
Security Assessment - Redirect

Published by Tom on 2008/9/8 (6444 reads)
The ImpressCMS Security Team was recently notified of a potential security risk. After extensive assessment we have concluded that this is not an actual risk; however, we would like to make a formal statement so that the community has insight into it, and this press release contains the required details.

The potential security risk revolved around the xoops_redirect parameter located within user.php and someone using it to gain access to a directory. After extensive research we believe the exploit would only show what the person already knows is there and could type into the address bar manually. ImpressCMS distributions ship with an index.html file in every folder that does not contain an index.php file, which prevents directory browsing.

user.php?op=main&xoops_redirect=[FILE]

It was claimed this could be used as a file and server detection technique; however, it still cannot resolve files located outside of the webroot, such as those included in the trust path, so no one could gain access to your database credentials. The only files which would show are those located within the webroot, and it would be the same as simply typing the address and file name directly into your browser. You can't include any remote URLs or traverse back to read files outside of the webroot.

http://localhost/ or http://localhost/Test/

Important Notice:

We urge users to place simple index.html files within directories that don't already have an index.php or index.html file. This is especially important for parent directories when you install in a sub-directory. Not doing so could allow someone to browse your directories as a file archive.
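As an added example (not ImpressCMS code), the following Python script audits a web root for directories that contain neither index.php nor index.html and, when asked, drops a blank index.html into each of them. The sample tree it builds under a temporary directory is constructed purely for the demonstration.

```python
import os
import tempfile
from pathlib import Path

# Either of these files stops a typical web server from rendering a listing.
INDEX_NAMES = ("index.php", "index.html")

# Minimal placeholder page, matching the advisory's "simple index.html".
BLANK_INDEX = "<html><body></body></html>\n"


def find_unprotected_dirs(webroot):
    """Return every directory under webroot (webroot itself included)
    that has neither index.php nor index.html, sorted for stable output."""
    missing = []
    for dirpath, dirnames, filenames in os.walk(webroot):
        dirnames.sort()  # deterministic traversal order
        if not any(name in filenames for name in INDEX_NAMES):
            missing.append(Path(dirpath))
    return sorted(missing)


def protect_dirs(webroot, dry_run=True):
    """Write a blank index.html into each unprotected directory.
    With dry_run=True nothing is written; the would-be targets are returned."""
    fixed = []
    for directory in find_unprotected_dirs(webroot):
        if not dry_run:
            (directory / "index.html").write_text(BLANK_INDEX)
        fixed.append(directory)
    return fixed


def build_sample_webroot():
    """Constructed sample tree: the root and 'modules' are protected,
    'uploads' and 'uploads/2008' are not. Returns the root path."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "index.php").write_text("<?php\n")
    (root / "modules").mkdir()
    (root / "modules" / "index.html").write_text(BLANK_INDEX)
    (root / "uploads" / "2008").mkdir(parents=True)
    return root


if __name__ == "__main__":
    root = build_sample_webroot()
    for d in find_unprotected_dirs(root):
        print("listing possible:", d.relative_to(root))
    protect_dirs(root, dry_run=False)
    print("remaining:", find_unprotected_dirs(root))
```

Run it against a real install with `find_unprotected_dirs("/path/to/htdocs")` first, and only call `protect_dirs(..., dry_run=False)` once the reported list looks right.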

We hope this sets your mind at ease. Should you have any questions at all, please direct them to our forums, where a member of the community will be happy to assist you further.

We believe security is very important and appreciate all reports of potential vulnerabilities. If you think you've found something and would like us to look into it, please report it to a member of our community.
GibaPhp
Posted: 2008/9/9 17:49  Updated: 2008/9/9 17:50

Security Assessment - redirect

Thanks, team, for this report.