Thanks Wendall.
Steven and I tested it this morning and had the same results. Unless PHP
is set as an image type, it won't go.
However, I don't want to be too cocky. I received an email from someone
who claimed they had some sites hacked. If anyone is able to reproduce
this exploit, please email us.
Thanks,
Matt and Steven
On Thu, 2005-02-24 at 16:26 -0800, Wendall Cada wrote:
> Hey all. There was a security announcement on BUGTRAQ
> http://www.securityfocus.com/archive/1/391496/2005-02-21/2005-02-27/0
>
> I tested and it is invalid. It can be exploited if you change the
> settings to allow for uploading of php files, which the submitter failed
> to mention. He also failed to mention OS/Server/PHP version as well.
> Maybe this does work on Personal Web Server for Windows 95, dunno. This
> should at least be a good example of why phpWebSite will never be
> permitted to insert code for any reason or in any form through the
> interface.
>
> Not sure how you want to respond to this Matt, but since it's already
> all over the internet, I'll just post it here and leave it up to you.
>
> Wendall
>
>
--
Matthew McNaney
Electronic Student Services
Appalachian State University
http://phpwebsite.appstate.edu