Hi,
An admin user can upload a zipped file and extract it into the plugin path. However, this can be used to take over the server by uploading a PHP shell. I am just wondering if this is expected behavior?
Thanks!
Only admins can, and if an admin wants to burn the server ...
@akhilleusuggo There is a way that can force him to do that with CSRF.
Why would an admin do that? Would you do that to yourself?
@akhilleusuggo https://portswigger.net/web-security/csrf
It is always good to look into these things: if someone got admin access outside the normal way, you can prevent other code from being injected into your server.
In the configuration.php file, there is a variable called $global['disableAdvancedConfigurations'] = 0;
If you set it to 1, it will disable most of the dangerous features (even for admins). I must use this on the demo site.
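The thread raises two defensive points: a CSRF request can make a logged-in admin perform the zip upload without intending to, and `$global['disableAdvancedConfigurations'] = 1` is meant to switch such features off. The following is an added example, not code from the project or from any participant in this thread, showing how an "upload zip and extract into the plugin path" endpoint can honour the kill switch, reject requests that lack a per-session CSRF token, and inspect zip entries before extraction. Everything except the configuration variable name is assumed for the illustration: the function names (`handlePluginUpload`, `isAdmin`, `csrfToken`, `csrfTokenIsValid`, `zipIsSafeToExtract`), the form field names (`csrf_token`, `plugin`), and the session layout are hypothetical.

```php
<?php
// Added example (not the project's own code). Hardens a "upload a zip and extract it into
// the plugin path" endpoint along the lines discussed in the thread:
//   1. honour $global['disableAdvancedConfigurations'] (the only name taken from the thread),
//   2. require a per-session CSRF token so a cross-site request cannot ride an admin's cookie,
//   3. inspect the archive for path traversal and server-executable files before extracting.
// All other names (functions, form fields, session keys) are assumptions for this illustration.

declare(strict_types=1);

session_start();

// Constructed stand-in for configuration.php; the real file defines $global.
$global['disableAdvancedConfigurations'] = 0;

// Assumed helper: the application's own admin check belongs here.
function isAdmin(): bool
{
    return !empty($_SESSION['is_admin']);
}

// Issue one random token per session; embed it as a hidden field in the upload form.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison; a forged cross-site request has no way to read the token.
function csrfTokenIsValid(?string $submitted): bool
{
    return is_string($submitted)
        && !empty($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// Walk every entry before extracting: refuse traversal ("../", absolute paths) and any
// file the web server would execute or honour as configuration once it lands under the web root.
function zipIsSafeToExtract(string $zipPath, array &$reasons): bool
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        $reasons[] = 'not a valid zip archive';
        return false;
    }
    // Deny-list of extensions; an allow-list of expected plugin file types is stricter still.
    $blockedExt = ['php', 'phtml', 'php3', 'php4', 'php5', 'php7', 'phar', 'phps', 'htaccess'];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        if ($name === false) {
            continue;
        }
        if ($name[0] === '/' || str_contains($name, '../') || str_contains($name, '..\\')) {
            $reasons[] = "path traversal in entry: $name";
        }
        // pathinfo('.htaccess', PATHINFO_EXTENSION) is 'htaccess', so dotfiles are covered too.
        $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
        if (in_array($ext, $blockedExt, true)) {
            $reasons[] = "server-executable or config file in entry: $name";
        }
    }
    $zip->close();
    return $reasons === [];
}

// Returns [HTTP status, message]. Order matters: the kill switch and the CSRF check run
// before the uploaded file is touched at all.
function handlePluginUpload(array $global, array $post, array $files, string $pluginDir): array
{
    if (!empty($global['disableAdvancedConfigurations'])) {
        return [403, 'plugin upload disabled by disableAdvancedConfigurations'];
    }
    if (!isAdmin()) {
        return [403, 'admin only'];
    }
    if (!csrfTokenIsValid($post['csrf_token'] ?? null)) {
        return [403, 'missing or invalid CSRF token'];
    }
    if (empty($files['plugin']['tmp_name']) || !is_uploaded_file($files['plugin']['tmp_name'])) {
        return [400, 'no uploaded file'];
    }
    $reasons = [];
    if (!zipIsSafeToExtract($files['plugin']['tmp_name'], $reasons)) {
        return [400, 'rejected: ' . implode('; ', $reasons)];
    }
    $zip = new ZipArchive();
    $zip->open($files['plugin']['tmp_name']);
    $zip->extractTo($pluginDir);
    $zip->close();
    return [200, 'plugin extracted'];
}

if (PHP_SAPI !== 'cli') {
    [$status, $message] = handlePluginUpload($global, $_POST, $_FILES, __DIR__ . '/plugin');
    http_response_code($status);
    echo $message;
}
```

With the stand-in left at `0` the endpoint stays enabled but a request that lacks the session's `csrf_token` field is refused, which is what stops the CSRF scenario raised above; setting the variable to `1`, as the last reply recommends, makes the handler refuse every request regardless of who sends it. The entry inspection is a deny-list of extensions and should be treated as a second line of defence, not a replacement for the CSRF token or the kill switch.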