About the security hole of class XoopsMediaUploader

Date 2005-03-09 18:50:53 | Category: XOOPS

A security hole in XoopsMediaUploader has been reported on xoops.org.

But it is just a well-known hole.
JM2 (the real hero) reported it to dev.xoops.org in April 2004.
After that post, Catzwolf and I argued about it.

Because I considered it a serious hole, myAlbum-P, which used XoopsMediaUploader, now uses MyXoopsMediaUploader (a secured XoopsMediaUploader).

myAlbum-P and ImageManagerIntegration users, set your minds at ease:
I already fixed it in version 2.70 on 5 April 2004.
(If you use myAlbum-P <= 2.6x, you should update right now.)

Of course, Protector can block attacks that use this hole,
precisely because it is a well-known hole.

But I have just found a typo in the code that guards against such attacks.
Protector users should update immediately to Protector >= 2.37.

With Protector >= 2.37, I believe you can safely enable custom avatars or the core's image manager.

Protector also protects against some combination attacks:

- camouflaged mime-type
- .gif extension (or another image extension)
- CSRF
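To make the three items above concrete, here is an added example of an upload validator that refuses each of those combinations. It is illustrative code written for this post, not code from XOOPS, Protector, myAlbum-P or MyXoopsMediaUploader, and it makes the usual defender's assumptions: the browser-declared MIME type is attacker-controlled, so the file's own leading bytes (magic numbers) decide what it is; only an allowlisted extension is accepted and it must agree with the sniffed content; the request must carry a CSRF token tied to the session; and the file is stored under a server-generated name. The sample uploads at the bottom are constructed, not captured.

```python
import hmac
import os
import secrets

# Allowlisted image extensions and the signatures (magic bytes) a genuine file of each type starts with.
IMAGE_SIGNATURES = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
}
# Aliases map onto the canonical extension used for the stored file.
EXTENSION_ALIASES = {".jpeg": ".jpg"}
# MIME type the browser is expected to declare for each canonical extension.
EXPECTED_MIME = {".gif": "image/gif", ".png": "image/png", ".jpg": "image/jpeg"}
# Byte sequences that have no business inside an image. This is a crude defence-in-depth
# heuristic against image files that also carry embedded script; it does not replace steps 2-4.
SCRIPT_MARKERS = (b"<?", b"<script", b"<%")


def sniff_extension(data: bytes):
    """Return the canonical extension implied by the file's leading bytes, or None."""
    for ext, signatures in IMAGE_SIGNATURES.items():
        if any(data.startswith(sig) for sig in signatures):
            return ext
    return None


def validate_upload(filename, declared_mime, data, csrf_token, session_token):
    """Check one upload; return (True, stored_name) or (False, reason)."""
    # 1. CSRF: the request must carry the token tied to the uploader's session.
    if not (csrf_token and session_token and hmac.compare_digest(csrf_token, session_token)):
        return False, "csrf token missing or mismatched"

    # 2. Extension allowlist: only the final extension counts, and unknown ones are refused.
    ext = os.path.splitext(filename)[1].lower()
    ext = EXTENSION_ALIASES.get(ext, ext)
    if ext not in IMAGE_SIGNATURES:
        return False, f"extension {ext or '(none)'} not allowed"

    # 3. Content check: the declared MIME type is untrusted, so the file's own bytes decide.
    sniffed = sniff_extension(data)
    if sniffed is None:
        return False, "content is not a recognised image"
    if sniffed != ext:
        return False, f"content is {sniffed} but name claims {ext}"

    # 4. The declared MIME type is still compared: a mismatch is a sign of tampering, not a free pass.
    if declared_mime != EXPECTED_MIME[sniffed]:
        return False, f"declared mime {declared_mime!r} does not match {sniffed}"

    # 5. Defence in depth: refuse images that also carry script-like markers.
    if any(marker in data for marker in SCRIPT_MARKERS):
        return False, "image contains script markers"

    # 6. Never reuse the client's name: store under a random name with the sniffed extension.
    return True, secrets.token_hex(8) + sniffed


# Constructed sample uploads (not real captures), one per rejection path plus a genuine file.
TOKEN = "constructed-session-token"
SAMPLES = {
    "genuine": ("photo.gif", "image/gif", b"GIF89a" + b"\x00" * 16, TOKEN),
    "camouflaged": ("photo.gif", "image/gif", b"<?php echo 'hi'; ?>", TOKEN),
    "polyglot": ("photo.gif", "image/gif", b"GIF89a<?php echo 'hi'; ?>", TOKEN),
    "bad_extension": ("photo.php", "image/gif", b"GIF89a" + b"\x00" * 16, TOKEN),
    "no_csrf": ("photo.gif", "image/gif", b"GIF89a" + b"\x00" * 16, ""),
}


def run_samples():
    """Validate every constructed sample against the session token; return {name: result}."""
    return {
        name: validate_upload(fn, mime, data, tok, TOKEN)
        for name, (fn, mime, data, tok) in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, (ok, detail) in run_samples().items():
        print(f"{name:14s} {'accepted' if ok else 'rejected'}: {detail}")
```

The order of the checks matters: the CSRF test comes first so that a forged request never reaches the file handling at all, and the content sniffing comes before the MIME comparison so that the browser's declaration can only ever confirm what the bytes already say, never override it.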

Don't turn the "patch for 2.0.9.2" option off unless you use ORETEKI.

You can read more news at PEAK XOOPS.
http://xoops.peak.ne.jp

The URL for this story is:
http://xoops.peak.ne.jp/md/news/index.php?page=article&storyid=42