Look: this is a webserver vulnerability issue that will affect all applications that have the capability to upload files to the server. It is not a Coppermine issue, so there can't be a true fix in Coppermine's core code or its config. Instead, the webserver needs fixing: your webhost is supposed to set up your webserver in a way that doesn't allow PHP files to pose as rar files - files having the rar extension are not supposed to be parsed by the PHP processor!
The form field "Allowed image types" does not affect the capability of users to upload rar files, so there's little use in changing it from "ALL" to anything else. The field "Allowed document types" is the place you're supposed to edit (as suggested in the docs): clear the field, or explicitly specify the extensions that are allowed (e.g. "doc"). Please understand that this is a workaround we have come up with to help users close a security hole that exists on their server (I repeat: not in Coppermine).
IMO your webhost is not very concerned about security issues if they send an email around that tells users to patch their apps against a vulnerability that shouldn't exist in the first place and that they have the duty to fix.
The reason for the release of cpg1.4.5 as a maintenance release that patches security issues is not the rar vulnerability, but the imei bug that allows a directory traversal attack.
Suggested solution: make sure that you have "Allowed document types" configured properly in Coppermine's config as a "first aid" measure. Then contact your webhost and demand that they patch their webserver properly.
Joachim
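The "first aid" measure above (an explicit allowlist in "Allowed document types", or an empty field meaning nothing is allowed) can be illustrated with a small upload check. This is an added example, not Coppermine's own code and not how Coppermine parses its config field; the field syntax, the separator handling, the list of server-side script extensions and the treatment of the literal value "ALL" are all assumptions made for illustration. Beyond the plain extension match, it also rejects multi-extension names such as `upload.php.rar`, since a server that hands such a file to the PHP processor is exactly the misconfiguration the post describes, and that rejection is a defensive addition, not something the post prescribes.

```python
import os
import re
from typing import Set, Tuple

# Hypothetical list of extensions the webserver might route to a script
# processor; the real set depends on the host's configuration.
SERVER_SIDE_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "phps", "cgi", "pl", "py"}


def parse_allowed_types(field: str) -> Set[str]:
    """Parse an allowlist like "doc/pdf" or "doc, pdf" into lower-case extensions.

    An empty field yields an empty set, i.e. no document uploads are permitted,
    which is the "clear the field" workaround from the post.
    (Assumed separators: slash, comma, whitespace.)
    """
    return {t.strip().lower().lstrip(".") for t in re.split(r"[/,\s]+", field) if t.strip()}


def upload_allowed(filename: str, allowed_field: str) -> Tuple[bool, str]:
    """Return (allowed, reason) for a candidate document upload.

    Rules, in order:
      1. the literal "ALL" is not accepted as a document allowlist (assumption);
      2. dotfiles and names without an extension are rejected;
      3. any script extension anywhere in the name is rejected, so that a
         name like upload.php.rar never reaches a server that might execute it;
      4. the final extension must appear in the explicit allowlist.
    """
    if allowed_field.strip().upper() == "ALL":
        return False, "'ALL' is not accepted for document types; list extensions explicitly"

    # Strip any directory component the client may have sent along.
    name = os.path.basename(filename.replace("\\", "/"))
    parts = name.lower().split(".")
    if parts[0] == "":
        return False, "dotfiles are not accepted"
    if len(parts) < 2 or parts[-1] == "":
        return False, "no extension"

    for ext in parts[1:]:
        if ext in SERVER_SIDE_EXTENSIONS:
            return False, f"server-side script extension '.{ext}' in name"

    allowed = parse_allowed_types(allowed_field)
    if parts[-1] not in allowed:
        return False, f"'.{parts[-1]}' is not in the allowed document types"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs: filename paired with the configured field value.
    samples = [
        ("report.doc", "doc"),
        ("archive.rar", "doc"),
        ("archive.rar", ""),
        ("upload.php.rar", "doc/rar"),
        ("anything.rar", "ALL"),
    ]
    for fname, field in samples:
        ok, why = upload_allowed(fname, field)
        print(f"{fname!r:20} field={field!r:10} -> {'allow' if ok else 'reject'} ({why})")
```

With the field cleared, every document upload is refused; with "doc" configured, only `.doc` names pass, and a `.rar` is refused regardless of whether the image-types field says "ALL", matching the distinction the post draws between the two fields.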