#156 UpLoad security patch
Please all disable the UpLoad plugin or add the attached patch for an important security fix.
Somebody is actually breaking in some wiki servers with uploading files like "deface.php.3" which apache interestingly treats as php.
All versions of this plugin are affected.
- if (preg_match("/(." . join("|.", $this->disallowed_extensions) .
")\$/", - if (preg_match("/(." . join("|.", $this->disallowed_extensions) .
")(.|\$)/",
With this fix it goes:
"ERROR uploading 'passdecrypt.php.3':
Files with extension ad[ep], asd, ba[st], chm, cmd, com, cgi, cpl, crt,
dll, eml, exe, hlp, hta, in[fs], isp, jse?, lnk, md[betw], ms[cipt],
nws, ocx, ops, pcd, p[ir]f, php, pl, py, reg, sc[frt], sh[bsm]?, swf,
url, vb[esx]?, vxd, ws[cfh] are not allowed."
See https://sourceforge.net/forum/message.php?msg_id=4249177 and thanks to hhallikainen for reporting this after going through the pain for having a hacker abusing this.
