avatar Upload... photogallery Upload... db Backup.... /cache

Support for IntegraMOD 140

Post by computerz » Mon Aug 28, 2006 10:34 am

It appears that the avatar upload and photogallery upload, as well as the folders for dbbackup and cache, have to be chmod'ed to 777 in order for their respective scripts to work (extreme styles for the latter, the /cache directory).

However, this allows the hacker to offload Perl scripts into these folders, some of which are eggdrop IRC bots, and then assume super user privileges to the entire server and thereby hack the site. This doesn't appear to be isolated to just the style selector, as I've been hacked 6 times in the last month, where it only occurs when I chmod the following folders to 777:

1. album_mod/upload
2. images/avatars/
3. (optionally) cache

And if I don't configure these with 777, then the script doesn't work.

Has anyone thought of and/or realized this glaring security vulnerability? And if so, why is IntegraMOD written like this? Someone in the hacker fix thread also noticed the same thing.

Can't we protect these directories with an .htaccess file which will allow the script to write to these folders but prevent hackers remote access? And if not, can't we edit the code such that "world" doesn't have to have write access to these folders?

I tried to do something like this

# Apache has no <LimitException>; the container is <LimitExcept> and it
# needs a list of methods. This denies every method except GET.
<LimitExcept GET>
    Order Allow,Deny
    Deny from all
</LimitExcept>

and I've also tried

# <Directory> is not allowed inside an .htaccess file (and needs a path);
# the .htaccess already applies to the folder it sits in, so the
# directives go in bare. Note "Allow from" matches the *visitor's*
# host or IP, not the site being served.
Order Allow,Deny
Deny from all
Allow from mysite.com

And stuck this .htaccess in the respective folders

But not really certain if this is correct.

Any input would be appreciated. Thanks.
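As an added example (not code from the thread or from IntegraMOD): a small POSIX shell helper for the folders listed above. The board only needs to *write* into these folders, never to *execute* anything there, so the .htaccess it installs strips every script handler instead of trying to block visitors. It uses Apache 2.2 directives as in the post and assumes AllowOverride permits FileInfo, Options and Limit for those folders; the folder names are the ones from the post.

```shell
#!/bin/sh
# Added helper (not IntegraMOD code): keep upload/cache folders
# writable by the web server, but make sure nothing in them can run.
# Apache 2.2 syntax; assumes AllowOverride FileInfo/Options/Limit.

# Write an .htaccess that keeps the folder writable but non-executable.
write_noexec_htaccess() {
    cat > "$1/.htaccess" <<'EOF'
# Files here are data, not code: strip every script handler and type.
RemoveHandler .php .phtml .php3 .php4 .php5 .pl .cgi .py .sh
RemoveType    .php .phtml .php3 .php4 .php5 .pl .cgi .py .sh
Options -ExecCGI -Indexes
<IfModule mod_php5.c>
    php_flag engine off
</IfModule>
# Second layer: refuse to serve script-like names at all.
<FilesMatch "\.(php[0-9]?|phtml|pl|cgi|py|sh)$">
    Order Allow,Deny
    Deny from all
</FilesMatch>
EOF
}

# True (exit 0) when "others" have the write bit, i.e. the 777 case.
is_world_writable() {
    [ -n "$(find "$1" -maxdepth 0 -perm -0002)" ]
}

# Print files in the folder whose names look like scripts rather than
# avatars, photos or SQL dumps; any output deserves a look.
list_script_files() {
    find "$1" -maxdepth 1 -type f \( -name '*.php*' -o -name '*.pl' \
        -o -name '*.cgi' -o -name '*.py' -o -name '*.sh' \) | sort
}

# One-shot check of a folder: report its state, then install the .htaccess.
harden_upload_dir() {
    d="$1"
    if is_world_writable "$d"; then
        echo "warning: $d is world-writable; prefer web-server owner and mode 755"
    fi
    list_script_files "$d" | sed 's|^|suspicious script in upload dir: |'
    write_noexec_htaccess "$d"
    echo "installed $d/.htaccess"
}

# Usage, with the folders named in the post:
#   for d in album_mod/upload images/avatars cache; do harden_upload_dir "$d"; done
```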

Post by Unregistered » Mon Aug 28, 2006 5:32 pm

hmmm... more things to work on i guess ..

Post by Michaelo » Tue Aug 29, 2006 2:57 pm

Upload directories need to be accessed by all; this is the same for every bulletin board ever written...

Update your files with the security fixes to stop the script hack. In your case the style change hack and several others have been plugged.

Please read all Global Announcements and check the Security Forum for updates.
Mike