AW: phpWebSite-0.10.0_exploit
webmaster_at_clueless-design.de
Date: 02/25/05
- Previous message: David Moore: "CFP: WORM 2005"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: bugtraq@securityfocus.com, tjomka@navigator.lv Date: Fri, 25 Feb 2005 13:52:41 +0100
actually this bug seems to be fixed long time ago by adding following code
to the EZform.php
----
if (is_null($allowedImages) || !is_array($allowedImages)) {
include(PHPWS_SOURCE_DIR.'conf/allowedImageTypes.php');
$allowedImages = $allowedImageTypes;
}
$fileTypes = implode(", ", $allowedImages);
if (!in_array($_FILES[$postVar]["type"], $allowedImages)){
$error = new PHPWS_Error("EZform", "saveImage", "Submitted image
must be $fileTypes file.");
return $error;
}
----
code of the allowedImageTypes.php
----
<?php
/* Image types which are allowed to be uploaded via phpwebsite modules */
/* Added 12/03/2003 (might not be implemented in all modules yet */
$allowedImageTypes = array("image/jpeg",
"image/jpg",
"image/pjpeg",
"image/png",
"image/x-png",
"image/gif",
"image/wbmp");
?>
----
--- Ursprüngliche Nachricht ---
Datum: 24.02.2005 23:16
Von: tjomka <tjomka@navigator.lv>
An: bugtraq@securityfocus.com
Betreff: phpWebSite-0.10.0_exploit
> phpWebSite-0.10.0_exploit
>
- Previous message: David Moore: "CFP: WORM 2005"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
