
Author Topic: Important security issue 1.4.4  (Read 6307 times)


thejake420

  • Contributor
  • Coppermine regular visitor
Important security issue 1.4.4
« on: March 27, 2006, 10:43:38 am »

Couldn't post to the appropriate forum, and couldn't find the tracker...?

I'm updated to 1.4.4 (actually 1.4.3, with the manual edits as instructed since I wanted to patch the issue before the 1.4.4 version was released.)

I don't want to post the contents of the "bad" file for obvious reasons, but a user was able to upload a file that granted them access to my server. I fixed the issue manually, but it's a potentially nasty one that appears to be able to give the user direct and basically unrestricted access to my server.

Uploaded file: image.php.rar (which I obviously deleted)

Checked my server just in case, and it's a good thing because I found .index.php in the userpics (note the dot before the filename).

Admin - Please contact me directly for a copy of the offending PHP file so that you can decide how best to deal with this.


My email is: thejake420
-------------------------------------
at the domain: dvdhelp.us


Jake

Nibbler

  • Guest
Re: Important security issue 1.4.4
« Reply #1 on: March 27, 2006, 01:45:06 pm »

Please search the board for previous discussions on this issue.

thejake420

Re: Important security issue 1.4.4
« Reply #2 on: March 28, 2006, 12:56:53 am »

Quote: "Please search the board for previous discussions on this issue."

I did, and received 0 results for .index.php or image.php.rar (the offending files), keywords which I would imagine would be included in a discussion of an issue relating to these files. Do you have a link please?

I had already applied the hotfix, but was obviously still NOT safe from the vulnerability, hence the reason I saw fit to report it here, as there is clearly another way for this vulnerability to be exploited.


Jake

Joachim Müller

  • Dev Team member
  • Coppermine addict

thejake420

Re: Important security issue 1.4.4
« Reply #4 on: March 28, 2006, 08:46:00 am »

Thank you. That was extremely helpful. (I did try searching... a lot. I just didn't find the threads above.)

Be aware that the hotfix did not completely dodge the vulnerability. (I have, of course, updated to 1.4.4 and added the appropriate .htaccess file, as well as sent a message explaining this server vulnerability to my host.)


Jake

Joachim Müller

Re: Important security issue 1.4.4
« Reply #5 on: March 28, 2006, 09:47:02 am »

Updating to cpg1.4.4 doesn't fix this issue, nor does putting a .htaccess file. To fix this, do as suggested on the threads I referred to and disallow the upload of .rar files in Coppermine's config.
As suggested, this is not a Coppermine issue, but a webserver vulnerability - fiddling with Coppermine only cures the symptoms, but not the cause.
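An added example, not part of the thread or of Coppermine's code: a Python audit that flags the two filename patterns reported above (image.php.rar and .index.php) in an upload directory. It assumes a web server that may run a file as PHP when .php appears anywhere in its name; SCRIPT_EXTS, the function names and the sample paths are constructed for illustration.

```python
import os
import tempfile

# Assumed list of extensions the server maps to PHP; match it to your own config.
SCRIPT_EXTS = {"php", "php3", "php4", "php5", "phtml"}


def suspicious_reason(filename):
    """Return why an uploaded filename is risky, or None if nothing matches."""
    name = os.path.basename(filename)
    hidden = name.startswith(".")
    # Every dot-separated part after the base name counts as an extension.
    exts = [e.lower() for e in name.lstrip(".").split(".")[1:]]
    hits = [i for i, e in enumerate(exts) if e in SCRIPT_EXTS]
    if not hits:
        return None
    if hidden:
        return "hidden script file"
    if hits[-1] < len(exts) - 1:
        return "script extension before ." + exts[-1]
    return "script file"


def scan_uploads(root):
    """Walk an upload tree and return sorted (relative path, reason) pairs."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            reason = suspicious_reason(f)
            if reason:
                rel = os.path.relpath(os.path.join(dirpath, f), root)
                findings.append((rel, reason))
    return sorted(findings)


def demo():
    """Scan a throwaway tree built from constructed sample names."""
    samples = ["userpics/10001/holiday.jpg", "userpics/10001/image.php.rar",
               "userpics/.index.php", "userpics/.htaccess"]
    with tempfile.TemporaryDirectory() as root:
        for rel in samples:
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
        return scan_uploads(root)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

The same `suspicious_reason` check can be applied to a filename at upload time, before the file is written, rather than only as an after-the-fact audit.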