our part.
Like the our support? (for a bug-free FC, despite having a long list of functions) Like the features? Like the ongoing development and future commitment to FLEXIcontent?
-- Add your voice to the FLEXIcontent JED listing with a 5-star...

Please Log in or Create an account to join the conversation.

More
11 years 8 months ago #28265 by micker
Replied by micker on topic phpThumb setting - potential security issue
A question phpthumb is realy a good solution ?
FLEXIcontent is Free but involves a very big effort on our part.
Like the our support? (for a bug-free FC, despite being huge extension) Like the features? Like the ongoing development and future commitment to FLEXIcontent?
-- Add your voice to the FLEXIcontent JED listing reviews. Thanks![/size]

Please Log in or Create an account to join the conversation.

Moderators: vistamediajoomlacornerggppdk
Time to create page: 0.325 seconds

Last FLEXI-site

Last Faq articles

Newsletter

Last Tutos about FLEXIcontent

Login

Save
Cookies user preferences
We use cookies to ensure you to get the best experience on our website. If you decline the use of cookies, this website may not function as expected.
Accept all
Decline all
Essential
These cookies are needed to make the website work correctly. You can not disable them.
Display
Accept
Analytics
Tools used to analyze the data to measure the effectiveness of a website and to understand how it works.
Google Analytics
Accept
Decline