Topic: Coppermine-driven galleries hit by RAR exploit

AndrewRH (Coppermine novice, 23 posts)
Re: Coppermine-driven galleries hit by RAR exploit
« Reply #20 on: December 01, 2006, 11:47:21 am »

I followed the suggestion to contact my ISP regarding this vulnerability. After convincing them it was not a purely Coppermine issue (prior to 1.4.6), this is what they had to say:

>You're correct in stating that files with the .php.rar extension are
>parsed as PHP files, and that your site's visitors can upload such files
>to your webspace through a script, and have these files executed as PHP.
>
>This is not a vulnerability on our part. If you allow users to upload
>files via a script, they can also upload regular .php files as well and
>have them executed. Furthermore, you can control the MIME types of your
>files via a .htaccess file to prevent this.
~Andrew~
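The ISP's reply above is pointing at Apache's mod_mime multiple-extension behaviour and at .htaccess as the mitigation. As an added illustration, not taken from this thread or from the Coppermine project, here is the weak server-wide setting that makes a name like shell.php.rar execute as PHP, next to the two fixes a practitioner would apply: a tighter handler mapping in httpd.conf for the server admin, and a per-directory .htaccess for the gallery's upload folder for the site owner. The upload directory path, the extension list and the assumption that the host's AllowOverride permits these directives are mine.

```apache
# --- Weak (a common 2006-era shared-hosting default), in httpd.conf ---
# mod_mime treats every dot-separated part of a filename as an extension,
# so "shell.php.rar" matches ".php" here and is handed to PHP; the unknown
# ".rar" part is simply ignored.
AddType application/x-httpd-php .php

# --- Fix 1 (server admin), in httpd.conf ---
# Map the PHP handler only when ".php" is the LAST extension.
# "shell.php.rar" no longer matches and is served as a plain file.
<FilesMatch "\.php$">
    SetHandler application/x-httpd-php
</FilesMatch>

# --- Fix 2 (site owner), .htaccess in the gallery upload directory ---
# Assumed (hypothetical) path: albums/userpics/ ; assumes the host allows
# "AllowOverride All" for it. Nothing under this directory should ever be
# interpreted by PHP, whatever it is called, so three layers are used.

# mod_php only: switch the interpreter off for this directory tree.
# Has no effect when PHP runs as CGI/FastCGI, hence the directives below.
<IfModule mod_php5.c>
    php_flag engine off
</IfModule>

# Drop any PHP handler/type association inherited from the server config.
RemoveHandler .php .php3 .php4 .php5 .phtml
RemoveType    .php .php3 .php4 .php5 .phtml

# Refuse to serve anything with a PHP-like extension anywhere in its name,
# which also catches the "x.php.rar" form. Apache 2.2 access-control
# syntax, matching the thread's date; on Apache 2.4 replace the two
# Order/Deny lines with "Require all denied".
<FilesMatch "\.(php[0-9]?|phtml)(\.|$)">
    Order Deny,Allow
    Deny from all
</FilesMatch>
```

To check the result, place a harmless file named test.php.rar containing `<?php echo 'executed'; ?>` in the upload directory and request it over HTTP: the correct outcome is a 403 (or, with only Fix 1 applied, the raw source text), never the word "executed". The .htaccess variant only protects the directory it lives in, so the gallery's own PHP must not be stored under that path, and none of this replaces upgrading Coppermine to a version that rejects such uploads in the first place.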

Joachim Müller (Dev Team member, aka "GauGau", gaugau.de)
Re: Coppermine-driven galleries hit by RAR exploit
« Reply #21 on: December 02, 2006, 08:07:41 am »

This has long been fixed; do as we suggest and upgrade. It doesn't make sense to argue about outdated versions. Locking.