Security issue, please make the following change

[jondaley]

This security issue affects any 1.2.x of LifeType prior to 1.2.7 AND allow resource uploads AND has untrusted users with upload access AND are not using encoded filenames.

The forbidden_upload variable is checked in a case-sensitive manner, which means that capitalized extensions are not blocked using the default settings.

The safest setting is to turn off resource uploads until 1.2.7 can be verified and released.

Next safest is to configure upload_allowed_files to the list of files you want to allow. This setting is also case-sensitive, so you might want to use:

*.jpg *.JPG *.png *.PNG *.gif *.GIF *.bmp *.BMP

Next safest is to configure your upload_forbidden_files with all versions of capitalized extensions. Note, that this method is kind of hard, since you would need to check *.pHp *.pHP etc.

I have not tested this exploit on many systems, so it is possible that your server is not affected by this (say, if test.PHP doesn't actually execute, but simply shows the contents of the file). If your server allows capitalized PHP files to run, you should check your apache logs to see if a hacker uploaded a file into your gallery. Note, that it isn't enough to only check your filesystem for the presence of these files, since the script might have been moved later.

[jondaley]

Note that if you are on the subversion 1.2 development branch, this problem is fixed at least on my server. Please test it if you can and let me know if it looks good on your system as well.

[jondaley]

We have verified that Apache uses case insensitive matching in the AddType and SetHandler methods, so *.PHP will be executable on your server. However, the <Files *.php> entry in the gallery .htaccess is parsed in a case-sensitive manner.

http://bugs.lifetype.net/view.php?id=1477

[jondaley]

1.2.7 has been tested and released. See the official announcement here.

[thestroller]

Hello Jon,

Can you show which files were modified to fix this error? Because I need more time to upgrade to 1.2.7 version. I have put your .htaccess to the gallery folder but there is no change. Everyone can execute the PHP file when click the "Download Link".

Thank you
Mai Minh

[jondaley]

The easiest way would be to set upload_allowed_files.

I think this is a good list. You should probably check the upgrade.zip file and see if I missed anything.
M /plog/branches/lifetype-1.2/class/data/validator/uploadvalidator.class.php
M /plog/branches/lifetype-1.2/class/misc/glob.class.php
M /plog/branches/lifetype-1.2/class/misc/integritychecker.class.php

[thestroller]

Hello Jon,
Thanks for your reply. But I found out there are too much extensions must be added to the allow list. So I had upgraded to the LT 1.2.7 version.

And I get same error with some one in the forum (cannot login with user 'admin'). Then I remove the 'admin' from the 'not allowed username list' and now I can login with 'admin'.

Thank you

[jondaley]

Hrm, I see that admin is on the list by default. I am not sure what to do about that. I guess the first thing is to make sure that new installations can't use the name admin and get themselves into the same place as you. If it correctly blocks it during the installation, I am not sure if there is anything to do - other than those folks with admin/www/etc usernames just have to deal with it during this upgrade.