
Small security enhancement idea


Wolfie


I imagine that there wouldn't be any reason to NOT do this since I can't think of how it would break anything, so here's a small tweak that I think should be added to the core product.

For hook files, check to make sure that the hook filename doesn't have any /'s or \'s in it. Basically, eliminate the possibility of a file being outside of the hooks folder. With the recent exploit discovered, in another topic, someone mentioned finding files called on as hooks. I looked and saw it had happened to me too. There were two files being called on, with the filenames pointing to a different folder location to call the malicious file. For example, ../public/photo-128.jpg was the name of one of the files. If files with the slashes were to be ignored, such attempts would be pointless. It wouldn't stop a malicious file from being run in the hooks folder, but at least it would prevent attempts to mask where it's being stored at.


Archived

This topic is now archived and is closed to further replies.
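The check suggested in the post above, sketched as an added example that is not part of the original post or the product's code. The hooks directory path, the function names and the sample records (other than `../public/photo-128.jpg`, which the post quotes) are assumptions made for illustration; the realpath comparison goes one step beyond the post's slash check to also catch symlinks.

```python
import os

# Hypothetical hooks folder location (assumption, not the product's real path).
HOOKS_DIR = "/srv/app/hooks"

# Constructed sample of stored hook filenames; the first is the one quoted in the post.
SAMPLE_RECORDS = ["../public/photo-128.jpg", "myhook.php", "..\\uploads\\avatar.png"]


def is_safe_hook_filename(name: str) -> bool:
    """Accept only a bare filename: no separators, no NUL byte, not '.' or '..'."""
    if not name or name in (".", ".."):
        return False
    return not any(ch in name for ch in ("/", "\\", "\x00"))


def resolve_hook(name: str, hooks_dir: str = HOOKS_DIR) -> str:
    """Return the absolute path of a hook file, or raise ValueError."""
    if not is_safe_hook_filename(name):
        raise ValueError(f"rejected hook filename: {name!r}")
    base = os.path.realpath(hooks_dir)
    path = os.path.realpath(os.path.join(base, name))
    # Defence in depth: a symlink stored inside the hooks folder could still
    # point somewhere else, so the resolved file must sit directly in the folder.
    if os.path.dirname(path) != base:
        raise ValueError(f"hook resolves outside hooks folder: {name!r}")
    return path


def audit_hook_records(names):
    """Return stored hook filenames that fail the check, for manual review."""
    return [n for n in names if not is_safe_hook_filename(n)]


if __name__ == "__main__":
    for bad in audit_hook_records(SAMPLE_RECORDS):
        print("suspicious hook record:", repr(bad))
```

Running the audit over existing hook records is the detection half of the same idea: any entry it returns is worth investigating even after the loader starts rejecting such names.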
