
Re: Sourceforge compromised?


> Could someone from sourceforge.net comment? What else is compromised on
> the server?
> 
> Can just anyone post anything to any directory or are there specific
> directories that can be hacked?
> 
> Is it just yapig.sourceforge.net?


If you look here:

  http://yapig.sourceforge.net/


You'll see the following list of vulns recently fixed in this image
gallery project:

...
* Vulnerability: Cross site scripting on add comment form (#1230491)
* Vulnerability: Save plain text login information in cookies (#1230491)
* Vulnerability: Arbitrary directory removal on upload.php (#1230491)
* Vulnerability: Extension checks on upload.php (#1230491)
* Vulnerability: Arbitrary file Inclusion global.php and last_gallery.php (#1230491)
* Vulnerability: Cross-site Scripting (#1230491)
* Vulnerability: Information disclosure in phid argument of view.php and slideshow.php (#1230491)
...


Yeah, so their demo site is compromised through one of these, or another
yet to be published.  Have you tried to let the project owner know?


> Either case, I should suggest everyone be careful about what you
> download from sourceforge till they do a full code audit and post the
> results here.

I would hope that sourceforge has decent cross-project segmentation by
now...

tim


PS- next time you start a new thread on lists, could you avoid
responding to messages on completely different threads?  I realize that
some mail clients still don't support the interpretation of threading
headers, but many of ours do.

