]]>
Error! Could not query portal menus information: blocks/block_menus.php, line 59
I can no longer use the site with IE & FireFox, every URL I click takes me back to the error message.
I have to manually delete the site cookie so i don't get the message anymore...
Statistics: Posted Author: Blue-Blood — Wed Dec 30, 2009 11:14 pm
]]>
"IceWind" wrote:
No worries i got the point.
Thing is disabling uploads would create a big impact on the forum. Due to it's nature the album section is one of the most used. Also the downloads area not so much but quite helpfull, specially the screenshots as most of the uploaded downloads are plans in CAD files and a image screenshot is the best to prevent you from downloading stuff that in the end it's not helpfull.
For now i follow the links provided and disable the script execution in all the upload target folders, and i think that will help alot. But this still not prevents the script file from be uploaded and that concerns me a bit.
I was trying to secure the process a bit more in the end if I'm not satisfied I will eventually disable the upload area for example like you say.
No worries i got the point.
Thing is disabling uploads would create a big impact on the forum. Due to it's nature the album section is one of the most used. Also the downloads area not so much but quite helpfull, specially the screenshots as most of the uploaded downloads are plans in CAD files and a image screenshot is the best to prevent you from downloading stuff that in the end it's not helpfull.
For now i follow the links provided and disable the script execution in all the upload target folders, and i think that will help alot. But this still not prevents the script file from be uploaded and that concerns me a bit.
I was trying to secure the process a bit more in the end if I'm not satisfied I will eventually disable the upload area for example like you say.
Ah ok, I see your point. Yeah do as Helterskelter has suggested and all should be good to go.
Statistics: Posted Author: DjPorkchop — Sun Jan 04, 2009 1:21 pm
]]>
"IceWind" wrote:
I was trying to follow the code used to upload the files but it's not easy to get at first try.
Cand someone give me a tip on where can i find the part where it uploads the file? I was planning to ad a mim-type check there and only let pass image types.
It's now 100% secure but it's a start...
Thanks.
I was trying to follow the code used to upload the files but it's not easy to get at first try.
Cand someone give me a tip on where can i find the part where it uploads the file? I was planning to ad a mim-type check there and only let pass image types.
It's now 100% secure but it's a start...
Thanks.
the problem with this is that most php files are uploaded as gif images then changed to php.
You can put this in your htaccess files in
album_mod/upload/
pafiledb/uploads/
pafiledb/images/screenshots/
# no reasion any code should be able to run in this folder!AddHandler cgi-script .php .js .pl .py .jsp .asp .htm .shtml .sh .cgiOptions -ExecCGI
this wont stop users from uploading gifs and changing them to php, but it will make the file not executable.
Statistics: Posted Author: Helter — Sat Jan 03, 2009 12:13 pm
]]>
For now i follow the links provided and disable the script execution in all the upload target folders, and i think that will help alot. But this still not prevents the script file from be uploaded and that concerns me a bit.
I was trying to secure the process a bit more in the end if I'm not satisfied I will eventually disable the upload area for example like you say.
Statistics: Posted Author: IceWind — Sat Jan 03, 2009 5:56 am
]]>
I have turned off user uploads on my site and cmod the screenshots folder to 755 due to the fact that really, no one on my site will upload any files anyway, nor do they have a reason to. That stopped the problem instantly on my site.
Statistics: Posted Author: DjPorkchop — Fri Jan 02, 2009 2:15 pm
]]>
Cand someone give me a tip on where can i find the part where it uploads the file? I was planning to ad a mim-type check there and only let pass image types.
It's now 100% secure but it's a start...
Thanks.
Statistics: Posted Author: IceWind — Fri Jan 02, 2009 9:03 am
]]>
Just for fun i changed the .php script that was uploaded for another that logs the ip's and the access times! And the b****** already went there twice.
Statistics: Posted Author: IceWind — Wed Dec 31, 2008 12:15 pm
]]>
Well, I'm not glad for anyone that this happens, it was just a reminder to us all <img>
Statistics: Posted Author: DjPorkchop — Wed Dec 31, 2008 9:02 am
]]>
Thanks for the help, i was searching for this but i got nothing specific.
I was about to go check the upload code to see if i could fit a file content check.
Thanks I'm going to check the information provided.
Statistics: Posted Author: IceWind — Wed Dec 31, 2008 8:17 am
]]>
http://integramod.com/forum/viewtopic.p ... hta#p29088
Statistics: Posted Author: DjPorkchop — Wed Dec 31, 2008 7:59 am
]]>
Let me take a wild guess and say that the file is being uploaded to pafile_db/images/screenshots
You can, for now, chmod that screenshots file to 644. What this will do is not allow anyone to upload to that file at all. If you are not worried about having screenshots of what ever it is you are offering for a download then problem solved.
Let me go search for that other thread real fast on the hta file fix. I'll brb
Statistics: Posted Author: DjPorkchop — Wed Dec 31, 2008 7:55 am
]]>
I'm running Im 1.4.1 and using ctracker.
And someone was able by using the downloads section to upload a .php file and execute it.
I noticed in that section settings that it should block the .php, php3 and so one... but still it keeps accepting and uploading them.
Is there a fix for this?
Thanks.
Statistics: Posted Author: IceWind — Wed Dec 31, 2008 7:31 am
]]>
Just wasn't sure if you knew.
Statistics: Posted Author: .QUACK.Major.Pain — Mon Dec 01, 2008 4:15 pm
]]>
]]>