Status: Closed (closed by GoogleCodeExporter 8 years ago)
This isn't ClipBucket specific, but if you look at
http://sourceforge.net/p/clipbucket/code/HEAD/tree/trunk/upload/admin_area/charts/ofc-library/ofc_upload_image.php
you'll see that this has no file MIME or content validation at all, which allows for scripts to be executed. I have added a temporary rule to our servers until this is fixed that should effectively block the exploit.
SecRule REQUEST_BASENAME "@streq ofc_upload_image.php" \
"phase:1,rev:'2',id:'958978',deny,log,auditlog,status:403,msg:'OpenFlashChart Image upload script attempt - JIT patch'"
Original comment by z...@pacifichost.com
on 23 Sep 2013 at 7:23
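The comment above describes the missing check (the upload script accepts any bytes under any name) and blocks the endpoint by request basename. The following is an added example, not ClipBucket's, OpenFlashChart's or the commenter's code, of what content validation for an image upload endpoint looks like when it is done in the application instead: the client-supplied name, the declared Content-Type and the actual magic bytes all have to agree, and the file is stored under a server-assigned name. The sample inputs (a minimal PNG header, a PHP snippet, a PNG/PHP polyglot) are constructed for the example and are not files from the issue.

```python
"""Added example: content validation for an image upload endpoint.

This is not the ofc_upload_image.php logic, and not code from the project;
it models the checks the comment above says that script lacks. Function
names, limits and sample inputs below are assumptions made for the example.
"""
import hashlib
import os
import re
from typing import Optional, Tuple

# Leading bytes of the image formats we accept, keyed by canonical extension.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# Declared Content-Type values we accept, mapped to the same canonical extension.
ALLOWED_CONTENT_TYPES = {"image/png": "png", "image/jpeg": "jpg", "image/gif": "gif"}
# One stem, one dot, one allowed suffix: no path separators, no double extensions.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.(png|jpe?g|gif)$", re.IGNORECASE)
MAX_BYTES = 2 * 1024 * 1024  # assumed limit for a chart image


class UploadRejected(ValueError):
    """Raised with a short reason when an upload fails validation."""


def sniff_format(data: bytes) -> Optional[str]:
    """Return the canonical extension whose magic bytes open `data`, else None."""
    for ext, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return ext
    return None


def stored_name(data: bytes, ext: str) -> str:
    """Server-assigned filename: a content hash plus the sniffed extension.
    The client's filename never reaches the filesystem."""
    return hashlib.sha256(data).hexdigest()[:32] + "." + ext


def validate_upload(client_name: str, content_type: str, data: bytes) -> str:
    """Validate one upload and return the name it may be stored under.

    Raises UploadRejected otherwise. Every check is on the request itself;
    nothing here trusts the client-supplied name or type on its own.
    """
    if not data or len(data) > MAX_BYTES:
        raise UploadRejected("bad size")
    # 1. Client filename: reject traversal ("../x.png") and "x.php.png" style names.
    if os.path.basename(client_name) != client_name or not _SAFE_NAME.match(client_name):
        raise UploadRejected("unsafe filename")
    claimed = client_name.rsplit(".", 1)[1].lower()
    claimed = "jpg" if claimed == "jpeg" else claimed
    # 2. Declared Content-Type must be one we serve as an image.
    declared = ALLOWED_CONTENT_TYPES.get(content_type.split(";")[0].strip().lower())
    if declared is None:
        raise UploadRejected("content type not allowed")
    # 3. The bytes must actually be that image type, and all three must agree.
    real = sniff_format(data)
    if real is None or real != declared or real != claimed:
        raise UploadRejected("content does not match declared type")
    # 4. Polyglot heuristic (defense in depth only): a valid image header does not
    #    stop PHP tags later in the file from running if the file ever lands in an
    #    executable location, so refuse files carrying script tags at all.
    lowered = data.lower()
    if b"<?php" in lowered or b"<?=" in lowered or b"<script" in lowered:
        raise UploadRejected("embedded script tag")
    # 5. Store under our own name; callers should also write outside the web root
    #    or into a directory the web server is configured not to execute.
    return stored_name(data, real)


def try_upload(client_name: str, content_type: str, data: bytes) -> Tuple[str, str]:
    """Convenience wrapper returning ('ok', stored_name) or ('rejected', reason)."""
    try:
        return ("ok", validate_upload(client_name, content_type, data))
    except UploadRejected as exc:
        return ("rejected", str(exc))


# Constructed sample inputs (not real uploads from the issue).
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16      # valid header, truncated body
PHP_SAMPLE = b"<?php echo 'hello'; ?>\n"               # plain script, no image header
POLYGLOT_SAMPLE = PNG_SAMPLE + b"<?php echo 'polyglot'; ?>"

if __name__ == "__main__":
    for name, ctype, blob in [
        ("chart.png", "image/png", PNG_SAMPLE),
        ("shell.php", "image/png", PHP_SAMPLE),
        ("shell.png", "image/png", PHP_SAMPLE),
        ("shell.php.png", "image/png", PNG_SAMPLE),
        ("chart.png", "image/png", POLYGLOT_SAMPLE),
    ]:
        print(name, ctype, try_upload(name, ctype, blob))
```

The magic-byte check only proves the first bytes look like an image; a stricter endpoint would also decode the image (for example re-encoding it) so that trailing payload is dropped, and would serve the upload directory with script execution disabled, which is what the chmod in the following comment achieves for the one script in question.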
Good to know. I don't use Apache, so I chmoded this script for the moment.
Original comment by bru...@agro.uba.ar
on 2 Oct 2013 at 6:32
Removed from cb source.
Original comment by arslan...@gmail.com
on 24 Feb 2015 at 9:53
Original issue reported on code.google.com by
bru...@agro.uba.ar
on 6 Sep 2013 at 1:49