Posted on Monday 3 July 2017 by Laposa Ltd

One great security feature Onxshop has is the way how user uploaded files are saved. Onxshop is saving all files outside of web folder, which means that it is not possible to execute any files uploaded by users. 

Here is an example how effective the Onxshop way is agains this type of security hole.

On our demo site, which is open to public CMS users, somebody tried to upload this .htaccess file, which allows to interpret PNGs as PHP script files. 

var/files/.htaccess
AddType application/x-httpd-php .png

The attacker then uploaded a script similar to this:

var/files/png.png
<?php # Web Shell by oRb
$auth_pass = "63a9f0ea7bb98050796b649e85481845";
$color = "#df5";
$default_action = 'FilesMan';
$default_use_ajax = true;
$default_charset = 'Windows-1251';
preg_replace("/.*/e","********");

Of course, it was rendered as completely useless and the attacker didn't gain any access to the website.

For example in Wordpress, backdoors can be hidden in scripts similar to this: /wp-content/upgrade/wp-mails.php

It looks like a genuine Wordpress script, but it's actually a file uploaded under a CMS user. This type of files are then used for sending spams, or executing DDoS attack.

Laposa Ltd
58 Howard Street
Belfast BT1 6PJ

info@laposa.co.uk
+44 (28) 9032 8988
+353 (48) 9032 8988