Hi,
I have cpg1.4.4 and someone could upload a script file with the extension name php.rar. Using this file he could get all necessary information from my server, including the /etc/passwd file. How can we prevent users from uploading such a file with the extension (RAR), and why is disabling users from uploading files not active?
This is the script file that was uploaded to my server:
http://rst.void.ru/download/r57shell.txt
If you don't need .rar files uploaded then disallow them in config or with the filetypes plugin. If you do need to allow them then you need to ensure your server is setup to handle them.
http://forum.coppermine-gallery.net/index.php?topic=28079.msg129981#msg129981
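The reason a name like shell.php.rar is dangerous on many Apache + mod_php installs is that, when PHP is wired up with AddHandler, mod_mime looks at every extension in the file name, not only the last one, so the file is run as PHP although it "ends in .rar". The following is an added example (not part of this thread and not Coppermine's own code) of an upload check that rejects any executable extension anywhere in the name, enforces an allow-list on the final extension, and confirms that a file claiming to be an archive or image actually starts with that format's signature. The extension sets and sample inputs are constructed for the example; adjust them to what your gallery really needs.

```python
import os
import re

# Extensions that a typical Apache + mod_php host may execute as code even when
# they are not the last extension in the name (constructed list; extend it to
# match the handlers configured on your server).
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "phar", "cgi", "pl", "sh"}

# Extensions the gallery is meant to accept (constructed allow-list).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "zip", "rar"}

# Leading bytes of the formats we accept, so a PHP script renamed to .rar is
# rejected on content and not only on its name.
MAGIC = {
    "rar": (b"Rar!\x1a\x07",),
    "zip": (b"PK\x03\x04",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def check_upload(filename, head):
    """Return (accepted, reason). `head` is the first bytes of the uploaded content."""
    # Drop any directory part the client sent ("../etc/passwd" -> "passwd").
    base = os.path.basename(filename.replace("\\", "/"))
    if not base or base.startswith("."):
        return False, "empty or hidden filename"
    parts = base.lower().split(".")
    if len(parts) < 2:
        return False, "no extension"
    exts = parts[1:]
    # Reject if ANY extension segment is executable: shell.php.rar, a.php.jpg, ...
    for ext in exts:
        if ext in EXECUTABLE_EXTENSIONS:
            return False, f"executable extension '{ext}' in name"
    last = exts[-1]
    if last not in ALLOWED_EXTENSIONS:
        return False, f"extension '{last}' not allowed"
    sigs = MAGIC.get(last)
    if sigs and not any(head.startswith(s) for s in sigs):
        return False, f"content does not match a {last} file"
    return True, "ok"


def safe_storage_name(filename):
    """Name to store an accepted file under: one extension, conservative characters."""
    base = os.path.basename(filename.replace("\\", "/")).lower()
    parts = base.split(".")
    stem = re.sub(r"[^a-z0-9_-]", "_", ".".join(parts[:-1])) or "upload"
    return f"{stem}.{parts[-1]}"


if __name__ == "__main__":
    # Constructed sample uploads: (client file name, first bytes of content).
    samples = [
        ("r57shell.php.rar", b"<?php eval($_POST['c']); ?>"),
        ("archive.rar", b"<?php system($_GET['c']); ?>"),
        ("archive.rar", b"Rar!\x1a\x07\x00\x91\x73"),
        ("My Photo.v2.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
        ("../etc/passwd", b"root:x:0:0:"),
    ]
    for name, head in samples:
        ok, why = check_upload(name, head)
        stored = safe_storage_name(name) if ok else "-"
        print(f"{name!r:24} -> {'ACCEPT' if ok else 'REJECT'} ({why}) stored as {stored}")
```

Pair a check like this with server configuration that only ever hands files ending in .php to the PHP handler (for example a FilesMatch block on `\.php$` with SetHandler instead of a bare AddHandler), and keep uploads in a directory where script execution is disabled; the name check, the content check and the server configuration each catch cases the others miss.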
Quote from: Nibbler on March 12, 2006, 09:26:28 PM
If you don't need .rar files uploaded then disallow them in config or with the filetypes plugin. If you do need to allow them then you need to ensure your server is setup to handle them.
http://forum.coppermine-gallery.net/index.php?topic=28079.msg129981#msg129981
I got a notice today, 19-Nov-07 from my hosting company of the same "http://nst.void.ru/" happening to my site. I (hopefully) found all of their files, deleted them, posted the warning here, and will ask my host to re-open my subdirectory.
P.S. When visiting that website you can see the hack there, and others available.
You must keep your gallery up to date.
Locking.