Please all disable the UpLoad plugin or apply the attached patch for an
important security fix.
Somebody is actually breaking into some wiki servers by uploading files
like "deface.php.3", which Apache interestingly treats as PHP.
- if (preg_match("/(\." . join("|\.", $this->disallowed_extensions) .
")\$/",
+ if (preg_match("/(\." . join("|\.", $this->disallowed_extensions) .
")(\.|\$)/",
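Review bot: the rewritten pattern is still case-sensitive (there is no `i` modifier on `")(\.|\$)/"`), so an upload named deface.PHP.3 or deface.Php is not caught even though Apache compares extensions case-insensitively and will still hand the file to the PHP handler; end the pattern with `")(\.|\$)/i"` instead. The `(\.|\$)` alternation does the rest of the job: the match is no longer tied to the end of the name, so a disallowed extension followed by another dot (deface.php.3, notes.php.txt) is now rejected. Also note that the entries of `$this->disallowed_extensions` are joined in unescaped, as regex fragments (the error message shows `ad[ep]`, `sh[bsm]?`), so anyone extending that list has to keep the entries regex-safe.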
With this fix it goes:
"ERROR uploading 'passdecrypt.php.3':
Files with extension ad[ep], asd, ba[st], chm, cmd, com, cgi, cpl, crt,
dll, eml, exe, hlp, hta, in[fs], isp, jse?, lnk, md[betw], ms[cipt],
nws, ocx, ops, pcd, p[ir]f, php, pl, py, reg, sc[frt], sh[bsm]?, swf,
url, vb[esx]?, vxd, ws[cfh] are not allowed."
See https://sourceforge.net/forum/message.php?msg_id=4249177 and thanks
to hhallikainen for reporting this after going through the pain of
having a hacker abuse this.
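As an added illustration (not code from the post above or from PhpWiki), the following Python models the extension check before and after the patch, a hardened case-insensitive variant, and Apache mod_mime's multiple-extension rule that makes "deface.php.3" run as PHP. The extension list is the one quoted in the error message; the handler table, the hardened pattern and the sample filenames are constructed assumptions for the demonstration.

```python
import re

# Extension list copied from the UpLoad error message quoted in the post;
# each entry is a regex fragment, exactly as the plugin joins them.
DISALLOWED_EXTENSIONS = [
    "ad[ep]", "asd", "ba[st]", "chm", "cmd", "com", "cgi", "cpl", "crt",
    "dll", "eml", "exe", "hlp", "hta", "in[fs]", "isp", "jse?", "lnk",
    "md[betw]", "ms[cipt]", "nws", "ocx", "ops", "pcd", "p[ir]f", "php",
    "pl", "py", "reg", "sc[frt]", "sh[bsm]?", "swf", "url", "vb[esx]?",
    "vxd", "ws[cfh]",
]

# Same construction as the PHP code: "(\.ad[ep]|\.asd|...|\.ws[cfh])"
ALTERNATION = "(" + "|".join(r"\." + ext for ext in DISALLOWED_EXTENSIONS) + ")"

# Before the patch: a bad extension is only caught at the very end of the name.
OLD_CHECK = re.compile(ALTERNATION + r"$")
# After the patch: a bad extension followed by another dot is caught as well.
NEW_CHECK = re.compile(ALTERNATION + r"(\.|$)")
# Hardened variant (an assumption, not part of the patch): also case-insensitive,
# because Apache compares extensions case-insensitively.
HARDENED_CHECK = re.compile(ALTERNATION + r"(\.|$)", re.IGNORECASE)

# Constructed handler table standing in for an Apache config with AddHandler
# lines for PHP and CGI; the handler names are illustrative only.
APACHE_HANDLERS = {"php": "php-script", "cgi": "cgi-script"}


def apache_handler(filename):
    """Model of mod_mime's multiple-extension rule: every dot-separated part
    after the first is treated as an extension, extensions are compared
    case-insensitively, and for the handler the rightmost extension that maps
    to one wins. Parts Apache knows nothing about, such as ".3", are simply
    skipped, which is why deface.php.3 is still handed to the PHP handler."""
    handler = None
    for part in filename.split(".")[1:]:
        handler = APACHE_HANDLERS.get(part.lower(), handler)
    return handler


def classify(filename):
    """Which filters reject the name, and whether Apache would execute it."""
    return {
        "rejected_before_patch": bool(OLD_CHECK.search(filename)),
        "rejected_after_patch": bool(NEW_CHECK.search(filename)),
        "rejected_hardened": bool(HARDENED_CHECK.search(filename)),
        "apache_handler": apache_handler(filename),
    }


# Constructed sample uploads, including the reported deface.php.3.
SAMPLES = [
    "deface.php.3",    # the attack from the post: last extension is harmless
    "deface.php",      # plain case, caught by both versions
    "deface.PHP.3",    # case variant, still slips past the patched regex
    "notes.php.txt",   # looks like text, executed as PHP by mod_mime
    "notes.txt",       # genuinely harmless
    "script.cgi.bak",  # same trick with the CGI handler
]


def filter_gaps(checker_key):
    """Sample names the given checker lets through although Apache would
    run them through a script handler, i.e. the remaining attack surface."""
    return [
        name for name in SAMPLES
        if apache_handler(name) is not None and not classify(name)[checker_key]
    ]


if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name:16} {classify(name)}")
    print("executable but accepted before patch:", filter_gaps("rejected_before_patch"))
    print("executable but accepted after patch: ", filter_gaps("rejected_after_patch"))
    print("executable but accepted, hardened:   ", filter_gaps("rejected_hardened"))
```

Running it shows the patched regex closing the deface.php.3 and notes.php.txt holes while the case variant deface.PHP.3 remains accepted until the check is made case-insensitive; in a real deployment the extension blacklist should be backed by storing uploads outside any handler-enabled directory, which the regex alone cannot guarantee.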