CVE-2023-4196: Prevent uploading .phps + .html files in assets manager · Cockpit-HQ/Cockpit@039a00c
Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/cockpit prior to 2.6.3.
@@ -67,6 +67,8 @@
$allowed = $allowed == ‘*’ ? true : str_replace([' ', ‘,’], ['’, ‘|’], preg_quote(is_array($allowed) ? implode(',’, $allowed) : $allowed));
$max_size = $this->app->retrieve('assets/max_upload_size’, 0);
$forbidden = ['php’, 'phar’, 'phtml’, 'phps’, 'htm’, 'html’, ‘htaccess’];
if (isset($files[‘name’]) && is_array($files[‘name’])) {
$cnt = count($files[‘name’]);
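Review bot: the new `$forbidden` denylist in this hunk is a local literal inside the upload routine; a denylist of extensions is inherently incomplete (for example `xhtml`, `shtml` or an `svg` carrying inline script are not in it), so rather than growing this list in place, move it to one named constant or configurable setting and make the `$allowed` allowlist computed on the first visible line the primary decision, with `$forbidden` as a backstop. Serving user uploads with `X-Content-Type-Options: nosniff` and `Content-Disposition: attachment` (or from a separate origin) would also limit stored XSS regardless of which extensions the list covers.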
@@ -78,7 +80,7 @@
$_sizeAllowed = $max_size ? filesize($files[‘tmp_name’][$i]) < $max_size : true;
// prevent uploading php files
if ($_isAllowed && in_array(strtolower(pathinfo($_file, PATHINFO_EXTENSION)), ['php’, 'phar’, 'phtml’, ‘phps’])) {
if ($_isAllowed && in_array(strtolower(pathinfo($_file, PATHINFO_EXTENSION)), $forbidden)) {
$_isAllowed = false;
}
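Review bot: the comment `// prevent uploading php files` above the changed line is now stale, since `$forbidden` also rejects `htm`, `html` and `htaccess`; reword it to say that files the web server or browser would execute are rejected. Note also that `pathinfo($_file, PATHINFO_EXTENSION)` inspects only the final extension, so a name with several dot-separated segments is judged by its last one alone; checking every segment against `$forbidden` would not depend on how the web server resolves multi-extension names.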
Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/cockpit prior to 2.6.3. For any role that has permission to execute function assets, an attacker can upload a html file and that leads to XSS.
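The advisory above describes a stored XSS that arises because a user holding the assets permission can upload an HTML file which the browser then renders. The following is an added example, not Cockpit's own code, of an upload-name guard that implements the two points a reviewer would want: it checks every dot-separated segment of the filename against the denylist from the commit rather than only the last extension, and it requires the final extension to be on an explicit allowlist. The function name `isUploadNameAllowed`, the constant `FORBIDDEN_EXTENSIONS` and the sample filenames are assumptions made for this illustration.

```php
<?php
// Added example (not Cockpit's own code): an upload-extension guard that
// examines every dot-separated segment of the filename, not only the last one,
// and combines the denylist from the commit with an explicit allowlist.

// Same extensions the commit rejects; the name of this constant is assumed.
const FORBIDDEN_EXTENSIONS = ['php', 'phar', 'phtml', 'phps', 'htm', 'html', 'htaccess'];

/**
 * Return true when $filename is acceptable for storage in a public assets folder.
 *
 * @param string   $filename  client-supplied name (only its basename is used)
 * @param string[] $allowed   allowlist of permitted final extensions; ['*'] permits any
 */
function isUploadNameAllowed(string $filename, array $allowed = ['*']): bool
{
    $name = strtolower(basename($filename));

    // Reject empty names, dotfiles such as ".htaccess", and names without an extension.
    if ($name === '' || $name[0] === '.' || strpos($name, '.') === false) {
        return false;
    }

    $segments = explode('.', $name);
    array_shift($segments);            // drop the base name, keep every extension segment
    foreach ($segments as $ext) {
        // Empty segments ("a..jpg") and any forbidden segment anywhere in the
        // name ("shell.php.jpg", "page.html.png") are rejected.
        if ($ext === '' || in_array($ext, FORBIDDEN_EXTENSIONS, true)) {
            return false;
        }
    }

    // The final extension must be on the allowlist unless the allowlist is '*'.
    $last = end($segments);
    return in_array('*', $allowed, true) || in_array($last, $allowed, true);
}

// Constructed sample filenames with the verdict each should receive.
$samples = [
    'photo.jpg'     => true,
    'PAGE.HTML'     => false,
    'shell.php.jpg' => false,
    '.htaccess'     => false,
    'a..jpg'        => false,
    'report.pdf'    => true,
];
foreach ($samples as $file => $expected) {
    $verdict = isUploadNameAllowed($file, ['jpg', 'png', 'pdf']);
    printf("%-16s %s\n", $file, $verdict === $expected ? 'ok' : 'MISMATCH');
}
```

The guard is deliberately stricter than the patched check: with the allowlist in control, a newly discovered executable or renderable extension is rejected by default instead of waiting for an addition to the denylist, and lowercasing the whole name before splitting keeps the comparison case-insensitive in the same way the commit's `strtolower` call does.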