Join the Mailing List
Security Assessment - RedirectPublished by Tom on 2008/9/8 (7058 reads)
The ImpressCMS Security Team was recently notified of a potential security risk. After extensive assessments we have concluded this is not an actual risk, however we would like to make a formal statement to allow the community insight, this press release will contain the required details.The potential security risk revolved around the xoops_redirect located within user.php and someone gaining access to the directory, however after extensive research we believe the exploit would only show what the person would already know is there and could type into the address bar manually. ImpessCMS distributions ship with an index.html file within the folders that don't contain an index.php file which prevents directory browsing.
It was claimed this could be used as a file and server detection technique, however this still wouldn't resolve files located outside of the webroot such as those included in the trust path so no one could gain access to your database credentials. The only files which would show are those which are located within the webroot and it would be the same as simply typing the address and file name directly into your browser. You can't include any remote urls or traverse back to read files outside of the webroot
http://localhost/ or http://localhost/Test/
We urge users to place simple index.html files within directories that either don't already have an index.php file or index.html. This is especially important for parent directories when you install in sub-directories. Not doing so could allow someone to browser your directories as a file archive.
We hope this sets your mind at ease, however should you have any questions at all then please direct them to our forums where a member of the community will be happy to assist you further.
We believe security is very important and appreciate all reports of potential vulnerabilities. If you think you've found something and would like us to look into it then please report it to member of our community.