Michaelo wrote: One of us is confused...
Before you can upload a file you either need FTP access, or as a member you upload a file of an allowed type (.gif, .png, etc.).
I was under the assumption that the scripts already contain this input validation. Then if not, you're saying that in addition to an avatar or a photo gallery image, I can upload .pl, .tlc, .c etc.? Because these are the files that I find in these directories. A filter for .pl, .tlc, .zip, .tgz, and .c would definitely be in order, because these are the file extensions the hackers are uploading.
There is no other way for a hacker to put a file on a server, assuming they haven't hacked another site on the server, in which case they may be able to cross contaminate…
I'm not sure about this. I've seen it where one can put fget(), wget, or fput() commands into the URI... but since we have phpbb_security installed that should stop that, unless of course hackers have discovered a workaround.
To hack a site first you need a way in; to accomplish this you need to find a vulnerable point and exploit it, as with the recent hacks. The hackers used a remote file/script via the php_root_path weakness to execute a remote script allowing them access… Once they gained access they proceeded to either upload files to gain control of the site or, as in most cases, simply used a remote script hack tool to do this…
agreed
I have examined the possibility of restricting upload directories to only accept certain files such as images or zips in an effort to counter the cross contamination problem… more later on this…
Great! Can't wait to see what you have.
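The thread above argues about blocking .pl, .c, .zip and .tgz uploads. A blocklist of bad extensions is the weaker way round: the defensive check is an allowlist of the few types a member upload is actually for (avatars, gallery images), verified by both extension and leading bytes. The code below is an added illustration of that allowlist, not phpBB's or phpbb_security's own code; the `ALLOWED_TYPES` table, the function names and the sample uploads are all constructed for this example.

```php
<?php
// Added example, not phpBB code: allowlist validation for member uploads.
// Rather than blocking .pl/.c/.zip and so on, accept only a known-good set
// and require the file's leading bytes to match that type's magic number.

const ALLOWED_TYPES = [
    'gif'  => ["GIF87a", "GIF89a"],
    'png'  => ["\x89PNG\r\n\x1a\n"],
    'jpg'  => ["\xFF\xD8\xFF"],
    'jpeg' => ["\xFF\xD8\xFF"],
];

function upload_is_allowed(string $filename, string $first_bytes): bool {
    // Reject anything carrying a path component or control characters.
    if ($filename !== basename($filename) || preg_match('/[\x00-\x1F]/', $filename)) {
        return false;
    }
    // Judge by the LAST extension, lower-cased: "avatar.gif.pl" is "pl" and is
    // rejected outright; "x.php.gif" is "gif" and must still carry GIF bytes.
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        return false;
    }
    foreach (ALLOWED_TYPES[$ext] as $magic) {
        if (strncmp($first_bytes, $magic, strlen($magic)) === 0) {
            return true;
        }
    }
    return false;
}

// Never keep the uploader's name on disk: store under a server-generated
// name with a single, allowlisted extension so "x.php.gif" cannot survive.
function safe_storage_name(string $filename): string {
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return bin2hex(random_bytes(8)) . '.' . $ext;
}

// Constructed sample uploads (name => leading bytes); these are not real files.
$samples = [
    'avatar.png'   => "\x89PNG\r\n\x1a\n....",
    'photo.GIF'    => "GIF89a....",
    'backdoor.pl'  => "#!/usr/bin/perl\n",
    'tool.c'       => "#include <stdio.h>\n",
    'fake.gif'     => "<?php echo 'not an image'; ?>",  // .gif name, no GIF header
    'dump.tgz'     => "\x1f\x8b....",
    '../evil.png'  => "\x89PNG\r\n\x1a\n....",           // path traversal in the name
];
foreach ($samples as $name => $bytes) {
    $ok = upload_is_allowed($name, $bytes);
    printf("%-12s %s%s\n", $name, $ok ? 'accept' : 'reject',
           $ok ? ' -> ' . safe_storage_name($name) : '');
}
```

Running it under the PHP CLI accepts only `avatar.png` and `photo.GIF`; the Perl, C, tar and disguised-PHP samples are rejected without any of their extensions having to be listed. The magic-byte check is still not a substitute for the storage rule: a web server configured to hand multi-extension names to the PHP handler would happily execute a file that passed the check under its original name, so the renamed copy, and ideally an upload directory with script execution disabled, is what keeps an accepted image from ever becoming executable.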