Details
-
Bug
-
Status: Closed (View Workflow)
-
Major
-
Resolution: Fixed
-
3.0.8
-
None
Description
When you're going to edit any template file with ACP/Styles/Templates -> edit feature, you can access any files on webserver by replacing the value for name=template_file in form input tag with any path going upwards, like
..../..../..../index.php
|
As a result you can read any files (imagine config.php) as well as write any custom code (including shells/etc) into writable directories like /cache.
The problematic code is in includes/acp/acp_styles.php, function edit_template():
// make sure template_file path doesn't go upwards
|
$template_file = str_replace('..', '.', $template_file);
|
which doesn't really make its job since ..../ is being replaced with ../ and hence allows you to go directory upwards anyway.
Never let your co-admins (who doesn't have founder permissions / ftp access) to use ACP template edit feature until this bug is unfixed 