Restrict upload file types

Hi All,

I was hoping someone could help me with an issue I'm having. I've recently installed the latest version of XWiki and am going through a hardening process. My current issue is that users can upload any filetype extension using the following:

upload

This is a massive security flaw as filetypes such as web shells and other custom code can be uploaded. I need some guidance on how to restrict this option and for it to take effect throughout the entire application, including the CKEditor.

I appreciate the help,

Kind regards,
Callum

Hi All,

So after much hair pulling, I finally found the answer and wanted to share with everyone in case anyone has this issue in the future. I spent ages trying to work out how to edit the upload function; this seemed to be the hardest part, as locating this file or extension or whatever it could have been was infuriating.

I decided to go back to basics instead of trawling the internet. So I inspected the source code of one of my pages which has the upload function at the bottom and noticed that the file was being controlled by the upload.js file. If you click on the location of this file, i.e. the src="<wiki_domain>/location/of/file/upload.js", you can then view the contents of this file. I then stumbled upon the following documentation:

http://www.xwiki.org/xwiki/bin/view/Documentation/DevGuide/FrontendResources/HTML5Upload/

This shows that there is a filter available, but it's defaulted to allowing all MIME types, and it even shows the regex style for formatting; their example is images. I then looked in the upload.js file in the browser and looked for the variable 'fileFilter', which amazingly was there and looks like this (just a small snippet of the file):

{options:{maxFilesize:a,fileFilter:/.*/i

I then needed to find this file so proceeded to hunt it down. Just so you know, I installed the wiki on an Ubuntu box, so the location of this file for me was:

/usr/lib/xwiki/resources/uicomponents/widgets/upload.js

I then proceeded to find that regex and after some playing around changed the code to look like the following:

{options:{maxFilesize:a,fileFilter:/image\/png|image\/jpeg|application\/powerpoint|application\/msword|application\/pdf/i

Then I restarted the tomcat8 server to make sure the changes had been implemented and, lo and behold, only the following files were permitted: PNG, JPEG, PowerPoint, Word, and PDF.

You can obviously change the files that you want and make the restrictions more open; for example, allowing all image types would look like the following:

/image\/.*/i

I know this is a massive post but wanted to make it clear to all how to fix this issue. There is a massive security risk to the application and the server if users can upload any file types; I would highly recommend locking this functionality down.

Hope it's helped.

Callum
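The MIME allow-list from the post above, as an added JavaScript example that is not part of the post or of XWiki's upload.js: it applies the posted regex to constructed sample uploads, shows that the unanchored pattern also matches substrings, and adds an assumed extension cross-check. The type being tested is whatever the browser reports for the file, so this is a client-side check only.

```javascript
// Added example, not code from upload.js or the forum post.
// The MIME allow-list placed into XWiki's fileFilter, exactly as posted:
const postedFilter = /image\/png|image\/jpeg|application\/powerpoint|application\/msword|application\/pdf/i;

// The same list anchored, so only a whole MIME type matches. The posted
// pattern is unanchored and also accepts e.g. "image/pngx" as a substring.
const anchoredFilter = /^(?:image\/png|image\/jpeg|application\/powerpoint|application\/msword|application\/pdf)$/i;

// Assumed mapping from allowed MIME type to the extensions expected for it,
// used to spot a file whose browser-reported type disagrees with its name.
const extensionsByType = {
  "image/png": ["png"],
  "image/jpeg": ["jpg", "jpeg"],
  "application/powerpoint": ["ppt"],
  "application/msword": ["doc"],
  "application/pdf": ["pdf"],
};

function extensionOf(name) {
  const i = name.lastIndexOf(".");
  return i < 0 ? "" : name.slice(i + 1).toLowerCase();
}

// `file` mimics the browser File object (name, type) that upload.js inspects.
// Returns "allowed" or a short reason for rejection.
function checkUpload(file, filter = anchoredFilter) {
  if (!filter.test(file.type)) return "type not in allow-list: " + file.type;
  const expected = extensionsByType[file.type.toLowerCase()] || [];
  if (!expected.includes(extensionOf(file.name))) return "extension does not match type";
  return "allowed";
}

// Constructed sample uploads (not real files).
const samples = [
  { name: "diagram.png", type: "image/png" },
  { name: "report.PDF", type: "application/pdf" },
  { name: "notes.txt", type: "text/plain" },
  { name: "odd.png", type: "image/pngx" },
  { name: "renamed.pdf", type: "image/png" },
];

for (const f of samples) {
  console.log(f.name, "posted:", postedFilter.test(f.type), "checked:", checkUpload(f));
}
```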

The source for this file is https://github.com/xwiki/xwiki-platform/blob/master/xwiki-platform-core/xwiki-platform-web/src/main/webapp/resources/uicomponents/widgets/upload.js#L395 (with the filter line highlighted).

You don’t need to restart Tomcat for JavaScript changes. You just need to force refresh the browser cache.

Can you give more details on this? The attachments are not executed on the server. They are just stored. If you’re worried about the users that download the attachments, then there are two related configuration properties available https://github.com/xwiki/xwiki-platform/blob/master/xwiki-platform-tools/xwiki-platform-tool-configuration-resources/src/main/resources/xwiki.properties.vm#L638 .

Hi,

Appreciate the information. I've made the appropriate changes already and the restrictions work great on the upload function at the bottom of the page, but they can still be bypassed by the CKEditor when "Sending to server", which is awful. I'm still concerned, as even hosting malicious files is a big no-no when it comes to good security practice. I've included an AV scanner on the host server but I can't find where the attachments get sent. If I could find out where they are, then I can work out how to change this and set them up in a sandbox and scan them with AV.

Kind regards,
Callum

See http://www.xwiki.org/xwiki/bin/view/Documentation/AdminGuide/Attachments#HAttachmentStorage .

I have read that but was concerned about the following statement:

“The Filesystem Attachment Store puts your attachments into a directory tree on the hard disk, the directory structure is designed to be intuitive to navigate but you should never add or remove anything. Each attachment is accompanied by a piece of meta-data in the database and modifying the content in the filesystem store manually will lead to meta-data with no content or content with no meta-data.”

So if I was to use an AV scanner and remove any malicious files that make it past the upload restrictions, then surely this would cause an issue with the meta-data in the database?