[pLog-svn] r6278 - in plog/branches/lifetype-1.2/class:data/validator misc test/tests/misc

Jon Daley plogworld at jon.limedaley.com
Sat Mar 29 16:30:38 EDT 2008


 	Okay, I agree that 1.2.x with encoded file names is okay. 
test.PHP could be successfully uploaded, but it would be renamed to 
/1/1-69.php which would then be disallowed by the apache rule.
 	Hosts that don't allow Limit directives in their .htaccess would 
be vulnerable.  I don't know what stuff hosts typically don't allow. 
There have definitely been some users who have had to remove the htaccess 
files in order to allow their blog to work.


On Sat, 29 Mar 2008, Jon Daley wrote:

> On Sun, 30 Mar 2008, Mark Wu wrote:
>> This issue only happened when a user uses the original file name format,
>> because it will keep the original name, just like "phpinfo.PHP"
> 	I was wondering if that were the case.  I convinced myself that it 
> could happen with encoded names too.  The file is saved as 123.php or 
> something, right?  And then as long as you knew the name, you could still 
> access it directly couldn't you?
>
>> BTW, the apache document is wrong. The addType is "case-insensitive" ....
> 	Yes.  I just verified on a 1and1 installation that .PHP works fine.
>
>> So, 1.0 & 1.1 are okay. 1.2 with encoded file name is okay, too. But 1.2 
>> with original file name is not okay.
> 	I think the only reason that the encoded names are okay is because 
> there is a strtolower on the extension during the upload?  Otherwise, 
> /gallery/1/1-69.PHP would still be accessible.  There have been some 
> different strtolower issues with resources recently, I am not sure if the 
> current 1.2-dev encoded names are okay, but 1.2.6 would not be?  I'll try to 
> revert those changes and see if I can break it.
>
> _______________________________________________
> pLog-svn mailing list
> pLog-svn at devel.lifetype.net
> http://limedaley.com/mailman/listinfo/plog-svn
>

-- 
Jon Daley
http://jon.limedaley.com/

If at first you don't succeed, you're doing about average.
-- Leonard Levinson
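An added illustration of the strtolower point discussed in the thread (this is example code, not LifeType's own validator): the same extension check done case-sensitively and case-insensitively, and an encoded-name helper whose path layout is assumed from the /1/1-69.php example above.

```php
<?php
// Example code, not part of LifeType. Apache's AddType matches extensions
// without regard to case, so "phpinfo.PHP" is handed to the PHP engine just
// like "phpinfo.php". Any check that compares the raw extension misses it.

/** Extensions the web server would execute (illustrative list). */
function executableExtensions()
{
    return array('php', 'php3', 'php4', 'php5', 'phtml');
}

/** Naive check: exact, case-sensitive comparison. Misses "phpinfo.PHP". */
function isExecutableCaseSensitive($fileName)
{
    $ext = pathinfo($fileName, PATHINFO_EXTENSION);
    return in_array($ext, executableExtensions(), true);
}

/** Correct check: lowercase the extension first, as the upload path does. */
function isExecutableCaseInsensitive($fileName)
{
    $ext = strtolower(pathinfo($fileName, PATHINFO_EXTENSION));
    return in_array($ext, executableExtensions(), true);
}

/**
 * Encoded resource name. The "<folder>/<folder>-<id>.<ext>" layout is an
 * assumption taken from the /1/1-69.php example in the thread. The original
 * name is discarded and the extension is lowercased, so the stored path is
 * predictable and can be covered by a single .htaccess rule.
 */
function encodedResourceName($folderId, $resourceId, $originalName)
{
    $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    return sprintf('%d/%d-%d.%s', $folderId, $folderId, $resourceId, $ext);
}

// Constructed sample names: mixed-case ones are the interesting cases.
foreach (array('phpinfo.php', 'phpinfo.PHP', 'test.PhP', 'photo.JPG') as $name) {
    printf("%-12s sensitive=%-5s insensitive=%-5s encoded=%s\n",
        $name,
        isExecutableCaseSensitive($name) ? 'yes' : 'no',
        isExecutableCaseInsensitive($name) ? 'yes' : 'no',
        encodedResourceName(1, 69, $name));
}
```

Run with `php example.php`: only the case-insensitive check flags the ".PHP" and ".PhP" uploads, and every encoded name ends in a lowercase extension.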
