PrettyURLs plugin: htaccess editor poses potential threats #379

Closed
azett opened this issue Apr 21, 2024 · 6 comments
Comments

@azett
Member

azett commented Apr 21, 2024

As pointed out in #217 by @JuyLang, enabling the site admin to edit the .htaccess file directly may lead to remote code execution (RCE):

  • Go to Admin Area / Plugins / PrettyURLs Config
  • add AddType application/x-httpd-php .abc to .htaccess content -> this makes your web server treat .abc files as PHP files to be executed
  • upload a test.abc file with content some content <?php system($_GET['cmd']); ?>
  • Call http://yourflatpress/fp-content/attachs/test.abc?cmd=whoami -> boom, RCE ☠️

Although all of the above is only possible when logged in as site admin properly, it is worth discussing if the .htaccess editor in the PrettyURLs plugin is really necessary. If not, it should be removed.

Your opinions, please!

azett added the labels security and More feedback required Apr 21, 2024
@Fraenkiman
Collaborator

Hello everyone,

In general, the admin area is a secure area that is reserved for the admin only. I think editing the .htaccess file from the frontend is a cool feature. I therefore vote in favor of retaining this feature.

With best regards
Frank

@JuyLang

JuyLang commented Apr 22, 2024

Hi everyone,

The PrettyURLs plugin currently allows administrators to directly edit the .htaccess file through its interface. This functionality can pose a significant security risk. For instance, administrators can add directives that treat non-standard file extensions as executable PHP files (e.g., AddType application/x-httpd-php .abc). An attacker who gains admin access could upload a malicious .abc file that executes arbitrary code when accessed, leading to Remote Code Execution (RCE).

Suggested Actions:

  • Evaluate whether direct .htaccess editing is essential for this plugin. If not, consider removing this capability.
  • Restrict Editing: If editing is deemed necessary, implement strict validations and restrictions on what can be edited to prevent the insertion of potentially dangerous directives.
  • Implement additional security checks to verify the integrity and intentions of modifications being made to .htaccess through the plugin.
  • Limiting direct editing access to .htaccess files and ensuring robust validation can greatly enhance the security posture of our application.
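One way to implement the "strict validations" suggested above, as an added example that is not FlatPress or PrettyURLs code: instead of a denylist of dangerous keywords, allow only the directives a URL-rewriting plugin actually needs (mod_rewrite directives, the `<IfModule>` wrapper and comments) and reject everything else before the file is written. The function names, the allow-list and the two sample submissions are assumptions made for this illustration. The example also covers a case a simple `AddType` keyword filter would miss: mod_rewrite's own `[T=...]`/`[H=...]` flags can set a file's MIME type or handler from an otherwise allow-listed `RewriteRule`.

```php
<?php
// Added example (not FlatPress/PrettyURLs code): allow-list validation of
// .htaccess text submitted through a web form, to run before the file is
// written. Only mod_rewrite directives, <IfModule> tags and comments pass;
// everything else, including the AddType line from the report, is rejected.
// Function names, the allow-list and the sample inputs are assumptions.

const HTACCESS_ALLOWED_DIRECTIVES = [
    'rewriteengine', 'rewritebase', 'rewritecond', 'rewriterule', 'rewriteoptions',
    'ifmodule', '/ifmodule',
];

// Lines as Apache reads them: CRs dropped, trailing-backslash continuations
// joined, so a directive split over two physical lines cannot bypass the check.
function htaccess_logical_lines(string $content): array
{
    $content = str_replace("\r", '', $content);
    $content = str_replace("\\\n", ' ', $content);
    return explode("\n", $content);
}

// Lowercased directive keyword of one line; null for blank lines and comments.
// Section tags give "ifmodule" / "/ifmodule"; unparsable lines give "<malformed>"
// so they are rejected rather than silently accepted.
function htaccess_directive(string $line): ?string
{
    $line = trim($line);
    if ($line === '' || $line[0] === '#') {
        return null;
    }
    if ($line[0] === '<') {
        return preg_match('/^<\s*(\/?)\s*([A-Za-z]+)/', $line, $m)
            ? strtolower($m[1] . $m[2]) : '<malformed>';
    }
    return preg_match('/^([A-Za-z_]+)/', $line, $m) ? strtolower($m[1]) : '<malformed>';
}

// mod_rewrite can itself change a file's type or handler ([T=...], [H=...])
// and proxy requests ([P]), so an allow-listed RewriteRule still needs its
// trailing [flags] inspected. Returns the offending flag, or null if clean.
function htaccess_rewrite_flag_violation(string $line): ?string
{
    if (!preg_match('/\[([^\]]*)\]\s*$/', trim($line), $m)) {
        return null;
    }
    foreach (explode(',', $m[1]) as $flag) {
        $flag = strtolower(trim($flag));
        $name = explode('=', $flag, 2)[0];
        if (in_array($name, ['t', 'type', 'h', 'handler', 'p', 'proxy'], true)) {
            return $flag;
        }
    }
    return null;
}

// [] when the content is acceptable, otherwise one entry per rejected line.
function htaccess_rejected_lines(string $content): array
{
    $rejected = [];
    foreach (htaccess_logical_lines($content) as $i => $line) {
        $directive = htaccess_directive($line);
        if ($directive === null) {
            continue;
        }
        $reason = null;
        if (!in_array($directive, HTACCESS_ALLOWED_DIRECTIVES, true)) {
            $reason = "directive not allowed: $directive";
        } elseif ($directive === 'rewriterule'
                  && ($flag = htaccess_rewrite_flag_violation($line)) !== null) {
            $reason = "RewriteRule flag not allowed: $flag";
        }
        if ($reason !== null) {
            $rejected[] = ['line' => $i + 1, 'reason' => $reason, 'text' => trim($line)];
        }
    }
    return $rejected;
}

// Constructed sample: the kind of rules a pretty-URL plugin legitimately writes.
$good = "<IfModule mod_rewrite.c>\n"
      . "RewriteEngine On\n"
      . "RewriteBase /\n"
      . "RewriteCond %{REQUEST_FILENAME} !-f\n"
      . 'RewriteRule ^(.*)$ index.php?u=$1 [L,QSA]' . "\n"
      . "</IfModule>\n";

// Constructed sample: the line from the report (mixed case) plus two variants
// a keyword denylist tends to miss: the mod_rewrite T= flag and a PHP ini override.
$bad = "RewriteEngine On\n"
     . "addtype application/x-httpd-php .abc\n"
     . 'RewriteRule \.abc$ - [T=application/x-httpd-php]' . "\n"
     . "php_flag engine on\n";

foreach (['legitimate rules' => $good, 'attacker submission' => $bad] as $label => $content) {
    $rejected = htaccess_rejected_lines($content);
    echo $label, ': ', $rejected === [] ? "accepted\n" : "rejected\n";
    foreach ($rejected as $r) {
        printf("  line %d (%s): %s\n", $r['line'], $r['reason'], $r['text']);
    }
}
```

Run with `php validate.php`; the first sample is accepted, the second is rejected on lines 2, 3 and 4. The check belongs in the plugin's admin handler immediately before the write, and it is a defence in depth, not a substitute for server-side limits: on Apache, `AddType`/`AddHandler`/`SetHandler` only take effect in `.htaccess` when `AllowOverride` includes `FileInfo`, and `php_flag`/`php_value` only with `AllowOverride Options` (or `All`), so a web server admin can make the whole class of trick inert regardless of what the editor accepts.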

@Fraenkiman
Collaborator

Fraenkiman commented Apr 23, 2024

Hello everyone,

In principle, I think a check for integrity/strict validations and an additional security query is not wrong. ...but

From further views:

  • The FlatPress admin can also change the .htaccess file via SSH/FTP access and thus import potentially dangerous instructions.

  • With the Inline PHP plugin, which is not part of the standard distribution, we also offer a tool that allows the admin to execute any PHP code from a FlatPress page/post.

  • Some FlatPress admins have other web applications running on the same server, which require further changes to the .htaccess file. This makes integrity checks and strict validations even more complex.

  • Apache web servers are no longer as widespread as they were 10 years ago. To my knowledge, it is currently below 50% worldwide.

Wouldn't we rather leave the validation and integrity check of the .htaccess file to the web server admin? This is more likely to determine which actions are permitted with the .htaccess file and which are not.

In my view, it would be sufficient if an additional security prompt appeared after a change before the file was overwritten.

As a quick, flexible solution: You could use the active FlatPress Protect plugin to hide the edit field. If the FlatPress Protect plugin is deactivated, the editing field is displayed. (Expert mode ON/OFF 😁 )
https://github.com/Fraenkiman/flatpress/archive/refs/heads/issue379-FlatPress-Protect-plugin-hides-the-.htaccess-edit-field.zip
#382

What do you think?

With best regards
Frank

@azett
Member Author

azett commented Apr 27, 2024

Thanks for your detailed input, @JuyLang !
I like @Fraenkiman 's idea of letting the FlatPress Protect plugin deactivate the htaccess editing possibilities of the PrettyURLs plugin. This way, the problem would be fixed, but still letting the site admin decide.

@Fraenkiman , it would be good to have the FlatPress Protect plugin activated by default - is there any reason not to?

@Fraenkiman
Collaborator

Fraenkiman commented Apr 27, 2024

@azett
I have added a supplement to the master branch with ba06aa3, which:

  1. activates the FlatPress Protect plugin by default.
  2. shows the user the appropriate message in the PrettyURLs admin menu, depending on the status.

That would close this issue.

What do you think?

@azett
Member Author

azett commented May 2, 2024

Seems a fitting solution to me, thanks a lot!

@azett azett closed this as completed May 2, 2024
@azett azett modified the milestones: FlatPress 1.3.1, FlatPress 1.4 May 2, 2024