#156 UpLoad security patch

Status: closed
Owner: None
Priority: 9
Updated: 2012-10-11
Created: 2007-04-08
Creator: Reini Urban
Private: No

Please, everyone, disable the UpLoad plugin or add the attached patch for an important security fix.
Somebody is actually breaking into some wiki servers by uploading files like "deface.php.3", which Apache interestingly treats as PHP.

All versions of this plugin are affected.

  • if (preg_match("/(." . join("|.", $this->disallowed_extensions) .
    ")\$/",
  • if (preg_match("/(." . join("|.", $this->disallowed_extensions) .
    ")(.|\$)/",

With this fix it goes:

"ERROR uploading 'passdecrypt.php.3':

Files with extension ad[ep], asd, ba[st], chm, cmd, com, cgi, cpl, crt,
dll, eml, exe, hlp, hta, in[fs], isp, jse?, lnk, md[betw], ms[cipt],
nws, ocx, ops, pcd, p[ir]f, php, pl, py, reg, sc[frt], sh[bsm]?, swf,
url, vb[esx]?, vxd, ws[cfh] are not allowed."

See https://sourceforge.net/forum/message.php?msg_id=4249177 and thanks to hhallikainen for reporting this after going through the pain of having a hacker abuse this.
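The check before and after the patch, run over a few constructed filenames, as an added example that is not PhpWiki's own UpLoad.php code: it assumes the extension list quoted in the error message above, the hypothetical names `is_blocked_before`/`is_blocked_after`, writes the dots as `\.` so they match a literal dot, and adds the `i` modifier (a hardening beyond the ticket's patch, on the assumption that Apache matches extensions case-insensitively).

```php
<?php
// Added example, not PhpWiki's own code: the UpLoad extension check before
// and after the patch, applied to a few constructed filenames.
// Extension list as quoted in the ticket's error message (regex fragments).
$disallowed_extensions = array(
    'ad[ep]', 'asd', 'ba[st]', 'chm', 'cmd', 'com', 'cgi', 'cpl', 'crt',
    'dll', 'eml', 'exe', 'hlp', 'hta', 'in[fs]', 'isp', 'jse?', 'lnk',
    'md[betw]', 'ms[cipt]', 'nws', 'ocx', 'ops', 'pcd', 'p[ir]f', 'php',
    'pl', 'py', 'reg', 'sc[frt]', 'sh[bsm]?', 'swf', 'url', 'vb[esx]?',
    'vxd', 'ws[cfh]',
);

// Before the patch: a disallowed extension is only caught when it is the
// final one, so "deface.php.3" slips through although Apache's mod_mime
// looks at every extension of the name and still hands the file to PHP.
function is_blocked_before($name, $exts) {
    $re = '/(\.' . join('|\.', $exts) . ')$/';
    return preg_match($re, $name) === 1;
}

// After the patch: the extension is caught when it is followed by another
// dot or by end of string. The 'i' modifier is an addition to the ticket's
// patch (assumption: Apache matches extensions case-insensitively, so the
// upload check should too).
function is_blocked_after($name, $exts) {
    $re = '/(\.' . join('|\.', $exts) . ')(\.|$)/i';
    return preg_match($re, $name) === 1;
}

// Constructed sample names: harmless uploads, the name from the ticket, a
// mixed-case variant and a legitimate multi-extension archive.
$samples = array('notes.txt', 'deface.php', 'deface.php.3', 'Deface.PHP.3',
                 'archive.tar.gz', 'readme.txt.exe');
foreach ($samples as $name) {
    printf("%-16s before: %-7s after: %s\n", $name,
           is_blocked_before($name, $disallowed_extensions) ? 'blocked' : 'allowed',
           is_blocked_after($name, $disallowed_extensions) ? 'blocked' : 'allowed');
}
```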

Discussion

  • Reini Urban

    Reini Urban - 2007-04-08
  • Reini Urban

    Reini Urban - 2007-06-07

    is in 1.3.13
