Advanced search  

News:

cpg1.5.48 Security release - upgrade mandatory!
The Coppermine development team is releasing a security update for Coppermine in order to counter a recently discovered vulnerability. It is important that all users who run version cpg1.5.46 or older update to this latest version as soon as possible.
[more]

Pages: 1 [2]   Go Down

Author Topic: Coppermine-driven galleries hit by RAR exploit  (Read 66540 times)

0 Members and 1 Guest are viewing this topic.

AndrewRH

  • Coppermine novice
  • *
  • Offline Offline
  • Posts: 23
    • The Reeves-Hall Family
Re: Coppermine-driven galleries hit by RAR exploit
« Reply #20 on: December 01, 2006, 11:47:21 am »

I followed the suggestion to contact my ISP regarding this vulnerability.   After convincing them it was not a purely Coppermine issue (prior to 1.4.6), this is what they had to say:

>You're correct in stating that files with the .php.rar extension are
>parsed as PHP files, and that your sites visitors can upload such files
>to your webspace through a script, and have these files executed as PHP.
>
>This is not a vulnerability on our part. If you allow users to upload
>files via a script, they can also upload regular .php files as well and
>have them executed. Furthermore, you can control the MIME types of your
>files via a .htaccess file to prevent this..
Logged
~Andrew~

Joachim Müller

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 47844
  • aka "GauGau"
    • gaugau.de
Re: Coppermine-driven galleries hit by RAR exploit
« Reply #21 on: December 02, 2006, 08:07:41 am »

This has long been fixed, do as we suggest and upgrade. It doesn't make sense to argue about outdated versions. Locking.
Logged
Pages: 1 [2]   Go Up
 

Page created in 0.014 seconds with 20 queries.