1 dehein2 Sep 15, 2005 17:58
3 dehein2 Sep 15, 2005 18:20
No, it's only 50 KB.
BTW, can I change the max. file size?
4 kweb Sep 15, 2005 18:40
You can change it in conf/_admin.php:
$fileupload_maxk = '96'; // in kilo bytes
5 dehein2 Sep 15, 2005 18:47
OK, thanks - but there's still the big problem left :)
6 kweb Sep 16, 2005 16:47
Did you make sure the non-admin user is set to the appropriate level? When a user is created, they start at level 0, but you have to be set to at least level 1 to upload images.
7 jibberjab Sep 17, 2005 07:25
This question is sort of related to the original post... The "media" folder has to be CHMOD 777. Doesn't this create a potential security problem, since the directory is world writeable/executable?
jj.
8 mr__cherry Dec 30, 2005 00:37
jibberjab wrote:
This question is sort of related to the original post... The "media" folder has to be CHMOD 777. Doesn't this create a potential security problem, since the directory is world writeable/executable?
jj.
Apparently it does.
An Iranian hacker deleted my friend's /media directory and left this message:
http://markmaynard.com/media/hack.html
I've got him running around trying to reconstruct his media directory.
9 blueyed Dec 30, 2005 19:53
CHMOD 777 makes the folder world writable, but the hacker would need access/login to the server. You cannot delete folder contents through HTTP (browser).
Mr. Cherry, have you taken a look at your server logs to reconstruct how this happened? There might be a security hole with your(?) server.
10 blueyed Dec 30, 2005 20:52
Mr. Cherry,
there are _a lot_ of defacements for the same server IP..
http://www.zone-h.org/en/defacements/filter/filter_ip=67.19.127.66/
I'll also drop the webhosters a note.
So probably the defacer had an account on this server and attacked sites where folders were world-writable.
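The scenario blueyed describes above (another account on the same shared host writing into, or wiping, a world-writable folder) is easy to audit for. The script below is an added example and is not code from the b2evolution project or from anyone in this thread; it assumes GNU find/chmod/stat on Linux, and the web root it builds under mktemp is constructed for illustration. It lists every directory under a web root that "other" can write to, and shows the two realistic remedies: 0755 when PHP runs as the directory owner (suexec, FastCGI or a php-fpm pool user), or the sticky bit (1777) as damage limitation when the host leaves no alternative to 777, since the sticky bit stops other local users deleting or renaming files they do not own.

```shell
#!/bin/sh
# Added example, not code from the b2evolution thread or project.
# Audits a web root for directories writable by "other" (the 0777 media
# folder the thread discusses) and tightens them. Assumes GNU find/chmod/stat
# (Linux); the demo web root under mktemp is constructed for illustration.

# List every directory under $1 that any local user could write to.
find_world_writable_dirs() {
    find "$1" -type d -perm -o+w | sort
}

# Number of such directories (0 means nothing for a shared-host neighbour
# to drop a web shell into or wipe).
count_world_writable_dirs() {
    find_world_writable_dirs "$1" | wc -l | tr -d ' '
}

# Octal mode of a path, e.g. 777 or 1777 (GNU stat).
mode_of() {
    stat -c '%a' "$1"
}

# Preferred fix: when PHP runs as the directory owner (suexec, FastCGI,
# php-fpm pool user), 0755 lets uploads work with no write bit for "other".
harden_dir_owner_writable() {
    chmod 0755 "$1"
}

# Fallback when the host leaves you no choice but world-writable: the sticky
# bit (1777) stops other local users deleting or renaming files they do not
# own, which is exactly the damage described in the thread. They can still
# create files there, so this is damage limitation, not a real fix.
harden_dir_sticky() {
    chmod 1777 "$1"
}

# Constructed demo tree mimicking a b2evolution install with a 0777 media dir.
make_demo_webroot() {
    root=$(mktemp -d)
    mkdir -p "$root/media" "$root/conf" "$root/skins"
    printf 'jpeg bytes' > "$root/media/photo.jpg"
    chmod 0777 "$root/media"
    chmod 0755 "$root/conf" "$root/skins"
    printf '%s\n' "$root"
}

# Demo: audit, apply the fallback, then the real fix, re-audit.
demo_root=$(make_demo_webroot)
echo "world-writable before:"
find_world_writable_dirs "$demo_root"
harden_dir_sticky "$demo_root/media"
echo "media after sticky bit: mode $(mode_of "$demo_root/media")"
harden_dir_owner_writable "$demo_root/media"
echo "world-writable dirs left: $(count_world_writable_dirs "$demo_root")"
rm -rf "$demo_root"
```

Run it against a real install as `find_world_writable_dirs /path/to/htdocs` after sourcing the file; anything it prints is reachable by every other login on the box, whether or not the web application itself has a bug.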
11 mr__cherry Dec 30, 2005 20:52
blueyed wrote:
CHMOD 777 makes the folder world writable, but the hacker would need access/login to the server. You cannot delete folder contents through HTTP (browser).
Mr. Cherry, have you taken a look at your server logs to reconstruct how this happened? There might be a security hole with your(?) server.
I'm still looking into this. I had a discussion with my server admin and he suggested it might be some software we're running on the site. I've kept up with the few security updates so I'm not convinced this happened through b2evo but it may have.
Unfortunately I don't have access to the server logs.
I did look at other defacements by the same hacker and it looks like he's going through phpwebhosting accounts like crazy. This leads me to believe there's a security problem there.
I'm still trying to piece this together.
12 blueyed Dec 30, 2005 21:50
Without server logs this may be impossible / difficult to puzzle together on your side. I've dropped them a note, as said, and you should probably also try contacting them.
13 mr__cherry Dec 30, 2005 23:44
OK, I found that I missed the 8/31 security patch. The dates on the patched files are July 5th.
Jul 5 14:41 _functions_xmlrpc.php
Jul 5 14:41 _functions_xmlrpcs.php
:oops:
14 blueyed Dec 30, 2005 23:55
It's not certain though that he broke in through this... I don't even know what these xmlrpc security issues were really about.
15 mr__cherry Dec 31, 2005 07:57
blueyed's right, there's nothing showing that they got in through this xmlrpc hole.
16 soul_blade Mar 14, 2006 05:05
I have added $fileupload_maxk = '2048'; in _admin.php
but the maximum allowed file size is still 96 KB.
I'm using b2evo v1.6-Alpha.
17 blueyed Mar 14, 2006 18:58
Phoenix does not care about this setting in /conf/ (apart from when upgrading). See Settings/Files in the backoffice instead.
Did you make sure the file is not larger than the maximum size allowed? I believe the default is 96KB.