lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <E1D4exV-0004Eo-00@www.strato-webmail.de>
Date: Fri, 25 Feb 2005 13:52:41 +0100
From: webmaster@...eless-design.de
To: bugtraq@...urityfocus.com, tjomka@...igator.lv
Subject: AW: phpWebSite-0.10.0_exploit


actually this bug seems to be fixed long time ago by adding following code
to the EZform.php
----
    if (is_null($allowedImages) || !is_array($allowedImages)) {
      include(PHPWS_SOURCE_DIR.'conf/allowedImageTypes.php');
      $allowedImages = $allowedImageTypes;
    }

    $fileTypes = implode(", ", $allowedImages);

    if (!in_array($_FILES[$postVar]["type"], $allowedImages)){
      $error = new PHPWS_Error("EZform", "saveImage", "Submitted image
must be $fileTypes file.");
      return $error;
    }
----

code of the allowedImageTypes.php
----

<?php

/* Image types which are allowed to be uploaded via phpwebsite modules */
/* Added 12/03/2003 (might not be implemented in all modules yet */

$allowedImageTypes = array("image/jpeg",
			   "image/jpg",
			   "image/pjpeg",
			   "image/png",
			   "image/x-png",
			   "image/gif",
			   "image/wbmp");

?>
----

 --- Ursprüngliche Nachricht --- 
Datum: 24.02.2005 23:16
Von: tjomka <tjomka@...igator.lv>
An: bugtraq@...urityfocus.com
Betreff: phpWebSite-0.10.0_exploit
  
> phpWebSite-0.10.0_exploit
> 




Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ