It was only three weeks ago that I made the previous release of the PHP edition of mega upload. It had to be followed up by another release today because 1.44 is not as secure as it should be.

As a downloader named Dimitry pointed out, the 1.4x branch passes the list of file names as part of the query string. It does not make use of the internal post as the 1.3x branch does. This unfortunately makes it possible for a malicious user to pass in bogus pathnames that could result in files being overwritten, or that would allow the user to make a copy of important files on the server.

It should also be noted that the 1.4x branch readme file clearly states: MEGA UPLOAD 1.4x IS EXPERIMENTAL PLEASE DON'T USE IT ON PRODUCTION SITES USE 1.35 INSTEAD. 1.35 IS STABLE.

Well, the issue has been addressed, and in doing so another improvement has been made which makes it possible to handle a larger collection of files than the previous version. The reference here is not to file sizes but to the number of files handled in a single upload.

Finally, always remember that megaupload is just a progress bar for file uploads, nothing else. You need to treat files uploaded with megaupload with the same level of distrust that you would ordinary file uploads.
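
One way to check a file name that arrives from the client before it is used in a path, as an added example that is not megaupload's own code and not the fix shipped in this release. The function name, the upload directory and the sample names are constructed for illustration.

```php
<?php
// Added example (not megaupload code). resolve_upload_name() and the demo
// directory are hypothetical names chosen for this illustration.

/**
 * Map a client-supplied file name to a path inside $baseDir.
 * Returns null when the name is anything other than a plain file name
 * that stays inside that directory.
 */
function resolve_upload_name(string $baseDir, string $name): ?string
{
    // Allow-list: letters, digits, dot, dash, underscore; must start with
    // a letter or digit. This excludes "/", "\", NUL bytes, "..", and dotfiles.
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,127}\z/', $name)) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null; // upload directory itself is missing
    }
    $candidate = $base . DIRECTORY_SEPARATOR . $name;

    // If the target already exists, resolve symlinks and confirm it is a
    // regular file that still lives under the upload directory.
    $real = realpath($candidate);
    if ($real !== false) {
        $prefix = $base . DIRECTORY_SEPARATOR;
        if (strncmp($real, $prefix, strlen($prefix)) !== 0 || !is_file($real)) {
            return null;
        }
        return $real;
    }
    return $candidate; // new file, name already constrained by the allow-list
}

// Constructed sample input: one ordinary name and several bogus pathnames.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'upload_demo_' . getmypid();
if (!is_dir($dir)) {
    mkdir($dir, 0700);
}
$samples = ['report.pdf', '../../etc/passwd', '/etc/passwd',
            '..\\config.php', ".htaccess", "photo.jpg\0.php"];
foreach ($samples as $n) {
    $verdict = resolve_upload_name($dir, $n) === null ? 'rejected' : 'accepted';
    printf("%-28s %s\n", json_encode($n), $verdict);
}
rmdir($dir);
```

Only `report.pdf` is accepted; every name that carries a directory component, a leading dot or a NUL byte is rejected before it reaches any file operation.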
