In the past few weeks, there have been a lot of users complaining that their Coppermine-driven gallery has been hacked by the "rar exploit". Although this issue is not a Coppermine problem but a webserver vulnerability, there are ways to work around it. We decided to post this as reference for users who have fallen victim to the exploit and for those who are afraid of the hack:
What the hack/exploit does:
The attacker uses the upload mechanisms of Coppermine (or any other web app that allows uploads) to upload a file named "somename.php.rar" to your webspace. The file is a plain-text file that contains PHP code that usually does malicious things (attack patterns vary from sending spam emails, defacing the site, creating additional backdoors etc., depending on the PHP code). After the upload, the file resides somewhere on your webserver and can be accessed by URI (something like http://yourdomain.tld/your_coppermine_folder/albums/userpics/10XXX/somename.php.rar). Usually, a file with the extension ".rar" is not supposed to be parsed by the PHP interpreter on your webserver - it should just be a file that the webserver returns for download when accessed. Webservers that are not configured properly ignore the actual extension ".rar" and treat the file as if its name were only "somename.php". Consequently, they parse the file with the PHP interpreter and execute the (malicious) code contained in it.
Why the exploit is not a Coppermine issue:
Developers have to rely on certain assumptions, one of them being that files with certain extensions get treated by the webserver in a certain way. Files with the extension ".rar" must not be parsed by PHP. Webservers that fail to honour this are not set up properly - period.
How can I find out if my webserver is vulnerable?
Create a plain-text file with this content:
<?php print 'Oops, my webserver is vulnerable'; ?>
Name it test.php.rar, upload it to your webserver (by Coppermine methods or by FTP) and run it in your browser by entering the URL of the file you uploaded into the browser's address bar. If the resulting page shows the message
Oops, my webserver is vulnerable
then you really should be alarmed. If it returns garbled text, the PHP source code, or just asks you to download the file, then your webserver is probably configured OK and you're not vulnerable.
What can I do to prevent the exploit from being run on my server?
Go to your Coppermine gallery, log in as admin, and go to Coppermine's config. The field "Allowed document types" is the place you're supposed to edit (as suggested in the docs): empty the field, or explicitly specify the extensions that are allowed (e.g. "doc"). There mustn't be "ALL" in the field, as this includes the extension "rar". Please understand that this is a workaround we have come up with to help users close a security hole that exists on their server (I repeat: not in Coppermine).
If your webserver is vulnerable, contact your webhost immediately and demand that they fix the vulnerability. Don't accept answers that claim Coppermine was to blame - it isn't, but your webserver is!
My webserver is affected and there appears to be a suspicious/malicious file, what should I do now?
1) Make a backup of all your files on the webserver and your database for forensic reasons
2) Delete the malicious file from the webserver
3) Scan your webserver for other suspicious files and possible subsequent backdoors and delete them
4) Go to Coppermine's config and apply the changes suggested above to stop further hacks
5) Contact your webhost, tell them what happened and demand that they fix their webserver. If they refuse or blame Coppermine as the culprit, you're welcome to refer to this thread. Ask them for help to scan your webserver for malicious files. Ask them to review the server logs.
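The following is an added example, not part of the original post or of Coppermine itself. It models the "multiple extension" behaviour described above (a simplified assumption about how an Apache AddHandler-style PHP binding matches names, versus a fix that only looks at the final extension), and implements the scan from step 3 over an upload folder: it flags files whose name carries a PHP extension anywhere in the chain and files whose content carries a PHP open tag regardless of extension. The sample tree in demo_scan() is constructed for the demonstration.

```python
import os
import re
import tempfile
from pathlib import Path

# Extension components that a mod_php AddHandler/AddType line typically binds to PHP.
PHP_EXTS = {"php", "php3", "php4", "php5", "phtml"}
# PHP open tag; searched in every file, because a renamed text file or an
# image with a comment block can carry it just as well as a plain .php file.
PHP_OPEN_TAG = re.compile(rb"<\?php\b", re.IGNORECASE)


def apache_treats_as_php(filename: str, final_extension_only: bool = False) -> bool:
    """Simplified model (assumption): with a plain AddHandler any extension
    component can trigger PHP, so 'x.php.rar' is executed; with a
    <FilesMatch "\\.php$"> style fix only the last component counts."""
    parts = filename.lower().split(".")[1:]          # drop the base name
    candidates = parts[-1:] if final_extension_only else parts
    return any(p in PHP_EXTS for p in candidates)


def classify(path: Path) -> list[str]:
    """Reasons an uploaded file matches the pattern from the post (may be empty)."""
    reasons = []
    if apache_treats_as_php(path.name):
        reasons.append("php-extension-in-name")
    try:
        if PHP_OPEN_TAG.search(path.read_bytes()[:65536]):
            reasons.append("php-open-tag-in-content")
    except OSError:
        pass                                         # unreadable file: skip content check
    return reasons


def scan_uploads(root: str) -> list[tuple[str, list[str]]]:
    """Walk an upload tree (e.g. albums/userpics) and return suspicious files."""
    findings, root_path = [], Path(root)
    for dirpath, _dirs, files in os.walk(root_path):
        for name in sorted(files):
            path = Path(dirpath, name)
            if reasons := classify(path):
                findings.append((path.relative_to(root_path).as_posix(), reasons))
    return findings


def demo_scan() -> list[tuple[str, list[str]]]:
    """Constructed sample tree mirroring the post's scenario; not real data."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp, "userpics", "10001")
        d.mkdir(parents=True)
        (d / "somename.php.rar").write_text("<?php print 'Oops, my webserver is vulnerable'; ?>")
        (d / "holiday.jpg").write_bytes(b"\xff\xd8\xff\xe0JFIF just image bytes")
        (d / "notes.txt").write_text("<?php echo 'renamed script'; ?>")
        (d / "readme.doc").write_text("plain document, harmless")
        return scan_uploads(tmp)
```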
I repeat: this is NOT a Coppermine vulnerability, but a webserver issue! Please don't clutter this thread with individual support requests, asking for help on cleaning your webserver if it has been hacked. You're allowed to discuss the vulnerability itself on this thread and the impact on Coppermine only. Invalid replies to this thread will be removed without further notice.
Related threads:
Possibly related hacks:
There might be similar issues on your webserver that allow not only ".rar" files to be parsed as PHP, but other file types as well (e.g. ".gz"). To be safe, only allow uploads of files that you're definitely sure are handled correctly by your webserver.