View Issue Details

ID: 14650
Project: Feature requests
Category: Security
View Status: public
Last Update: 2020-07-24 09:19
Reporter: DenisChenu
Assigned To: (none)
Priority: none
Severity: feature
Status: new
Resolution: open
Summary: 14650: Really throw error when user tries to hack server
Description

Looking at https://github.com/LimeSurvey/LimeSurvey/commit/1ed10d3c423187712b8f6a8cb2bc9d5cc3b2deb8
I think it's a bad solution

  1. We must throw a Bad Request if params are invalid
  2. We must throw a 401 if the file doesn't exist (here: white 200 empty page (I think))
Additional Information

Solution can be to create a function like this

getAbsoluteFileName($fileName,$basedirectory)

Check final dir: throw a 400 if different
Check file exists: throw a 401 if not
Finally: return the absolute path of the file
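As an added example, not LimeSurvey's own code, here is a PHP sketch of the getAbsoluteFileName() contract described above; the HttpError class and the temporary-directory demo are assumptions standing in for the framework's HTTP exception and the real upload directory.

```php
<?php
// Added example, not LimeSurvey code: the getAbsoluteFileName() contract proposed
// in this issue: 400 when the resolved path leaves the base directory, 401 when the
// file is missing. HttpError is an assumption standing in for the framework exception.
class HttpError extends RuntimeException
{
    public function __construct(public int $status, string $message) { parent::__construct($message); }
}

function getAbsoluteFileName(string $fileName, string $baseDirectory): string
{
    if (($base = realpath($baseDirectory)) === false) {
        throw new HttpError(500, 'Base directory is not available');
    }
    // Reject NUL bytes and absolute paths before touching the filesystem.
    if ($fileName === '' || strpos($fileName, "\0") !== false
        || $fileName[0] === '/' || preg_match('#^[A-Za-z]:[\\\\/]#', $fileName)) {
        throw new HttpError(400, 'Bad request: invalid file name');
    }
    $candidate = $base . DIRECTORY_SEPARATOR . $fileName;
    // Check final dir: the parent must resolve inside $base; realpath() collapses
    // "..", so a traversal attempt lands outside and is refused with 400.
    $dir = realpath(dirname($candidate));
    if ($dir === false || ($dir !== $base && strpos($dir, $base . DIRECTORY_SEPARATOR) !== 0)) {
        throw new HttpError(400, 'Bad request: file must be inside the base directory');
    }
    // Check file exists; realpath() follows symlinks, so re-check the base afterwards.
    $absolute = realpath($candidate);
    if ($absolute === false || !is_file($absolute)) {
        throw new HttpError(401, 'File does not exist');
    }
    if (strpos($absolute, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new HttpError(400, 'Bad request: file resolves outside the base directory');
    }
    return $absolute;
}

// Demo on a constructed temporary layout (assumes a writable system temp dir).
$demo = sys_get_temp_dir() . '/ls_example_' . getmypid();
mkdir("$demo/upload", 0700, true);
file_put_contents("$demo/upload/logo.png", 'constructed sample');
foreach (['upload/logo.png', 'upload/missing.png', '../../etc/passwd'] as $name) {
    try {
        echo getAbsoluteFileName($name, $demo), "\n";
    } catch (HttpError $e) {
        echo $e->status, ' ', $e->getMessage(), "\n";
    }
}
unlink("$demo/upload/logo.png"); rmdir("$demo/upload"); rmdir($demo);
```

Because the checks raise distinct status codes, a front-end log filter (fail2ban style, as the later note suggests) can tell a malformed request from a missing file.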

Tags: No tags attached.

Relationships

related to 13652 (resolved, dominikvitt, Feature requests): Revert to inherited button for modified files
related to 16470 (new, Development): Use real http header instead of redirect for permission denial

Activities

DenisChenu (developer), 2019-03-14 18:07, note ~50991

Maybe in 4.0 if you're OK?

DenisChenu (developer), 2019-03-18 15:45, note ~51032 (last edited: 2019-03-18 15:48)

@LouisGac and @c_schmitz: another reason to have a clear 400 or 401 etc.: logging attacks is something very important. And some tools use it to autoban IPs.

fail2ban for example: https://stackoverflow.com/questions/24250946/fail2ban-to-block-403-errors-apache

But better: https://github.com/fail2ban/fail2ban/blob/master/config/filter.d/apache-noscript.conf (for 401 here)

Issue History

Date Modified Username Field Change
2019-03-14 18:07 DenisChenu New Issue
2019-03-14 18:07 DenisChenu Assigned To => LouisGac
2019-03-14 18:07 DenisChenu Status new => feedback
2019-03-14 18:07 DenisChenu Note Added: 50991
2019-03-14 18:07 DenisChenu Assigned To LouisGac =>
2019-03-18 15:45 DenisChenu Note Added: 51032
2019-03-18 15:45 DenisChenu Status feedback => new
2019-03-18 15:45 DenisChenu Relationship added related to 13652
2019-03-18 15:48 DenisChenu Note Edited: 51032 View Revisions
2020-07-24 09:19 DenisChenu Relationship added related to 16470