Joomla! Issue Tracker - CMS

Download
Launch
Feeling Lucky

[#14207] - [com_fields] [3.7b3] [SECURITY] The Gallery Fields

?
avatar PhilETaylor
PhilETaylor
23 Feb 2017

Steps to reproduce the issue

Add a Gallery field with a directory setting outside of the Joomla root

screen shot 2017-02-23 at 17 16 30

Expected result

I expect that Joomla should not be able to go outside its webspace

Actual result

Time out on my local machine as ../../../ eventually gets to the / and tries to list all folders on my mac

With different values of "directory" I can access different places on the server

System information (as much as possible)

Additional comments

avatar PhilETaylor PhilETaylor - open - 23 Feb 2017
avatar joomla-cms-bot joomla-cms-bot - change - 23 Feb 2017
Labels Added: ?
avatar joomla-cms-bot joomla-cms-bot - labeled - 23 Feb 2017
avatar PhilETaylor
PhilETaylor - comment - 23 Feb 2017

Also if I set the folder to be (outside of the joomla root) /Users/phil/Sites/remotebfb/Users/phil/Dropbox/CameraUploads

And then select "One"., the folder name that is at /Users/phil/Sites/remotebfb/Users/phil/Dropbox/CameraUploads/One

And then render on the frontend I get:

screen shot 2017-02-23 at 17 26 50

avatar zero-24
zero-24 - comment - 23 Feb 2017

see #14216

avatar zero-24 zero-24 - change - 23 Feb 2017
Status New Closed
Closed_Date 0000-00-00 00:00:00 2017-02-23 18:53:12
Closed_By zero-24
avatar zero-24 zero-24 - close - 23 Feb 2017

Add a Comment

Login with GitHub to post a comment