Print

[Dead J. Dona]

ly.php.rar     

try to search by this file. Is this CG or PHP hole?? 

[Abbas Ali]

neither cpg nor php....its apahce (web server).

Search the board. This issue has been discussed many times.

[Dead J. Dona]

oops, i can't find anything here
i mean THIS filename never used in forum.
please give me a link or two....

[Joachim Müller]

http://forum.coppermine-gallery.net/index.php?action=search2;search=rar%20vulnerability

[Dead J. Dona]

thank you!!!

but there's some kind of problem.

when using /aaa.php.lalala filename it also run as php script. PHP Version 4.4.2
maybe theres some PHP or apache guru can help me???

[Tranz]

Something Nibbler suggested was to put the following in .htaccess:

Code: [Select]

AddHandler application/x-rar .rar
But I dunno about your particular case...

[Joachim Müller]

ask your webhost to fix their webserver setup, as suggested here: Coppermine-driven galleries hit by RAR exploit

[Abbas Ali]

when using /aaa.php.lalala filename it also run as php script. PHP Version 4.4.2

Then your web server is badly configured.

[Dead J. Dona]

Allowed document types
"ALL" will result in all allowable document file types to be uploaded. If you want to restrict the allowable file types to certain extensions only, enter a slash-separated list of extensions, e.g. txt/pdf.

Note that being able to browse a document file requires the cpg-user to have a compatible software installed and configured properly on their computer that is capable of displaying the type of document in question, e.g. if you allow the file type xls, users who wish to browse the file will need to have an application installed on their computer that can display MS-Excel sheets. Be extremely careful with document that are known to be vulnerable to virus contamination, embedded or as macros. This is especially true if you plan to allow users the capability of uploading documents without admin approval.

Warning: if your webserver is not hardened against an exploit of a vulnerability in the apache webserver setup, then it might be a security risk to allow the upload of rar-files. If you're not sure, do not allow this file type.

What should I put here to disable ALL documents upload? NONE, NIL, NOTHING, or just left blank?

[Dead J. Dona]

Then your web server is badly configured.

Can you tell me what must be changed?

[Nibbler]

Any of those will work, but blank is probably the best option.

[Joachim Müller]

did you read the thread I refered to earlier:

ask your webhost to fix their webserver setup, as suggested here: Coppermine-driven galleries hit by RAR exploit

You're just doing what you're not suppossed to: you're doctoring the symptoms (fiddling with Coppermine settings). Instead, do as suggested and cure the reason for all of your troubles: make your webhost fix their webserver setup asap. Coppermine is not the reason for the issues you have, it's silly webserver setup.