PrettyURLs plugin: htaccess editor poses potential threats #379
Comments
Hello everyone, in general the admin area is a secure area that is reserved for the admin only. I think editing the .htaccess file from the frontend is a cool feature. I therefore vote in favor of retaining this feature. With best regards
Hi everyone, The PrettyURLs plugin currently allows administrators to directly edit the .htaccess file through its interface. This functionality can pose a significant security risk. For instance, administrators can add directives that treat non-standard file extensions as executable PHP files (e.g., AddType application/x-httpd-php .abc). An attacker who gains admin access could upload a malicious .abc file that executes arbitrary code when accessed, leading to Remote Code Execution (RCE). Suggested Actions:
Hello everyone, in principle I think an integrity check / strict validation and an additional security prompt is not wrong. But, from a further point of view:
Wouldn't we rather leave the validation and integrity check of the .htaccess file to the web server admin? They are better placed to determine which actions are permitted in the .htaccess file and which are not. In my view, it would be sufficient if an additional security prompt appeared after a change, before the file is overwritten. As a quick, flexible solution: you could use the active FlatPress Protect plugin to hide the edit field. If the FlatPress Protect plugin is deactivated, the editing field is displayed. (Expert mode ON/OFF 😁 ) What do you think? With best regards
Thanks for your detailed input, @JuyLang! @Fraenkiman, it would be good to have the FlatPress Protect plugin activated by default - is there any reason not to?
Seems a fitting solution to me, thanks a lot!
As pointed out in #217 by @JuyLang, enabling the site admin to edit the .htaccess file directly may lead to remote code execution (RCE):
    AddType application/x-httpd-php .abc
to .htaccess content -> this makes your web server treat .abc files as PHP files to be executed
some content (for the .abc file):
    <?php system($_GET['cmd']); ?>
Although all of the above is only possible when logged in as site admin properly, it is worth discussing if the .htaccess editor in the PrettyURLs plugin is really necessary. If not, it should be removed.
Your opinions, please!
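Added here as a worked example (it is not code from FlatPress or the PrettyURLs plugin): a PHP check the editor could run before overwriting .htaccess, covering the AddType case raised in the issue and in @JuyLang's comment, and the "strict validation before the file is overwritten" idea from the later comment. The blocked-directive list, the function names and the sample .htaccess content are this example's own assumptions; it needs PHP 8 for str_ends_with(). It also joins backslash-continued lines, since Apache reads "Add\" followed by "Type ..." as one directive and a line-by-line check that ignores that would be trivially bypassed.

```php
<?php
declare(strict_types=1);

// Added example (not FlatPress or PrettyURLs code): a check the .htaccess
// editor could run before overwriting the file. It refuses content that
// contains directives able to change how files are executed or interpreted,
// which is what the AddType trick from the issue relies on. The directive
// list, function names and sample content are this example's own choices.

// Directives that can turn an uploaded file into executable code or alter
// the handler/interpreter pipeline. Matched case-insensitively against the
// first token of each logical line.
const HTACCESS_BLOCKED_DIRECTIVES = [
    'AddType', 'AddHandler', 'SetHandler', 'RemoveHandler', 'ForceType',
    'AddOutputFilter', 'AddOutputFilterByType', 'SetOutputFilter',
    'AddInputFilter', 'SetInputFilter',
    'Action', 'Script',                                           // mod_actions
    'php_value', 'php_flag', 'php_admin_value', 'php_admin_flag', // e.g. auto_prepend_file
    'Include', 'IncludeOptional',
];

/**
 * Join backslash-continued lines the way Apache does, so "Add\" on one line
 * and "Type ..." on the next is checked as "AddType ...". Returns logical
 * lines keyed by the physical line number they start on.
 */
function htaccess_logical_lines(string $content): array
{
    $logical = [];
    $buffer = '';
    $start = 0;
    $continuing = false;
    foreach (preg_split('/\r\n|\r|\n/', $content) as $i => $raw) {
        if ($continuing) {
            $buffer .= ltrim($raw);
        } else {
            $start = $i + 1;
            $buffer = $raw;
        }
        $trimmed = rtrim($buffer);
        if (str_ends_with($trimmed, '\\')) {
            $buffer = substr($trimmed, 0, -1);
            $continuing = true;
            continue;
        }
        $logical[$start] = $buffer;
        $continuing = false;
    }
    if ($continuing) {
        $logical[$start] = $buffer; // file ended on a continuation line
    }
    return $logical;
}

/**
 * Return "line N: directive" entries for every blocked directive found.
 * An empty list means none of the blocked directives is present.
 */
function htaccess_violations(string $content): array
{
    $blocked = array_map('strtolower', HTACCESS_BLOCKED_DIRECTIVES);
    $violations = [];
    foreach (htaccess_logical_lines($content) as $lineNo => $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === '#') {
            continue; // blank line or comment
        }
        $tokens = preg_split('/\s+/', $line);
        $name = strtolower($tokens[0]);
        if (in_array($name, $blocked, true)) {
            $violations[] = "line $lineNo: {$tokens[0]}";
            continue;
        }
        // "Options" is needed for things like +FollowSymLinks, but ExecCGI,
        // Includes and All enable CGI or server-side includes, another route
        // to code execution, so those values are refused too.
        if ($name === 'options') {
            foreach (array_slice($tokens, 1) as $opt) {
                if (preg_match('/^\+?(ExecCGI|Includes|All)$/i', $opt)) {
                    $violations[] = "line $lineNo: Options $opt";
                    break;
                }
            }
        }
    }
    return $violations;
}

function htaccess_is_safe(string $content): bool
{
    return htaccess_violations($content) === [];
}

// Gate for the editor's save action: the write only happens when the check passes.
function htaccess_save_if_safe(string $path, string $newContent): bool
{
    if (!htaccess_is_safe($newContent)) {
        return false; // caller shows htaccess_violations() to the admin instead
    }
    return file_put_contents($path, $newContent) !== false;
}

// Constructed sample: a rewrite block of the kind a pretty-URL plugin writes,
// followed by the directive from the issue, split over a continuation line.
const SAMPLE_HTACCESS = <<<'HTACCESS'
# constructed sample content
Options +FollowSymLinks
RewriteEngine On
RewriteRule ^(.*)$ index.php?u=$1 [L,QSA]

Add\
Type application/x-httpd-php .abc
HTACCESS;

foreach (htaccess_violations(SAMPLE_HTACCESS) as $v) {
    echo "refused: $v", PHP_EOL;
}
echo htaccess_is_safe("RewriteEngine On\nRewriteRule ^(.*)$ index.php?u=\$1 [L,QSA]\n") ? "ok" : "refused", PHP_EOL;
```

This is a denylist, so it reduces the attack surface rather than proving the file harmless; it is a complement to, not a replacement for, the server-side control mentioned above. On Apache 2.4 the web server admin can enforce that control independently of the plugin with AllowOverrideList in the vhost (listing only the RewriteEngine, RewriteBase, RewriteCond and RewriteRule directives the plugin needs), which makes an AddType or SetHandler line in .htaccess a configuration error instead of a working handler change. Removing the editor altogether, as the issue proposes, removes the code path entirely.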