Security Issue: unauthenticated users can upload files about projectsend HOT 11 CLOSED

This seems to be because the function check_for_session(); being called in process-upload.php is not loaded and available when is executed directly - In testing I was able to immediately fix this by modifying the process-upload.php file to require includes/userlevel_check.php.

from projectsend.

Hi

does adding
require_once('header.php');
or
require_once('includes/userlevel_check.php');
fix the problem?

from projectsend.

Yes

from projectsend.

Hi,

Which one?
I'm a little bit confused..

require_once('sys.includes.php'); is already there and it's including
require_once(ROOT_DIR.'/includes/userlevel_check.php');
already so we don't need to add this...

So instead do we need to add require_once('header.php');

from projectsend.

No – the “fix” I put in was incorrect.
I had a syntax error in it, so it was actually blocking any uploads. When I fixed the typo, it still allowed the unauthenticated upload.

from projectsend.

I believe I have resolved the issue on my system by implementing two changes.

1. In process_upload.php modified line 8 to die if the return from check is false
2. In userlevel_check.php, added lines to the check_for_session() function to return true or false
   I was able to successfully upload files when logged in, but the direct upload via python script was unsuccessful.

from projectsend.

@mriolo
I can confirm that your changes are blocking the upload of unauthenticated users.

from projectsend.

+1 good
Thanks

from projectsend.

Hi
@baldzern4 @mriolo do you mind to check these security issues, if they are still present...
#80

Thanks

from projectsend.

Hi @lenamtl yes these are still present and they are really critical.
With just one call you can add a new admin to the system. This has to be fixed ASAP.
BR

from projectsend.

Hi I merge pulled requests about security fix, you can download the files and test it.

from projectsend.