[Phpwiki-talk] Important UpLoad security fix! was [Fwd: [phpwiki - Open Discussion] RE: upload secu

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

Please all disable the UpLoad plugin or add the attached patch for an
important security fix.
Somebody is actually breaking in some wiki servers with uploading files
like "deface.php.3" which apache interestingly treats as php.

- if (preg_match("/(\." . join("|\.", $this->disallowed_extensions) .
")\$/",
+ if (preg_match("/(\." . join("|\.", $this->disallowed_extensions) .
")(\.|\$)/",

With this fix it goes:

"ERROR uploading 'passdecrypt.php.3':

Files with extension ad[ep], asd, ba[st], chm, cmd, com, cgi, cpl, crt,
dll, eml, exe, hlp, hta, in[fs], isp, jse?, lnk, md[betw], ms[cipt],
nws, ocx, ops, pcd, p[ir]f, php, pl, py, reg, sc[frt], sh[bsm]?, swf,
url, vb[esx]?, vxd, ws[cfh] are not allowed."

See https://sourceforge.net/forum/message.php?msg_id=4249177 and thanks 
to hhallikainen for reporting this after going through the pain for 
having a hacker abusing this.

[Phpwiki-talk] Important UpLoad security fix! was [Fwd: [phpwiki - Open Discussion] RE: upload secu

[Phpwiki-talk] Important UpLoad security fix! was [Fwd: [phpwiki - Open Discussion] RE: upload security risk]