Author Topic: Image replacing delete public_html  (Read 627 times)

nick_iFactory

« on: April 10, 2014, 02:29:06 am »
We've been investigating a weird bug we had when developing one of our sites recently. We're not 100% sure on the cause of this but I'll post what we've seen so far.


The bug happens when uploading/replacing images in the backend of virtuemart and can cause the front end (except home page) to go down with a 403 forbidden error. I believe the error symptoms are more related to our server setup but the cause may still be a bug and may cause different problems on different servers.

The two ways we've been able to reproduce it so far:

Both of these we have been attempting on manufacturer:
administrator/index.php?option=com_virtuemart&view=manufacturer&task=edit&virtuemart_manufacturer_id[]=11

First way
Have one image already successfully uploaded and go to edit images tab
Delete this image using the red x in the top "images" section (do not save)
In the "Upload File" section choose a file and select "Replace" or "Replace Thumb"
Now click save

You should get an error saying something like "Failed Deleting public_html".
When it attempted to delete public_html our server seemed to do some weirdness which I think is fairly unrelated to virtuemart but caused front end to go down with a 403 forbidden error. From what I can see it somehow sets the folder to permissions 777 which then causes weird issues with scripts and php files, but I believe that is much more to do with our server setup.

Second Way
Follows the same process as the first way but instead of deleting the image you need to find an image that has no thumbnail url.
Trying to replace an image with no thumbnail url seems to cause the same error.

I'm a bit less certain about this one as I have trouble finding the cause of an image being uploaded and not automatically creating a thumb, but diving into our DB I was able to find some categories/manufacturers that had no thumbnail urls. Most of these were ones we have been repeatedly uploading when attempting to hunt down this bug.


From my guessing I'd say this is virtuemart running a delete on a file url by combining the root url (public_html) with the image url. If the image url is blank, however, it just tries to delete public_html, which is something that I don't think should happen.

The first way is more of an exploit through improper use, the second way I am a bit more worried about as it is more likely to occur through client use if you have images with no thumbnails for whatever reason.

We are currently trying to find where this is happening and if there is some check for blank urls that is not happening or not working properly.


More Info
Virtuemart: 2.0.26d
Joomla: 2.5.17
Server: apache
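
The check the post goes looking for, as an added example that is not part of the original post and not VirtueMart's own code: a delete helper that refuses a blank URL and anything that does not resolve to a regular file strictly below the web root. The function name `safeDeleteMedia()`, the directory layout and the sample files are assumptions constructed for the demonstration.

```php
<?php
// Added illustration; safeDeleteMedia() is a hypothetical helper, not a VirtueMart API.

/**
 * Delete $relativeUrl only if it resolves to a regular file strictly inside $root.
 * Returns true on deletion, false when the request is refused or unlink() fails.
 */
function safeDeleteMedia(string $root, ?string $relativeUrl): bool
{
    $relativeUrl = trim((string) $relativeUrl);
    // A blank URL (for example a media row with no thumbnail URL) would
    // otherwise collapse the joined path to the root directory itself.
    if ($relativeUrl === '') {
        return false;
    }
    $rootReal = realpath($root);
    if ($rootReal === false) {
        return false;
    }
    // realpath() resolves ".." and symlinks and returns false for missing paths.
    $target = realpath($rootReal . DIRECTORY_SEPARATOR . ltrim($relativeUrl, '/\\'));
    if ($target === false || !is_file($target)) {
        return false; // missing, or a directory such as the root
    }
    // The resolved file must sit below the root, never equal to it or outside it.
    $prefix = rtrim($rootReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    return unlink($target);
}

// Constructed sample data: a temporary directory standing in for public_html.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'docroot_' . uniqid();
mkdir($root . '/images/manufacturer', 0755, true);
file_put_contents($root . '/images/manufacturer/logo.jpg', 'x');
$outside = tempnam(sys_get_temp_dir(), 'out'); // a file outside the root

$cases = [
    'blank url'         => '',
    'null url'          => null,
    'directory'         => 'images/manufacturer',
    'escapes the root'  => '../' . basename($outside),
    'file under root'   => 'images/manufacturer/logo.jpg',
];
foreach ($cases as $label => $url) {
    printf("%-17s deleted=%s\n", $label, var_export(safeDeleteMedia($root, $url), true));
}
printf("root still exists: %s\n", var_export(is_dir($root), true));
unlink($outside);
```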