Php photo gallery TWG | JFUploader | TWG Flash upload | WFU | Forum
https://www.tinywebgallery.com/forum/

Remote file upload vulnerability
https://www.tinywebgallery.com/forum/viewtopic.php?f=13&t=3128
Page 1 of 1

Author:  john1986 [ 18. Oct 2011, 09:34 ]
Post subject:  Remote file upload vulnerability

There is no mention of a security update that fixes the remote file upload exploit in JFUploader. When will this be patched?

Details:
http://xforce.iss.net/xforce/xfdb/62897

http://www.exploit-db.com/exploits/15353/

Author:  TinyWebGallery [ 18. Oct 2011, 13:23 ]
Post subject:  Re: Remote file upload vulnerability

A detection for this has already been implemented for almost 10 months now!

This was part of JFU 2.12:

$remove_multiple_php_extension = true; // Some servers execute e.g. file.php.gif files which is a security issue. If you don't allow php files to upload please leave this to true because of security reasons.
$scan_images = true; // Scans images (gif,png,jpg) for php code. This is done by default when no size could be detected. By setting this to true all files are scanned because there are gif exploits around that returns valid sizes!

And this is only a problem if your server is configured to handle multiple extensions like .php.gif files as PHP code, which is normally not enabled by default!

But as I have written, since 2.12 this is no issue anymore...

Best, Michael
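As an added illustration (not code from JFUploader, and not from Michael's post), the two checks that the $remove_multiple_php_extension and $scan_images options describe can be written as stand-alone PHP functions. The list of script extensions, the sample filenames and the embedded 1x1 GIF are assumptions constructed for this example:

```php
<?php
// Added example, not JFUploader's code: a filename check against double
// extensions (file.php.gif) and a content scan of image uploads for PHP tags.
declare(strict_types=1);

// Counterpart of $remove_multiple_php_extension: keep only the base name and
// the final extension, and refuse any name that carries a script extension
// anywhere in it, so that "shell.php.gif" never reaches the upload directory.
function safe_upload_name(string $original, array $allowed): ?string
{
    $name  = basename($original);              // drop any path component (../)
    $parts = explode('.', $name);
    if (count($parts) < 2) {
        return null;                           // no extension at all
    }
    $ext = strtolower(array_pop($parts));
    if (!in_array($ext, $allowed, true)) {
        return null;                           // final extension not whitelisted
    }
    // Assumed list of extensions a PHP handler might be mapped to.
    $script = ['php', 'php3', 'php4', 'php5', 'phtml', 'phar'];
    foreach ($parts as $p) {
        if (in_array(strtolower($p), $script, true)) {
            return null;                       // inner script extension found
        }
    }
    // Collapse "a.b.gif" to "a_b.gif" so no inner extension survives at all.
    $base = preg_replace('/[^A-Za-z0-9_-]/', '_', implode('_', $parts));
    return $base . '.' . $ext;
}

// Counterpart of $scan_images: a file with a valid image header can still
// carry PHP code in its body, so the image must both parse as an image and
// contain no PHP open tag, whatever getimagesizefromstring() reports.
function image_is_clean(string $bytes): bool
{
    if (@getimagesizefromstring($bytes) === false) {
        return false;                          // not a parsable image
    }
    $tag = '/<\?(php\b|=)|<script[^>]+language\s*=\s*["\']?php/i';
    return preg_match($tag, $bytes) !== 1;
}

// Constructed samples: a minimal 1x1 transparent GIF, and the same GIF with
// a PHP tag appended (valid size, tainted body).
$gif     = base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7');
$tainted = $gif . '<?php echo "x"; ?>';
$allowed = ['gif', 'png', 'jpg'];

var_dump(safe_upload_name('holiday.JPG', $allowed));   // mixed-case extension, normalised
var_dump(safe_upload_name('shell.php.gif', $allowed)); // double extension
var_dump(safe_upload_name('../x.php', $allowed));      // path component and script extension
var_dump(image_is_clean($gif));                        // clean image
var_dump(image_is_clean($tainted));                    // image with appended PHP
```

The filename check rejects rather than silently renames when a script extension is present, so the upload fails loudly instead of creating a file whose name depends on server handler configuration; the content scan runs on every image, not only on those whose size cannot be read, which is the point of setting $scan_images to true.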
