Started by vHawkeyev, May 01, 2009, 10:47:02 AM
Quote from: rthrash on May 11, 2009, 11:17:17 AM
1.1.8 definitely still has some vulnerability regarding themes/avatars: http://www.simplemachines.org/community/index.php?topic=309741.0
Any ideas if this has been fixed in the 2.0 RC, or what the specific bug that allows this to happen is? This really deserves an update pronto.
Off to deploy the Stop Spammer mod.
Quote from: JBlaze™ on May 11, 2009, 11:19:47 AM
This is an unofficial fix to this hack until an official patch comes out
http://www.simplemachines.org/community/index.php?topic=309717.0
Quote from: rthrash on May 11, 2009, 11:49:38 AM
Thanks for your feedback JBlaze™. Much appreciated and prompt.
Quote from: rthrash on May 11, 2009, 02:47:35 PM
I can say that the Stop Spammer add-on is really great indeed. It would have saved us all sorts of grief. Had to manually install it due to how locked down we have things right now but very pleased with what it's doing.
Just to confirm though, the install2.xxx bits are for SMF 2.0, correct? That's not totally clear from any instructions and the manual install instructions aren't parsing on the add-on site for version 1.1.8.
# secure directory by disabling script execution
AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
Options -ExecCGI
Order Allow,Deny
Deny from all
<Files ~ "\.(jpeg|jpg|png|gif)$">
Allow from all
</Files>
Quote from: GamingTrend on May 12, 2009, 03:01:24 PM
So I overwrote all but the settings file for SMF Forums 1.8 and I'm still getting code injection. I'm just not sure where to look at this point...help?
grep "<?php" attachments/*
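
The grep above only checks files directly inside attachments/ and only matches the lowercase tag. The following is an added example, not part of the thread or of SMF, that widens the same check: it recurses into subdirectories, matches the tag in any letter case plus the short echo tag, and marks whether each hit starts with image magic bytes. The function names scan_uploads and file_kind are hypothetical, GNU grep is assumed, and the directory names are whatever your forum uses.

```shell
#!/bin/sh
# Added example: audit forum upload directories for embedded PHP.
# Assumes GNU grep (-r, -a) plus head and od; directories are caller-supplied.

# Print "image" if the file starts with JPEG, PNG or GIF magic bytes,
# otherwise "other".
file_kind() {
    magic=$(head -c 4 -- "$1" | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        ffd8ff*|89504e47|47494638) echo image ;;
        *) echo other ;;
    esac
}

# scan_uploads DIR...
# Prints "<kind><TAB><path>" for every file containing a PHP opening tag
# ("<?php" in any letter case, or the short echo tag "<?=").
# -a makes grep read binary files as text, so a tag placed after a valid
# image header is still found; -r also covers subdirectories.
# Missing directories are skipped; a directory with no hits is not an error.
scan_uploads() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        LC_ALL=C grep -rlaiE '<\?(php|=)' -- "$dir" || :
    done | LC_ALL=C sort | while IFS= read -r path; do
        printf '%s\t%s\n' "$(file_kind "$path")" "$path"
    done
}

# Run against the directories named on the command line, for example:
#   sh scan_uploads.sh attachments avatars
if [ "$#" -gt 0 ]; then
    scan_uploads "$@"
fi
```

Every hit is a candidate for manual review: a file marked "image" carries PHP text behind a valid image header, and the three-byte "<?=" sequence can occasionally occur by chance in compressed image data.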