CELERONDUDE'S UPLOADER SCRIPT - Read !!


kektex (Established Member, Impact: 3)
I know many people here on the boards use it, so a heads up for those using celerondude's uploader script: it has a pretty serious security hole:

Running uploaderv5 or other uploading scripts? There's a bug with apache that will allow RAR files (and other file types that Apache does not recognize, RAR just happens to be one of the common file types that admins allow users to upload and Apache doesn't recognize.) to allow users to upload and execute php scripts on your server.

READ HERE for more info and solution.
Quick bump in case someone hasn't read this... it's pretty serious and I know many people here use this script.
kektex forgot to also add the fix for this. For what reason I don't know, even though it's part of the same wording he quoted from:

In case the thread is deleted: basically, if you allow users to upload files with extension XXX, where Apache doesn't know what file type XXX is, and the file is named hack.php.XXX, then Apache will think the file is a PHP script. Fix? Here:
Add this to .htaccess in your userfiles/incoming directory. If it doesn't exist, create it by opening Notepad, pasting this, saving it as ".htaccess", and uploading it.

# No php in this directory!
RemoveType php
# The above is probably enough, but just in case
<IfModule mod_php4.c>
php_flag engine 0
</IfModule>
<IfModule mod_php5.c>
php_flag engine 0
</IfModule>
# GET requests only
<LimitExcept GET>
Order Allow,Deny
</LimitExcept>

CDude is always on top :)
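The .htaccess above stops Apache from executing scripts in the upload directory. A second layer is to have the upload script itself reject any name that Apache's multiple-extension handling could map to a script handler. The following is an added example written for this thread, not code from celerondude's uploader (which is PHP) or from the original posts; the extension lists, the userfiles/incoming directory and the function names are assumptions, and the logic ports directly to PHP. The key point it demonstrates is that every dotted segment of the filename must be checked, not just the last one, because hack.php.rar still "ends in .rar":

```python
import re
import secrets

# Added example (not code from the original thread or from celerondude's script).
# Apache's mod_mime evaluates every dotted segment of a filename, so a file
# called hack.php.rar can be handled as PHP even though it "ends in .rar".
# A server-side filename check therefore has to look at ALL segments, not
# only the final extension. The extension lists below are illustrative, not complete.

SCRIPT_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "phps", "cgi", "pl", "shtml"}

# Extensions the hypothetical userfiles/incoming directory is meant to accept.
ALLOWED_EXTENSIONS = {"rar", "zip", "jpg", "png", "gif"}

# Basename restricted to a conservative character set: no dots, slashes or spaces.
BASENAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def upload_name_problems(filename, allowed=ALLOWED_EXTENSIONS):
    """Return the reasons an uploaded filename should be rejected (empty list == accept)."""
    problems = []
    parts = filename.split(".")
    if len(parts) != 2:
        problems.append("expected exactly one extension (basename.ext)")
    base, segments = parts[0], parts[1:]
    if not BASENAME_RE.match(base):
        problems.append("basename must be 1-64 characters of [A-Za-z0-9_-]")
    # Every segment is checked because Apache treats each one as a possible extension.
    for seg in segments:
        if seg.lower() in SCRIPT_EXTENSIONS:
            problems.append("segment '.%s' maps to a script handler" % seg)
    if segments and segments[-1].lower() not in allowed:
        problems.append("final extension '.%s' is not in the allowlist" % segments[-1])
    return problems


def safe_store_name(filename, allowed=ALLOWED_EXTENSIONS):
    """Return a server-chosen name to store the file under, or None if rejected.

    The client-supplied basename is discarded entirely; only the validated
    extension survives, so nothing the uploader typed reaches the filesystem.
    """
    if upload_name_problems(filename, allowed):
        return None
    ext = filename.rsplit(".", 1)[1].lower()
    return "%s.%s" % (secrets.token_hex(8), ext)


if __name__ == "__main__":
    # Constructed sample names, including the hack.php.XXX pattern from the thread.
    for name in ["archive.rar", "hack.php.rar", "shell.PHTML.zip", "notes.txt", "../escape.rar"]:
        print("%-18s -> %s" % (name, upload_name_problems(name) or "accepted"))
```

Storing under a server-generated name (safe_store_name) rather than a cleaned-up version of the user's name avoids having to reason about every character Apache or the filesystem might interpret; the uploader only gets to influence the extension, and only from the allowlist.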
LeeRyder said:
kektex forgot to also add the fix for this. For what reason I don't know, even though it's part of the same wording he quoted from:

No suspicious reason, I added the link to the fix on the original post so people could visit the site and read the whole story including the fix...