[pLog-svn] Critical: security issue

Jon Daley jon at limedaley.com
Sat Mar 29 10:31:54 EDT 2008


 	You should disable locale uploading on your sites if you don't 
trust your users.  I just saw this on one of my customers' sites.  He is 
running the latest version.  This PHP script was uploaded and then 
externally run.

/home/chemblogs/www/locale/admin/.svn/props/secure.PHP

 	We probably need an .htaccess rule to disable all PHP outside of 
the root. And maybe we should take more seriously the thought about making 
it easier to have files outside of the web space.  Some of it is a pain - 
i.e. moving the tmp or plugins directory causes some things to fail.

 	I'll look into this more and see how it goes.


-- 
Jon Daley
http://jon.limedaley.com/

Sometimes being smart is a handicap.
Smart people are often too smart to take advice from others.
-- Al Ries
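
A defender's check for the kind of file described in this message, added here as an example and not code from the pLog project or from the poster: it walks a web root and reports PHP-handled files that sit inside dot-directories such as `.svn`, or that carry an upper- or mixed-case extension like `secure.PHP`. The extension list and the sample tree are assumptions constructed for the illustration; only the shape of the `secure.PHP` path comes from the email.

```python
import os
import tempfile

# Assumption: final extensions the web server hands to PHP; adjust to your handler mapping.
PHP_EXTS = {".php", ".phtml", ".php3", ".php4", ".php5"}


def find_suspect_scripts(web_root):
    """Return sorted (relative_path, reason) pairs for script files that look planted."""
    hits = []
    for dirpath, _dirs, files in os.walk(web_root):
        rel_dir = os.path.relpath(dirpath, web_root)
        # Any path component starting with "." (.svn, .git, ...) is metadata, not application code.
        in_dot_dir = any(p.startswith(".") and p != "." for p in rel_dir.split(os.sep))
        for name in files:
            # Only the final extension is checked, so SVN pristine copies
            # such as "index.php.svn-base" are not reported.
            ext = os.path.splitext(name)[1]
            if ext.lower() not in PHP_EXTS:
                continue
            rel = os.path.normpath(os.path.join(rel_dir, name)).replace(os.sep, "/")
            if in_dot_dir:
                hits.append((rel, "script inside a dot-directory"))
            elif ext != ext.lower():
                hits.append((rel, "script extension in unusual case"))
    return sorted(hits)


def build_sample_tree(root):
    """Create a constructed sample tree; file names other than secure.PHP are made up."""
    for rel in ("index.php",
                "locale/admin/.svn/props/secure.PHP",
                "locale/admin/.svn/text-base/index.php.svn-base",
                "tmp/Cache.PHP",
                "tmp/readme.txt"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        for rel, reason in find_suspect_scripts(root):
            print(f"{rel}: {reason}")
```

A hit is a prompt to inspect the file and the access logs for requests to it, not proof of compromise.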

