Is 1.2.5 safe on Apache server with multiple extensions feature?

[Augustas]

I have noticed that earlier vulnerable file "/modules/FileManager/postlet/javaUpload.php" in the newest CMSMS release (1.2.5) was simply renamed to "javaUpload.php.txt".

I have not checked in detailss how the latest security hole was fixed, but I would like to notice that the Apache servers, where multiple extensions feature is activated (e.g. on host providers like icdsoft, lunarpages), the "javaUpload.php.txt" file might still be executed by PHP parser.

Would be nice if CMSMS developers could confirm that servers with "multiple extensions feature" have no risk using the latest CMSMS release.

PS: If you would like to know if multiple extensions are active on your webhost, simply enter the address of mentioned file inside the browser:
http://www.your-domain.com/modules/File ... ad.php.txt
The answer is YES, if the output is something like this:

Code: Select all

POSTLET REPLY
POSTLET:NO
POSTLET:TOO LARGE
POSTLET:ABORT THIS
END POSTLET REPLY

PPS: My website was also hacked, as I did not manage to upgrade CMSMS in time. brrrrr  would not like it to be repeated...

[Pierre M.]

Is destroying (rather than renaming) this "javaUpload.php*" a workaround ?

Pierre M.

[calguy1000]

yeah, you can safely nuke all of those files

However, I don't have them on my install... not sure why, maybe I nuked them or something.

[Ziggywigged]

Calguy, can you be specific as to which files we can safely delete from the modules/FileManager/postlet folder?

Is it the 2 files:
index.html.txt
javaUpload.php.txt

Thanks.

[calguy1000]

Yeah, and the uploadTest.html file

[cyberman]

I have not checked in detailss how the latest security hole was fixed, but I would like to notice that the Apache servers, where multiple extensions feature is activated (e.g. on host providers like icdsoft, lunarpages),

Please read this too

http://wiki.cmsmadesimple.org/index.php ... mall_Guide

It contains also a Apache section ...