ms-files and mod_rewrite
I think I found a bug/exploit in the ms-files
However, we could only change between it serving up mimetype = css?version=1.0.2 or a 404 when it looks for ‘style.css?’
Upon reviewing the ms-files I found that it calls:
$mime = wp_check_filetype( $_SERVER[ 'REQUEST_URI' ] );
$mimetype = 'image/' . substr( $_SERVER[ 'REQUEST_URI' ], strrpos( $_SERVER[ 'REQUEST_URI' ], '.' ) + 1 );
‘REQUEST_URI’ is the request with query strings, before mod_rewrite renders it. This means that not only does mod_rewrite not impact what ms-files serves up, but it also appends query strings to file types, which flow through to mimetype. I believe the preferred data should come from the REDIRECT_URL or another server var to at least avoid the query string. Or to check the REQUEST_URI for ‘?’ and chop the query string off.
if(isset($_SERVER[ 'REDIRECT_URL' ]) && !empty($_SERVER[ 'REDIRECT_URL' ]))
    $filerequested = $_SERVER[ 'REDIRECT_URL' ];
else
    $filerequested = $_SERVER[ 'REQUEST_URI' ];
...
$mime = wp_check_filetype( $filerequested );
...
$mimetype = 'image/' . substr( $filerequested, strrpos( $filerequested, '.' ) + 1 );
That way users can mod_rewrite what goes into ms-files, and it also helps security, as bots passing parameters such as ?command=touch+-235xxx+hackedfile would be dropped, preventing exploits.
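The second option mentioned in the post (dropping the query string from REQUEST_URI before the extension is examined), shown as an added example that is not part of the original post or of WordPress. The function name, the extension allowlist and the sample URIs are assumptions constructed for illustration; the allowlist stands in for the `'image/' . extension` fallback so the response type never contains request-supplied text.

```php
<?php
// Added example: names below are hypothetical, not WordPress code.

// Allowlist of extension => Content-Type (constructed for illustration).
const EXAMPLE_MIME_MAP = [
    'css'  => 'text/css',
    'js'   => 'application/javascript',
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'gif'  => 'image/gif',
];

/**
 * Return the Content-Type for a raw request URI, or null when the path
 * has no extension or the extension is not in the allowlist.
 */
function example_mime_from_request_uri(string $requestUri): ?string
{
    // Keep only the path component: "?query" and "#fragment" are dropped,
    // so dots or extensions inside parameters cannot influence the result.
    $path = parse_url($requestUri, PHP_URL_PATH);
    if (!is_string($path) || $path === '') {
        return null;
    }

    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));

    // Only known extensions map to a type; nothing from the request is echoed.
    return EXAMPLE_MIME_MAP[$ext] ?? null;
}

// Constructed sample requests, including the two query strings from the post.
$samples = [
    '/files/2012/05/style.css?version=1.0.2',
    '/files/2012/05/photo.JPG',
    '/files/2012/05/photo.png?command=touch+-235xxx+hackedfile',
    '/files/2012/05/notes.txt?x=.png',
    '/files/2012/05/noextension',
];

foreach ($samples as $uri) {
    $type = example_mime_from_request_uri($uri);
    printf("%-60s => %s\n", $uri, $type ?? '(no type, respond 404)');
}
```

The `notes.txt?x=.png` case is the one to watch: a last-dot search over the full REQUEST_URI would pick up `png` from the parameter, while the path-only lookup sees `txt` and returns no type.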