Security hole found in Sximo
Hello, I just want to share this bad info with you.
I just found out that the core has a bad security hole, all related to file upload.
In fact, Upload Avatar / File Manager are not protected modules.
People can upload PHP files and execute them without restriction.
I will look into fixing it, or will disable it on my reloaded demo/git version,
but you can avoid this (temporary solution) by adding some lines to your apache.conf configuration file (thanks to a friend who told me how to do it).
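<Directory "/var/www/webs/web1/yourdomain/public/uploads">
    # Deny access to .php, .php3 and .phtml files in the uploads directory
    <FilesMatch "(?i)\.(php|php3?|phtml)$">
        # Apache 2.2 syntax; on 2.4 it needs mod_access_compat (native form: Require all denied)
        Order Deny,Allow
        Deny from All
    </FilesMatch>
</Directory>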
Reload/restart your Apache; it will be a temporary solution for your script for now.
Hope it helps.
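An added example (not part of the original post and not Sximo code): the Apache rule above only blocks requests from now on, so this script audits an existing uploads directory for files matching the same FilesMatch pattern, and goes slightly beyond it by also flagging files whose first bytes contain a PHP open tag. The function names, the constructed sample files and the 4096-byte read size are assumptions made for the illustration.

```python
import os
import re
import tempfile

# Same pattern as the FilesMatch rule in the post (case-insensitive).
BLOCKED = re.compile(r"\.(php|php3?|phtml)$", re.IGNORECASE)
PHP_OPEN_TAG = b"<?php"

def audit_uploads(root):
    """Return sorted (relative_path, reason) findings for files under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if BLOCKED.search(name):
                findings.append((rel, "blocked-extension"))
                continue
            # The rule only looks at names, so also inspect the start of other files.
            try:
                with open(full, "rb") as fh:
                    head = fh.read(4096)
            except OSError:
                findings.append((rel, "unreadable"))
                continue
            if PHP_OPEN_TAG in head.lower():
                findings.append((rel, "php-open-tag"))
    return sorted(findings)

def demo():
    """Build a constructed uploads tree in a temp dir and audit it."""
    samples = {
        "avatar.png": b"\x89PNG\r\n\x1a\n constructed image bytes",
        "notes.txt": b"plain text, constructed",
        "upload1.PHP": b"<?php /* constructed sample */ ?>",
        os.path.join("docs", "page.phtml"): b"<html></html>",
        os.path.join("docs", "photo.jpg"): b"\xff\xd8 <?PHP /* constructed */ ?>",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        return audit_uploads(root)

if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason:18} {rel}")
```

To check a real installation, call `audit_uploads()` with the path used in the `<Directory>` block and review every finding by hand before deleting anything.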