Ticket #282 (closed defect: fixed)
fileFieldElement stores uploaded files in wide-open directory
Reported by: work@… | Owned by: work@…
The fileFieldElement allows ajax-upload of a file, but stores the files it uploads in web-app/fileuploads, which is a directory that is accessible from the web (e.g. http://ci.gscf.nmcdsp.org/fileuploads/subject importer_jildaur.xls).
This is a potential security flaw!
In order of preference, the following solutions should be applied:
1. store file uploads in a folder that is not accessible through the web (e.g. /tmp or a temp folder if you're running windoze)
2. if impossible (which I doubt) make sure that the folder is not accessible through the web (e.g. via url mappings or .htaccess)
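The preferred fix (solution 1) in working form, as an added example that is not GSCF's code and is written in Python rather than Grails: the upload directory is refused if it resolves under the web-served root, the client-supplied filename is reduced to a sanitized suffix so it cannot escape the directory, and the file is created exclusively with owner-only permissions. `WEB_ROOT` pointing at `web-app` is an assumption for the demonstration.

```python
import os
import secrets
import tempfile

# Assumed document root of the web application (GSCF serves web-app/ directly).
WEB_ROOT = os.path.realpath("web-app")


def is_web_accessible(path, web_root=WEB_ROOT):
    """True if `path` resolves to a location under the web-served root."""
    real = os.path.realpath(path)
    root = os.path.realpath(web_root)
    try:
        return os.path.commonpath([real, root]) == root
    except ValueError:  # different drives on Windows: cannot be under the root
        return False


def safe_upload_dir():
    """A fresh directory under the system temp folder (solution 1 in the ticket)."""
    return tempfile.mkdtemp(prefix="uploads-")


def store_upload(original_name, data, upload_dir):
    """Write `data` into `upload_dir` and return the stored path.

    The directory must lie outside the web root. Only the basename of the
    client-supplied name survives, restricted to [A-Za-z0-9._-], and it is
    prefixed with a random token so the URL of the stored file is not guessable.
    """
    if is_web_accessible(upload_dir):
        raise ValueError("upload directory is web-accessible: %s" % upload_dir)
    base = os.path.basename(original_name.replace("\\", "/"))
    safe = "".join(c if c.isalnum() or c in "._-" else "_" for c in base) or "upload"
    stored = os.path.join(upload_dir, secrets.token_hex(8) + "_" + safe)
    # O_EXCL: never overwrite an existing file; 0o600: readable by the app user only.
    fd = os.open(stored, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return stored


def read_upload(stored_path):
    """Read a stored upload back (for the application, never for direct web serving)."""
    with open(stored_path, "rb") as f:
        return f.read()


if __name__ == "__main__":
    # Constructed sample: the filename from the ticket with a traversal prefix added.
    target = store_upload("../subject importer_jildaur.xls", b"constructed", safe_upload_dir())
    print(target, is_web_accessible(target))
```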