Coppermine-driven galleries hit by RAR exploit

Started by Joachim Müller, May 15, 2006, 10:21:10 AM



AndrewRH

I followed the suggestion to contact my ISP regarding this vulnerability. After convincing them it was not a purely Coppermine issue (prior to 1.4.6), this is what they had to say:

>You're correct in stating that files with the .php.rar extension are
>parsed as PHP files, and that your site's visitors can upload such files
>to your webspace through a script, and have these files executed as PHP.
>
>This is not a vulnerability on our part. If you allow users to upload
>files via a script, they can also upload regular .php files as well and
>have them executed. Furthermore, you can control the MIME types of your
>files via a .htaccess file to prevent this.
~Andrew~
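One way to apply the .htaccess suggestion the ISP makes above, as an added example that is not from this thread or from the Coppermine project: the server-wide handler line that produces the `.php.rar` behaviour described, followed by a hardened `.htaccess` for the upload directory. The directory name, mod_php, Apache 2.2 access syntax and an `AllowOverride` that permits these directives are all assumptions.

```apache
# Added example, not from the thread or the Coppermine project. Assumes mod_php,
# Apache 2.2 syntax, AllowOverride permitting these directives, and an upload
# directory named "albums/userpics/" (constructed name).

# --- The server-wide setting behind the behaviour the ISP describes ---
# mod_mime treats every dotted segment of a filename as an extension. With this
# line in httpd.conf, "photo.php.rar" is still handed to PHP: ".php" matches the
# handler, and ".rar" maps to no handler of its own, so nothing overrides it.
AddHandler application/x-httpd-php .php

# --- Hardened .htaccess for albums/userpics/ (the upload directory) ---
# Goal: nothing stored here runs as code, whatever its name.

# 1. Switch the PHP engine off for this directory tree (mod_php only).
php_flag engine off

# 2. Drop the PHP handler and type inherited from the server config, so
#    neither "x.php" nor "x.php.rar" reaches the interpreter. Add any other
#    extensions your server maps to PHP (check httpd.conf / php.conf).
RemoveHandler .php .phtml
RemoveType .php .phtml

# 3. Serve every file statically with Apache's core handler. This overrides
#    any remaining per-extension handler; images keep their normal MIME type,
#    so the gallery still displays them.
SetHandler default-handler

# 4. Belt and braces: refuse to serve anything with a PHP extension anywhere
#    in the name. No trailing "$" in the pattern, on purpose, so "x.php.rar"
#    is caught as well as "x.php". (Apache 2.4: replace the two access lines
#    with "Require all denied".)
<FilesMatch "\.(php|phtml)">
    Order allow,deny
    Deny from all
</FilesMatch>
```

After deploying, confirm the result by fetching a harmless constructed file such as `test.php.rar` containing only text from the upload directory: it should come back as a plain download or a 403, never as interpreter output.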

Joachim Müller

This has long been fixed; do as we suggest and upgrade. It doesn't make sense to argue about outdated versions. Locking.