Open exoticpenguin opened 4 years ago
Hey @CuteNews, why aren't you guys responding to this? :( I love the system, but it looks like nobody takes care of it anymore, and your forum is actually full of spam.
It seems that this project is no longer under development. The last commit was in 2018 and the developer @CuteNews hasn't posted anything on the forum for ages. Unless you don't need guest users (I don't), better switch to something else :-(
I just submitted a PR with a mitigation patch for this. While not a complete fix, it does make it MUCH harder for an attacker to exploit. The full fix is to stick a .htaccess file in the uploads directory that uses ForceType to disable script execution. You could also use the "engine off" trick, but that only disables PHP, not other languages.
--Arek75
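The uploads-directory .htaccess described in the comment above, written out as an added example (it is not code from the CuteNews project or from the commenter). It assumes Apache 2.4 with AllowOverride permitting FileInfo and AuthConfig directives in that directory, and it combines the ForceType approach with the "engine off" trick so that neither depends on the other:

```apache
# Added example .htaccess for a CuteNews uploads directory (assumed Apache 2.4,
# AllowOverride FileInfo AuthConfig). Goal: nothing stored here is ever executed.

# 1. Serve every file as an opaque download, so no script handler is selected
#    from the extension. Real image types are restored below for avatars.
ForceType application/octet-stream

# 2. Remove any handlers/types that AddHandler/AddType may have mapped higher up.
#    This matters for double extensions such as "x.php.jpg", which AddHandler
#    would otherwise still route to PHP.
RemoveHandler .php .phtml .phar .phps .php3 .php4 .php5 .php7 .php8
RemoveType    .php .phtml .phar .phps .php3 .php4 .php5 .php7 .php8

# 3. The "engine off" trick from the comment. Only has effect under mod_php
#    (module name varies by PHP version; the IfModule blocks avoid a 500 if the
#    module is absent, e.g. under PHP-FPM where this line is ignored anyway).
<IfModule mod_php7.c>
    php_flag engine off
</IfModule>
<IfModule mod_php.c>
    php_flag engine off
</IfModule>

# 4. Belt and braces: refuse to serve anything that looks like a script at all,
#    including the double-extension case (".php." anywhere in the name).
<FilesMatch "\.(php|phtml|phar|phps|php[3-8]|pl|py|cgi|sh)(\.|$)">
    Require all denied
</FilesMatch>

# 5. Give genuine avatar formats their correct type back so browsers render them.
<FilesMatch "\.png$">
    ForceType image/png
</FilesMatch>
<FilesMatch "\.jpe?g$">
    ForceType image/jpeg
</FilesMatch>
<FilesMatch "\.gif$">
    ForceType image/gif
</FilesMatch>
```

Verify it took effect by requesting a harmless test file you place there with a .php extension: the response should be a 403, and a `.txt` file should come back as `application/octet-stream` rather than rendered. If the server answers 500, AllowOverride is not permitting one of these directive groups for that directory.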
Are there any plans to fix the remote code execution vulnerability in 2.1.2 described in http://52.42.148.182/cve/CVE-2019-11447/ ?