Index: uploader.php
===================================================================
--- uploader.php	(revision 6549)
+++ uploader.php	(working copy)
@@ -16,7 +16,7 @@
   if(!file_exists($uploaddir)) 
   {
     echo "directory ".$uploaddir." doesn't exist, creating... "; 
-    if(mkdir($uploaddir)) { echo "directory created.<br> \n"; chmod($uploaddir,0777); }
+    if(mkdir($uploaddir)) { echo "directory created.<br> \n"; chmod($uploaddir,0755); }
     else { echo "error creating directory.<br \n"; }
   }
   else
@@ -25,12 +25,21 @@
   }
   $uploadfile = $uploaddir . basename($_FILES['userfile']['name']);
 
+$info = pathinfo($uploadfile);
+$ext = strtolower($info['extension']);
+
+	if (!in_array($ext, array('txt','all','jpeg','png','gif','wav','mp3','avi'))){
+		echo "Forbidden file format";
+		die();
+	}
+
+
   if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
       echo $uploadfile." is valid, and was successfully uploaded.<br>\n";
   } else {
       echo "Possible file upload attack on ".$uploadfile."<br>\n";
   }
-  chmod($uploadfile,0777);
+  chmod($uploadfile,0644);
   echo "uploaded file to ".$uploaddir."<br>\n";
   print "<pre>\n";
   print_r($_FILES);