The risk is real, my own server was compromised yesterday. http://news.softpedia.com/news/Unpatched-OpenX-Vulnerability-Exploited-to-Compromise-Multiple-Ad-Servers-156402.shtml
I am in the process of creating an updated port, should file a pr soon, but it should be marked as forbidden until then.

On Thu, 2010-09-16 at 19:19 +0400, Ruslan Mahmatkhanov wrote:
> 16.09.2010 17:59, Dan Langille wrote:
> >
> > On Thu, September 16, 2010 1:09 am, Ruslan Mahmatkhanov wrote:
> >> 16.09.2010 05:45, Dan Langille wrote:
> >>> This came in last night: http://blog.openx.org/09/security-update/
> >>>
> >>> Port needs to be upgraded to 2.8.8 and a vuln entry created.... Sorry,
> >>> bags not me.
> >>>
> >>
> >> Until the update comes out, users can apply this workaround:
> >>
> >> echo "RemoveType .php"> www/images/.htaccess
> >
> > Do you have a reference for this fix? A URL we can refer people to?
>
> Not really, but I read there (originally in Russian):
>
> http://translate.google.com/translate?js=n&prev=_t&hl=ru&ie=UTF-8&layout=2&eotf=0&sl=ru&tl=en&u=http%3A%2F%2Fwww.opennet.ru%2Fopennews%2Fart.shtml%3Fnum%3D27971
>
> that the vulnerable plugin allows an attacker to upload a php-file into the
> images dir and that disabling handling of php in that directory via
> RemoveHandler or RemoveType successfully closes the bug.
> _______________________________________________
freebsd-ports@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"
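A defender-side check for the workaround quoted in this thread, as an added example that is not part of the original messages: it reports whether a directory's `.htaccess` carries a `RemoveType` or `RemoveHandler` line for `.php`, and whether any PHP files are already sitting in that directory. The function name `audit_images_dir` and its return codes are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit an image upload directory for the .htaccess workaround.
# audit_images_dir and its return codes are hypothetical names for this example.
#
# audit_images_dir DIR
#   returns 0  workaround present, no PHP files found
#           1  workaround missing from DIR/.htaccess
#           2  PHP files present under DIR (takes precedence over 1)
#           3  DIR is not a directory
audit_images_dir() {
    dir=$1
    result=0

    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 3
    fi

    # The workaround is a RemoveType or RemoveHandler line that names .php.
    # A missing .htaccess makes grep fail, which is reported as MISSING.
    if grep -Eiq '^[[:space:]]*Remove(Type|Handler)[[:space:]].*\.php([[:space:]]|$)' \
            "$dir/.htaccess" 2>/dev/null; then
        echo "OK: PHP handling disabled in $dir/.htaccess"
    else
        echo "MISSING: no RemoveType/RemoveHandler for .php in $dir/.htaccess"
        result=1
    fi

    # A PHP file in a directory meant for images needs manual review,
    # whether or not the workaround is now in place.
    found=$(find "$dir" -type f -iname '*.php*' 2>/dev/null)
    if [ -n "$found" ]; then
        echo "SUSPECT: PHP files present under $dir:"
        echo "$found"
        result=2
    fi

    return $result
}
```

The `.htaccess` line only has an effect where Apache's `AllowOverride` for that directory includes `FileInfo`.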