View Issue Details

ID: 14650
Project: Feature requests
Category: [All Projects] Security
View Status: public
Last Update: 2019-03-18 15:48
Reporter: DenisChenu
Assigned To:
Priority: none
Severity: feature
Status: new
Resolution: open
Product Version:
Target Version:
Fixed in Version:
Summary: 14650: Really throw an error when a user tries to hack the server
Description

Looking at https://github.com/LimeSurvey/LimeSurvey/commit/1ed10d3c423187712b8f6a8cb2bc9d5cc3b2deb8
I think it's a bad solution

  1. We must throw a Bad Request if params are invalid
  2. We must throw a 401 if the file doesn't exist (here: white 200 empty page, I think)
Additional Information

Solution can be to create a function like this:

getAbsoluteFileName($fileName,$basedirectory)

Check final dir: throw a 400 if different
Check file exists: throw a 401 if not
Finally: return the absolute path of the file
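The helper the report sketches, written out as an added example (not LimeSurvey code). It keeps the reporter's status codes (400 when the resolved directory differs from the base directory, 401 when the file is missing); the HttpError class is a stand-in for the framework exception LimeSurvey would use (CHttpException in Yii), so the snippet runs on its own under PHP 8.

```php
<?php
// Stand-in for a framework HTTP exception (assumption: LimeSurvey would throw CHttpException).
class HttpError extends RuntimeException
{
    public int $status;
    public function __construct(int $status, string $message)
    {
        parent::__construct($message);
        $this->status = $status;
    }
}

/**
 * Resolve $fileName inside $baseDirectory, as proposed in the report:
 *  - 400 if the resolved parent directory is not $baseDirectory (traversal, symlink, sub-dir),
 *  - 401 if the file does not exist (the reporter's choice; 404 is the conventional code),
 *  - otherwise the absolute path of the file.
 */
function getAbsoluteFileName(string $fileName, string $baseDirectory): string
{
    // Reject parameters that cannot name a plain file at all (empty name, embedded NUL).
    if ($fileName === '' || str_contains($fileName, "\0")) {
        throw new HttpError(400, 'Bad request: invalid file name');
    }
    $base = realpath($baseDirectory);
    if ($base === false) {
        throw new RuntimeException("Base directory does not exist: $baseDirectory");
    }

    // "Check final dir": resolve ../ and symlinks on the parent directory first, so a probe
    // for a file outside $base is answered with 400 whether or not that file exists.
    $candidate = $base . DIRECTORY_SEPARATOR . $fileName;
    $realDir = realpath(dirname($candidate));
    if ($realDir === false || $realDir !== $base) {
        throw new HttpError(400, 'Bad request: file name escapes the base directory');
    }

    // "Check file exist": only now decide between 401 and success.
    $real = realpath($candidate);
    if ($real === false || !is_file($real) || dirname($real) !== $base) {
        throw new HttpError(401, 'File not found');
    }
    return $real;
}

// Constructed demonstration against the system temp directory.
$tmp = sys_get_temp_dir();
foreach (['../etc/passwd', 'does-not-exist.txt'] as $name) {
    try {
        getAbsoluteFileName($name, $tmp);
    } catch (HttpError $e) {
        echo $e->status, ' ', $e->getMessage(), PHP_EOL;
    }
}
```

Both calls in the demonstration throw: the traversal attempt is mapped to 400 before any file lookup, the missing file to 401, which gives the web server a distinct status line to log for each case.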

Tags: No tags attached.

Relationships

related to 13652 (resolved, dominikvitt, Feature requests): Revert to inherited button for modified files

Activities

DenisChenu (developer), 2019-03-14 18:07, ~50991

Maybe in 4.0 if you're OK ?

DenisChenu (developer), 2019-03-18 15:45, ~51032 (last edited: 2019-03-18 15:48)

@LouisGac and @c_schmitz: another reason to have a clear 400 or 401 etc. …: logging attacks is something very important. And some tools use it to auto-ban IPs.

fail2ban for example: https://stackoverflow.com/questions/24250946/fail2ban-to-block-403-errors-apache

But better: https://github.com/fail2ban/fail2ban/blob/master/config/filter.d/apache-noscript.conf (for 401 here)

Issue History

Date Modified Username Field Change
2019-03-14 18:07 DenisChenu New Issue
2019-03-14 18:07 DenisChenu Assigned To => LouisGac
2019-03-14 18:07 DenisChenu Status new => feedback
2019-03-14 18:07 DenisChenu Note Added: 50991
2019-03-14 18:07 DenisChenu Assigned To LouisGac =>
2019-03-18 15:45 DenisChenu Note Added: 51032
2019-03-18 15:45 DenisChenu Status feedback => new
2019-03-18 15:45 DenisChenu Relationship added related to 13652
2019-03-18 15:48 DenisChenu Note Edited: 51032