Menu

#156 UpLoad security patch

closed
Reini Urban
None
9
2012-10-11
2007-04-08
Reini Urban
No

Please all disable the UpLoad plugin or add the attached patch for an important security fix.
Somebody is actually breaking in some wiki servers with uploading files like "deface.php.3" which apache interestingly treats as php.

All versions of this plugin are affected.

  • if (preg_match("/(." . join("|.", $this->disallowed_extensions) .
    ")\$/",
  • if (preg_match("/(." . join("|.", $this->disallowed_extensions) .
    ")(.|\$)/",

With this fix it goes:

"ERROR uploading 'passdecrypt.php.3':

Files with extension ad[ep], asd, ba[st], chm, cmd, com, cgi, cpl, crt,
dll, eml, exe, hlp, hta, in[fs], isp, jse?, lnk, md[betw], ms[cipt],
nws, ocx, ops, pcd, p[ir]f, php, pl, py, reg, sc[frt], sh[bsm]?, swf,
url, vb[esx]?, vxd, ws[cfh] are not allowed."

See https://sourceforge.net/forum/message.php?msg_id=4249177 and thanks to hhallikainen for reporting this after going through the pain for having a hacker abusing this.

Discussion

  • Reini Urban

    Reini Urban - 2007-04-08
     
    UpLoad.patch

  • Reini Urban

    Reini Urban - 2007-06-07

    Logged In: YES
    user_id=13755
    Originator: YES

    is in 1.3.13

     

Log in to post a comment.

Want the latest updates on software, tech news, and AI?
Get latest updates about software, tech news, and AI from SourceForge directly in your inbox once a month.