MemHT Portal is a Free PHP CMS and Blog
It permits the creation and online management of websites in a few easy steps.
It's completely customizable, expandable and suitable for all needs.
Small fix: 4.0.1
Date 28/01/2009 15:17  Author mem  Hits 6067  Language Global
This is a small but important fix.

It disables avatar upload in the user's profile and gallery submission. That's not nice, but it's a serious problem.

Instructions: Upload files
File: DOWNLOAD
doulis
Why is it a serious problem to upload members' avatars??? And where do they upload them?
28
Jan
mem
Because someone discovered a security flaw, and if you don't fix it, you'll get hacked. It's your choice.
28
Jan
star1
And when are you going to fix it???? When can we upload avatars again??
28
Jan
star1
lol, and how about me? I'm using Paulo's MOD for USER PAGE??
28
Jan
Mid7
star1, that's the same.
28
Jan
mem
I'm not responsible for mods, ask the author or uninstall the mod. When will you be able to upload avatars again? In the next release.
28
Jan
Star1
I know that isn't your responsibility, but plz can u edit it for me! Clear the code (delete the avatar uploading)
cuz I'm a noob in PHP, plz plz!
Plz so much! It's urgent!

This is the "LASTS MoD"; the User Page file is there!
http://www.2shared.com/file/4745454/7defe5fe/index.html
28
Jan
Turan
If you want to keep the upload function, add the following .htaccess file to the upload directories:

Options -Indexes
Options -ExecCGI
AddHandler cgi-script .php .php3 .php4 .phtml .pl .py .jsp .asp .htm .shtml .sh .cgi

<Files ^(*.jpeg|*.jpg|*.png|*.gif)>
order deny,allow
deny from all
</Files>
28
Jan
mem
Not everyone has .htaccess support, unfortunately; it's not a universal fix
28
Jan
delmoon.com
Is this necessary for those who have 4.0.0?
28
Jan
PierreL
Hello Mem !

Does this patch have to do with a "root kit" embedded in a .jpg, like c99shell? Two attempts via avatar since this morning on my site...

Pierre
28
Jan
mem
@delmoon
First, updating to the latest version is always necessary... second, yes, the bug affects several old versions

@PierreL
Yes
28
Jan
PierreL
Thanks mem for your answer.

Only for my personal use (cause I know it's always better to apply the last security patch...): is it possible to only disable avatar and file upload to keep safe?

Pierre
28
Jan
mem
The only problems are avatar upload and (probably) gallery image submission.
28
Jan
PierreL
Many thanks, mem !

That does the trick for me...

PierreL
28
Jan
amerilao
New patch got error. pages/users/index.php
Line: 905 after member login. How can I solve this?
Thanks mem
28
Jan
wizzywig
Thank you mem, I don't use the user system, but anyhow thanks for helping those who do and protecting their sites for them
29
Jan
Damian
mem, I get the following errors:
[code]
Notice
Errno: 8
File: /home/hosting/d/damian/www/pages/users/index.php
Line: 905
Function: login
Note: Undefined variable: page
Notice
Errno: 8
File: /home/hosting/d/damian/www/pages/users/index.php
Line: 905
Function: login
Note: Undefined variable: page
[/code]
I don't use mod rewrite (if that's how it's spelled)
29
Jan
mem
I didn't even touch that function. Are you sure you have MemHT 4.0.1 and not an earlier version?
29
Jan
mem
Amerilao, which error? "I don't like you"? "I'm too sexy"? :)
This error should appear if you have MemHT 4.0.0 or earlier, and not 4.0.1
29
Jan
doulis
mem... if I upload the fixed file, will I lose all user profiles??? This is so important for me to know before making the change!!! I have over 50 users with fully completed profiles... if I lose the profiles again I will die!!! :)
29
Jan
Dikkie
This new patch gives one error.
I have MemHT version 4.0.1 installed

Notice
Errno: 8
File: ..../pages/users/index.php
Line: 905
Function: login
Note: Undefined variable: page
How can I solve this?
thanks mem
29
Jan
mem
Find function login() { global... and add $page to the global variables

@doulis
Data is stored in the database, not in files
29
Jan
Dick
Now it works :)
thank you mem
29
Jan
sanchez
Hi
My website was hacked yesterday.

My webhost suspended my account and banned me until I explain it is a MemHT issue, not me phishing.

This really ****s but I am happy memHT has quickly offered FIX download.
30
Jan
freaky
My website got hacked the day you released the fix ^^...
Very BAD!! He hacked my index.php file ^^ (not that bad)
The worst part was that he sent 100'000 mails via my portal to I don't know where... now my server IP is listed as spam :)

But thx for the fix :)
03
Feb
mem
freaky, the fix is there; if you don't install it I can't do anything
03
Feb
freaky
My site got hacked on 27.1.09 (night) and the fix came out on 28.1.09 :)..
I always update :) most important thing to do..
03
Feb
Damian
mem, but what does the security problem consist of? I mean, what could they do if someone doesn't have the fix?
10
Feb
mem
Upload whatever files they want to your FTP, for example
10
Feb
Damian
ok, thanks mem
10
Feb
Damian
mem, is it possible to get the unfixed page, so that I can add a check on the file type while still letting users upload their own avatar? Thanks
(if I manage the fix, I'll send you the page fixed by me)
25
Feb
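A file-type check of the kind asked about in the comment above, as an added example that is not MemHT code and not from any participant in this thread. It assumes PHP 7 or later with the GD extension; `store_avatar()` and both limits are hypothetical names and values.

```php
<?php
// Added example, not MemHT code; store_avatar() and both limits are hypothetical.
const AVATAR_MAX_BYTES = 262144; // assumed upload limit (256 KiB)
const AVATAR_MAX_SIDE  = 512;    // assumed maximum width/height in pixels

// Returns the stored file name, or null when the upload is rejected.
// In a request handler, call is_uploaded_file($tmpPath) before this.
function store_avatar(string $tmpPath, string $destDir): ?string
{
    // Check the size first so oversized input is never parsed.
    $size = @filesize($tmpPath);
    if ($size === false || $size === 0 || $size > AVATAR_MAX_BYTES) {
        return null;
    }
    // Decide by content, never by the client-supplied name or MIME type.
    $info = @getimagesize($tmpPath);
    $allowed = [IMAGETYPE_JPEG, IMAGETYPE_PNG, IMAGETYPE_GIF];
    if ($info === false || !in_array($info[2], $allowed, true)) {
        return null;
    }
    if ($info[0] > AVATAR_MAX_SIDE || $info[1] > AVATAR_MAX_SIDE) {
        return null;
    }
    // A file can start like an image and still carry script text, so decode
    // the pixels and write a new image instead of copying the uploaded bytes.
    $img = @imagecreatefromstring((string) file_get_contents($tmpPath));
    if ($img === false) {
        return null;
    }
    // Server-generated name, fixed extension: no client input in the path.
    $name = bin2hex(random_bytes(16)) . '.png';
    return imagepng($img, rtrim($destDir, '/') . '/' . $name) ? $name : null;
}

// Constructed sample: JPEG magic bytes followed by PHP text, as in a
// script disguised as a .jpg avatar.
$sample = tempnam(sys_get_temp_dir(), 'av');
file_put_contents($sample, "\xFF\xD8\xFF\xE0" . '<?php echo 1; ?>');
var_dump(store_avatar($sample, sys_get_temp_dir()));
unlink($sample);
```

Re-encoding narrows what can survive in the stored file; the upload directory should still be configured so that nothing in it is executed as a script.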
mem
I'm abroad and I don't have a copy of the unfixed file, sorry
26
Feb
tom_rahman
Do I just upload the pages to the root?
04
Apr
mem
Yes
04
Apr
sarmast
where shd I put some different avatars so users would be able to use those avatars???
07
Apr
mem
images/avatar/
07
Apr
sarmast
Turan: If you want to keep the upload function, add the following .htaccess file to the upload directories:

Options -Indexes
Options -ExecCGI
AddHandler cgi-script .php .php3 .php4 .phtml .pl .py .jsp .asp .htm .shtml .sh .cgi

<Files ^(*.jpeg|*.jpg|*.png|*.gif)>
order deny,allow
deny from all
</Files>
..........
mem: Not everyone has .htaccess support, unfortunately; it's not a universal fix...
..........

Mem, mostly I ask questions not only for myself but keeping in mind that many ppl may think the same .. if someone has .htaccess support, are the old files, I mean MemHT 4.0.1, usable without the fix and with the .htaccess file defined above??? Or is it still necessary to use this fix .. see, many ppl want to use their own avatars, that's why I'm asking ..
07
Apr
mem
The vulnerability exists on few PHP versions... so the script is "generally" safe. If you use the .htaccess fix, your site SHOULD be safe, but I cannot guarantee it because it depends on the server configuration.
08
Apr
sarmast
Mem, I used Turan's .htaccess; images uploaded to the upload folder don't appear, and when I delete the .htaccess they start to appear in the user profile .. so can u modify it or do u have any other solution for it??? plz ..
12
Apr
mem
You have the fix; I'm not working on anything else, I'm not working on anything at all right now.
12
Apr
sarmast
Yiiks ... :) what happened mate .. ??? seems angry .. is that so???? :-/ the fix doesn't allow users to choose their own avatar, mem :) ... that's why saying so .. :)
12
Apr
mem
I have no time to create an alternative script in this period.

PS: I'm not angry :)
13
Apr
strader
mem, a little problem here with the 4.0.1 version: my user registration is unable to register users, it says "Access Denied" "You do not have the authorization to access this page!" Can you help me with this? Thank you in advance
20
Apr
mem
Set rank = guest in admin > system > addons > users
20
Apr
strader
fixed...
a million thanks to you mem, you're the man
22
Apr
strader
how can a user upload an avatar to their account?
22
Apr
mem
They can't for now
22
Apr
LuisF1
Thanks for all your support mem
07
Aug
Jose
Well, so in the end, is this problem important or not?
01
Feb
MemHT Portal is a free software released under the GNU/GPL License by Miltenovik Manojlo