PhotoPost Community

PhotoPost Community (http://www.photopost.com/forum/)
-   Installs and Upgrade - vBulletin 3.5.X (http://www.photopost.com/forum/installs-upgrade-vbulletin-3-5-x/)
-   -   Upload.php .... (http://www.photopost.com/forum/installs-upgrade-vbulletin-3-5-x/121443-upload-php.html)

gnubittol December 10th, 2005 10:48 AM

Upload.php ....
 
"..image uploads and potentially opens a cross-site-scripting exploit. It has affected many web-based applications that allow image uploads..."

This is the description on vBulletin.com in this thread:

http://www.vbulletin.com/forum/showthread.php?t=161721

on November 2.

My vBGallery is the latest version... and BEFORE this date....
Today I've found these files:

commands.php
common.php
system.php
time.php
.htaccess

All the files were created at the same time.... at 09:55 AM.
The contents... NO COMMENT.

Is it possible that this "malware" was uploaded to my site via upload.php?
(They are present only in the subdirectories of the gallery... images, users, etc.)

thanks in advance.

Zachariah December 10th, 2005 11:44 AM

Those are not standard gallery files included with the install package.

Take a look at the FTP access logs on the webserver to see if those might have been files uploaded to the wrong folder during a hack install (dragged and dropped into the wrong folder).

Quote:

All the files were created at the same time.... at 09:55 AM.
The contents... NO COMMENT.
You're saying the files' content was "blank" or just had the text "NO COMMENT"?

gnubittol December 10th, 2005 12:55 PM

Quote:

Originally Posted by Zachariah
Those are not standard gallery files included with the install package.

I know....

Quote:

Originally Posted by Zachariah
You're saying the files' content was "blank" or just had the text "NO COMMENT"?

"No comment" was about the content.... for example, this is commands.php:
Code:

Content visible to verified customers only.
If you want, I'll post all the contents of the other files.....
but as you can read, it's not good... :|

gnubittol December 11th, 2005 01:46 PM

Bump...

KW802 December 11th, 2005 08:17 PM

Gnubittol, what exactly is the question? And have you deleted those files yet?

gnubittol December 13th, 2005 06:27 PM

Quote:

Originally Posted by KW802
Gnubittol, what exactly is the question? And have you deleted those files yet?

These files were "uploaded" to my web space only in the folders with "777" chmod, and in the "Files" folder of vbGallery, of course, they were present.

The question is:
Is it a bug in PHP or a bug in vBGallery?

These files were REMOVED immediately from the server and I changed the permissions on all "777" folders. NOW vbGallery is READ ONLY (no upload is available).....
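The symptom reported above is specific enough to script a check for: script or server-config files sitting inside world-writable (777) directories that should only ever hold images. The following triage script is an added example, not vBGallery or PhotoPost code, and it does not know what the dropped files contained. The directory names, file names and the 09:55 timestamp in make_sample_tree are constructed to mirror the report in this thread so the script runs offline; point triage at a real gallery root instead.

```shell
#!/bin/sh
# Added triage example for the incident described in this thread (not
# PhotoPost/vBGallery code). It lists world-writable directories under a
# gallery root and the script-like files (PHP, .htaccess) found inside them.

# Build a throwaway sample tree and print its path. Constructed data only:
# one 777 upload branch with a legitimate image plus the five file names
# from the report, all stamped 2005-12-10 09:55, and one 755 asset dir.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/uploads/data/500" "$root/images"
    chmod 777 "$root/uploads" "$root/uploads/data" "$root/uploads/data/500"
    chmod 755 "$root/images"
    : > "$root/uploads/data/500/photo1.jpg"      # legitimate upload
    : > "$root/images/logo.gif"                  # shipped asset in a 755 dir
    for f in commands.php common.php system.php time.php .htaccess; do
        : > "$root/uploads/data/500/$f"
        touch -t 200512100955 "$root/uploads/data/500/$f"   # same minute
    done
    printf '%s\n' "$root"
}

# Directories under $1 whose mode grants write to "other" (the 777 case).
# Octal -002 is used because it is accepted by GNU, BSD and busybox find.
world_writable_dirs() {
    find "$1" -type d -perm -002 | sort
}

# Files under $1 whose names mark them as code or Apache per-directory
# config rather than images. Extend the list for your PHP handler setup.
script_like_files() {
    find "$1" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.php[3-7]' \
        -o -name '*.phar' -o -name '.htaccess' -o -name '.htpasswd' \) | sort
}

# Intersection: script-like files whose parent directory is world-writable.
# These are the findings to look at first, because anything that can write
# there (a broken upload handler included) could have created them.
triage() {
    script_like_files "$1" | while IFS= read -r f; do
        d=$(dirname "$f")
        # "find DIR -prune -perm -002" prints DIR only when DIR itself is o+w
        if [ -n "$(find "$d" -prune -perm -002)" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Number of triage findings, as a value a cron job can alert on.
triage_count() {
    triage "$1" | wc -l | tr -d ' '
}

# Stand-alone demo on the constructed tree.
demo() {
    root=$(make_sample_tree) || return 1
    echo "world-writable directories under $root:"
    world_writable_dirs "$root"
    echo "script-like files in world-writable directories:"
    triage "$root"
    echo "findings: $(triage_count "$root")"
    rm -rf "$root"
}
demo
```

On a real server, follow the findings with the FTP and web access logs for the minute in question, as suggested earlier in the thread: a POST to the upload script at that time from one client is the pattern to look for, but the script above only locates candidates, it does not prove how they arrived.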

TheLastMohican November 7th, 2007 02:42 PM

And this is still a problem, got exactly the same issue this evening.

Part of the installation manual says:

Now create a directory on your web server for PhotoPost. The directory needs to be accessible via the web. FTP PhotoPost's directories and files from your local machine to your server. The directory structure on your server should be as follows:

photopost
    images (chmod 755)
    uploads (chmod 777)
    help (chmod 755)
    data (chmod 777)
    1 (chmod 777 - including subdirectories)
    2 (chmod 777 - including subdirectories)
    500 (chmod 777 - including subdirectories)
    languages (chmod 755) (a
    stylesheets (chmod 777)
    templates (chmod 777)
    forums (chmod 755)

So my question now is, if I set data and uploads to 755, will I then not be able to upload anything to the photo gallery?

What can I do to prevent the photo gallery from being hacked?

I use PhotoPost 562
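The layout quoted above needs uploads and data writable by the web-server process, so dropping them to 755 while another account owns them will indeed stop uploads; the usual fix is to make the web-server user the owner and keep 755. Writable does not have to mean executable, though. The following Apache configuration is an added hardening example, not text from the PhotoPost manual: it disables PHP execution inside the writable tree from the main server config, with AllowOverride None so that an .htaccess dropped into the directory (as reported earlier in this thread) is ignored. The path /var/www/photopost and the use of mod_php are assumptions; the Require directive is Apache 2.4 syntax, with the 2.2 equivalent noted in a comment.

```apache
# Added hardening example (not from the PhotoPost manual).
# Assumptions: gallery installed at /var/www/photopost, PHP via mod_php.
# Place this in httpd.conf or the vhost file, never in an .htaccess, so a
# file written into the upload tree cannot override it.
<DirectoryMatch "^/var/www/photopost/(uploads|data)/">
    # Ignore any .htaccess / .htpasswd dropped into the writable tree.
    AllowOverride None

    # mod_php only: refuse to run PHP here even if a .php file appears.
    php_admin_flag engine off

    # Detach PHP handlers and types for these extensions so the files are
    # treated as static content under any other PHP wiring as well.
    RemoveHandler .php .phtml .php3 .php4 .php5 .php7 .phar
    RemoveType    .php .phtml .php3 .php4 .php5 .php7 .phar
    SetHandler default-handler

    # Do not even serve such files back to the browser.
    <FilesMatch "\.(php|phtml|php[3-7]|phar)$|^\.ht">
        Require all denied
        # Apache 2.2 equivalent:
        #   Order deny,allow
        #   Deny from all
    </FilesMatch>
</DirectoryMatch>
```

With this in place a file like commands.php in the data tree is inert: Apache will neither execute nor serve it, and the .htaccess beside it is never read. It does not fix whatever let the files be written in the first place, so the upload script itself still needs to validate what it accepts.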

TheLastMohican November 10th, 2007 05:02 AM

No answer from any support people or developers here?

Can PhotoPost work if data, uploads and templates are not set to 777? I would like to have an answer, thanks.

Ramses November 10th, 2007 05:06 AM

Maybe there's no response because you're in the wrong forum category; this one is for vbGallery.



Powered by vBulletin® Version 3.8.1
Copyright ©2000 - 2013, Jelsoft Enterprises Ltd.