
Author Topic: Preventing File Types  (Read 21375 times)


Nibbler

  • Guest
Re: Preventing File Types
« Reply #20 on: March 22, 2006, 10:05:20 pm »

Read the link I gave you earlier. That contains code to stop .rar files being treated as php scripts by apache.

keith10456

  • Coppermine novice
  • Posts: 35
    • http://www.morrisania.com
Re: Preventing File Types
« Reply #21 on: March 22, 2006, 11:02:40 pm »

Got... Sent it to my host.

Many thanks!

Joachim Müller

  • Dev Team member
  • Coppermine addict
  • Gender: Male
  • Posts: 47843
  • aka "GauGau"
    • gaugau.de
Re: Preventing File Types
« Reply #22 on: March 23, 2006, 09:29:42 am »

Ask your webhost to fix his server - the attacker used a vulnerability that exists on Apache webserver setups that aren't hardened against such attacks. Regular servers aren't meant to parse files with the extension ".rar" with the PHP processor. Your server is configured improperly - it doesn't treat ".rar" files as document files, but parses PHP included in them.

By not allowing the upload of .rar files using Coppermine, you just keep future attackers from exploiting the server setup glitch. However, you haven't cured the webserver itself. The attacker might have used the security flaw to create backdoors on your server that allow him to enter later (even after having fixed everything), so it's mandatory to scan the server for those backdoors as suggested. It's mandatory as well that your webhost fixes the server setup vulnerability.

Contact them asap, asking them to do as advised here. You're welcome to make your webhost visit this thread and the other one Nibbler referred to - they should know what to do then. I'm convinced they will, as the said vulnerability will not only have an impact on your domain, but on the accounts of other website owners who are hosted on the same server.
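The server-side fix that Nibbler and Joachim are pointing the webhost at, as an added example that is not code from this thread, from Nibbler's linked post, or from Coppermine itself: an Apache configuration showing a weak handler mapping that can hand a ".rar" upload to the PHP interpreter, beside a hardened form, plus a per-directory block that switches script execution off entirely under the gallery's upload tree. The thread does not say which directive keith10456's host actually had; the AddHandler / multiple-extension case below is an assumption about one common cause, and the directory path /var/www/coppermine/albums is hypothetical.

```apache
# --- WEAK (assumption: a common way a .rar ends up parsed as PHP) ---
# With AddHandler (or AddType), mod_mime matches *every* extension in
# the file name, so "shell.php.rar" still matches ".php" and is handed
# to the PHP module even though the last extension is ".rar".
AddHandler application/x-httpd-php .php

# --- HARDENED: bind PHP to the final extension only ---
# RemoveHandler undoes the mapping above; the anchored regex then
# re-binds PHP strictly to names that *end* in ".php".
RemoveHandler .php
<FilesMatch "\.php$">
    SetHandler application/x-httpd-php
</FilesMatch>

# --- HARDENED: no script execution at all in the upload directory ---
# Path is hypothetical; use the real Coppermine albums directory.
<Directory "/var/www/coppermine/albums">
    # mod_php only: turn the PHP engine off for everything in this tree
    # (has no effect with PHP-FPM / mod_fcgid; rely on the rest then).
    php_admin_flag engine off

    # Serve every file here as plain static content, whatever its name.
    SetHandler default-handler

    # Do not even serve files that look like scripts (Apache 2.4 syntax;
    # on 2.2 use "Order deny,allow" / "Deny from all" instead).
    <FilesMatch "\.(php|phtml|php[0-9]|phar|cgi|pl)$">
        Require all denied
    </FilesMatch>

    # No CGI, no server-side includes from uploaded content.
    Options -ExecCGI -Includes
</Directory>
```

The <Directory> block belongs in the main server configuration, which is why the host has to apply it; on shared hosting a site owner can only place a .htaccess in the albums directory, and there `php_admin_flag` is not permitted (use `php_flag engine off`) and `SetHandler` needs `AllowOverride FileInfo`. To confirm the fix, upload a harmless file named like `test.php.rar` containing the literal text `<?php echo 'parsed'; ?>` and fetch it over HTTP: a hardened server returns that text unchanged, while a vulnerable one returns "parsed". As Joachim notes, this closes the execution path but does not remove any backdoor already dropped, so the malware scan still has to happen.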