Please upgrade here. These earlier versions are no longer being updated and have security issues.
HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

uploads was forced set 777 in Setup,and fileupload did not filter fake suffix files.eg. exe.php.jpg

uploads was forced set 777 in Setup,and fileupload did not filter fake suffix files.eg. exe.php to exe.jpg
I rename a test.php to test.jpg and the file successed uploaded

I think there might be some security leak...

This official forums has the same problem as well :(

Comments

  • I don't get your point. You have to get an executable to execute. If you rename the file unless you there is something running

    $ php yourfile

    which is highly unlikely, nothign will happen. Most servers are not configured to run jpg and php.

    Decent operating systems don't even run anything without executable bit set, which is basically most servers OS.

    The only reason for for having this provision, is so people don't accidentally download an run something. You could always zip pretty much any format.

    Your file permissions are in your hands (except for cheap webhosts boo). if you don't want script to set permissions don't let it.

    grep is your friend.

Sign In or Register to comment.