Topic: [Announcement]: Security vulnerabilities for CPGNUKE discovered

Joachim Müller

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 47843
  • aka "GauGau"
    • gaugau.de

Various security vulnerabilities have been discovered in the Coppermine port for postNuke/phpNuke (aka "cpgnuke" or "cpg for cms").
These vulnerabilities use other nuke exploits to gain access to admin rights and can then be used to compromise the attacked web server. They only affect Coppermine for phpNuke/postNuke! Users of the standalone versions (and/or standalone bridged with bbs) are not affected.
Users of the affected versions should go to http://www.nukephotogallery.com/modules.php?name=Forums and look for fixes there - they'll be posted as soon as they're available.

GauGau
« Last Edit: April 14, 2006, 10:24:58 am by GauGau »

sammyd28

  • Coppermine newbie
  • Offline Offline
  • Posts: 7
« Reply #1 on: May 01, 2004, 05:45:33 pm »

What is the easiest way to tell which version you have?

Casper

  • VIP
  • Coppermine addict
  • ***
  • Country: 00
  • Offline Offline
  • Gender: Male
  • Posts: 5231
« Reply #2 on: May 01, 2004, 05:49:18 pm »

In config, it is at the top of the page.

If you are not running a cms, you should be running a standalone version.

Joachim Müller

« Reply #3 on: May 01, 2004, 05:51:33 pm »

Well, if you're using phpNuke or postNuke, you should know that you're using it, as you will have had to set up nuke before setting up Coppermine. If you have never heard about "nuke" stuff, you're using the standalone version. When visiting Coppermine config, you should see which version number you are using, but since the vulnerabilities only apply to nuke versions, your standalone version number doesn't matter.

GauGau

sammyd28

« Reply #4 on: May 02, 2004, 07:28:12 am »

So then: Coppermine Photo Gallery 1.2.1 is the standalone version and I should just relax, right?

Tarique Sani

  • VIP
  • Coppermine addict
  • ***
  • Offline Offline
  • Gender: Male
  • Posts: 2712
    • http://tariquesani.net
« Reply #5 on: May 02, 2004, 09:27:54 am »

Right, CPG standalone (non-CMS version) users can relax on this one...

CPG for CMS / Nuke users take a look here http://cpgnuke.com/index.php?name=Forums&file=viewtopic&t=341

gtroll

  • VIP
  • Coppermine addict
  • ***
  • Offline Offline
  • Posts: 618
    • CPG-Nuke
« Reply #6 on: May 03, 2004, 11:31:23 pm »

Coppermine Photo Gallery 1.2.1 could be Coppermine for CMS, but you would probably know if it was a nuke install. Check and see if you have a file called mainfile.php in your home directory; if so, it's nuke.

charlottezweb

  • Coppermine newbie
  • Offline Offline
  • Posts: 6
    • Charlottezweb.com
« Reply #7 on: June 04, 2004, 03:51:13 am »

I apologize if this has been answered elsewhere, but I'm assuming this has nothing to do with a coppermine/YaBBSE integration?  If not, is there a known issue with that?  I've apparently had a weird issue tonight.

(I'll search the boards now, that might be smarter)  :)

Regards,
Jason

hyperion

  • VIP
  • Coppermine addict
  • ***
  • Offline Offline
  • Posts: 1317
  • - retired -
« Reply #8 on: June 04, 2004, 04:18:41 am »

No, this does not have anything to do with YABBSE.
« Last Edit: June 04, 2004, 04:27:03 am by hyperion »

Joachim Müller

« Reply #9 on: June 04, 2004, 07:51:03 am »

...although there have been security issues with YaBB SE in the past - you're strongly recommended to apply all security fixes provided for YaBB SE and upgrade to the latest stable version of it (1.5.5), or even upgrade to smf.

GauGau

charlottezweb

« Reply #10 on: June 04, 2004, 02:42:24 pm »

> ...although there have been security issues with YaBB SE in the past - you're strongly recommended to apply all security fixes provided for YaBB SE and upgrade to the latest stable version of it (1.5.5), or even upgrade to smf.
>
> GauGau

Oh, I know.  I've been installing it for years, but I don't think the problem was with YSE.  The site was on the latest 1.5.5 patch but it had an old version of a coppermine integration mod that was apparently compromised last night and I see that it's not even supported anymore on your forums.  So it looks like my SMF migration schedule for that particular site has been moved forward by a hell of a lot :)  I'm gonna try the latest coppermine integration that Jack (and yourself I'm assuming) ported tomorrow and hopefully save my gallery and all of its posts.

Thanks for your help,
Jason