Coppermine-driven galleries hit by RAR exploit

Joachim Müller:
In the past few weeks, there have been a lot of users complaining that their coppermine-driven gallery has been hacked by the "rar exploit". Although this issue is not related to Coppermine, but to a webserver vulnerability, there are methods to circumvent the vulnerability. We decided to post this as reference for users who have fallen victim to the exploit and for those who are afraid of the hack:

What the hack/exploit does:
The attacker uses the upload mechanisms of Coppermine (or any other web app that allows uploads) to upload a file named "somename.php.rar" to your webspace. The file is a plain-text file that contains PHP code that usually does malicious things (attack patterns vary from sending spam emails, defacing the site, creating additional backdoors etc., depending on the PHP code). After the upload, the file resides somewhere on your webserver and can be accessed by URI (something like http://yourdomain.tld/your_coppermine_folder/albums/userpics/10XXX/somename.php.rar). Usually, a file with the extension ".rar" is not supposed to be parsed by the PHP interpreter on your webserver - it should just be a file that the webserver returns for download when accessed. Webservers that are not patched properly ignore the actual extension ".rar" and treat the file as if the name were only "somename.php". Subsequently, they parse the file with the PHP interpreter and execute the (malicious) code contained in it.

Why the exploit is not a Coppermine issue:
Developers have to rely on certain parameters, one of them being that files with certain extensions get treated by the webserver in a certain way. Files with the extension ".rar" must not be parsed by PHP. Webservers that fail to do so are not set up properly - period.

How can I find out if my webserver is vulnerable?
Create a plain-text file with this content:
--- Code: ---<?php print 'Oops, my webserver is vulnerable'; ?>
--- End code ---
Name it test.php.rar, upload it to your webserver (by Coppermine methods or by FTP) and run it in your browser by entering the URL of the file you uploaded into the browser's address bar. If the subsequent page shows the message
--- Quote ---Oops, my webserver is vulnerable
--- End quote ---
then you really should be alarmed. If it returns garbled text, the PHP source code or just asks you to download the file, then your webserver probably is configured OK and you're not vulnerable.

What can I do to prevent the exploit from being run on my server?
Go to your Coppermine gallery, log in as admin, go to coppermine's config. The field "Allowed document types" is the place you're supposed to edit (as suggested in the docs): empty the field, or explicitly specify the extensions that are allowed (e.g. "doc"). There mustn't be "ALL" in the field, as this includes the extension "rar". Please understand that this is a workaround we have come up with to help users close a security hole that exists on their server (I repeat: not in Coppermine).
If your webserver is vulnerable, contact your webhost immediately and demand that they fix the vulnerability. Don't accept answers that claim Coppermine was to blame - it isn't, but your webserver is!

My webserver is affected and there appears to be a suspicious/malicious file, what should I do now?
1) Make a backup of all your files on the webserver and your database for forensic reasons
2) Delete the malicious file from the webserver
3) Scan your webserver for other suspicious files and possible subsequent backdoors and delete them
4) Go to coppermine's config and apply the suggested changes as suggested above as a method to stop further hacks
5) Contact your webhost, tell them what happened and demand that they fix their webserver. If they refuse or blame Coppermine to be the culprit, you're welcome to refer to this thread. Ask them for help to scan your webserver for malicious files. Ask them to review the server logs

I repeat: this is NOT a Coppermine vulnerability, but a webserver issue! Please don't clutter this thread with individual support requests, asking for help on cleaning your webserver if it has been hacked. You're allowed to discuss the vulnerability itself on this thread and the impact on Coppermine only. Invalid replies to this thread will be removed without further notice.

Related threads:

* 1.4.5, still hit by rar exploit
* hackers (?) creating ads
* My Coppermine Site Sent out Spamming Email. How?
* Important security issue 1.4.4
* Upload vulnerability through .rar extension for improper webserver setups
* upload.php exploit
* Prenting File Types

Possibly related hacks:
There might be similar issues on your webserver that allow not only ".rar" files to be parsed as PHP, but other file types as well (e.g. ".gz"). To be safe, only allow uploads of files that you're definitely sure to be handled correctly by your webserver.
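
Step 3 of the clean-up list above ("scan your webserver for other suspicious files") can be partly automated. The following is an added example, not Coppermine code: it walks an upload directory and reports every file whose name contains a script extension followed by another dot (the "somename.php.rar" pattern), which is exactly what an unpatched webserver would hand to the PHP interpreter. The directory default and the list of script extensions are assumptions made for this example; adjust them to your installation.

```php
<?php
// Added example (not part of Coppermine): report upload files whose name
// carries a script extension in a non-final position, e.g. "somename.php.rar"
// or "test.php.jpg". Such names are what the ".rar exploit" relies on.
//
// Assumptions for this example:
//   - the directory to scan is given as the first CLI argument, defaulting to
//     the Coppermine user-picture folder "albums/userpics";
//   - the script extensions below are a constructed list of names commonly
//     mapped to the PHP handler; extend it to match your server's config.

function findDoubleExtensionScripts(
    string $dir,
    array $scriptExts = ['php', 'php3', 'php4', 'php5', 'phtml']
): array {
    if (!is_dir($dir)) {
        throw new InvalidArgumentException("Not a directory: $dir");
    }
    // Matches ".php." (case-insensitive) anywhere in the filename, which is
    // the only condition needed: a trailing ".rar", ".gz" or ".lala" after it
    // makes no difference to a server that matches extensions this way.
    $quoted  = array_map(fn(string $e): string => preg_quote($e, '/'), $scriptExts);
    $pattern = '/\.(' . implode('|', $quoted) . ')\./i';

    $found = [];
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iterator as $file) {
        /** @var SplFileInfo $file */
        if ($file->isFile() && preg_match($pattern, $file->getFilename())) {
            $found[] = $file->getPathname();
        }
    }
    sort($found);
    return $found;
}

$dir  = $argv[1] ?? 'albums/userpics';
$hits = findDoubleExtensionScripts($dir);

if ($hits === []) {
    echo "No double-extension script names found under $dir\n";
} else {
    // Back up before deleting (step 1 of the list above), then remove.
    echo "Suspicious files (back up, then review and delete):\n";
    foreach ($hits as $path) {
        echo "  $path\n";
    }
}
```

Run it as `php scan.php /path/to/coppermine/albums/userpics`. A hit is a strong indicator but not proof of compromise, so keep the forensic backup from step 1 before removing anything; a clean result only covers this one naming pattern and does not replace the host's review of the server logs.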

solarian:
This is actually a "feature" of Apache, so that any file with ".php" somewhere in the filename will be interpreted by PHP, unless there is an earlier match to a different mime-type.  Any unmapped mime-type will cause this problem, not just .rar files.  If anyone knows a way to configure Apache differently, I'd like to know too.  I understand there is a patch for one version of Apache if one uses AddHandler instead of AddType, but quite frankly there's no use blaming it on poor server configuration -- it's written into Apache.

You say "Developers have to rely on certain parameters, one of them being that files with certain extensions get treated by the webserver in a certain way."  Well, you can rely on Apache interpreting the filename "xxx.php.yyyyy" as a PHP file, so whether you like it or not this is a Coppermine security hole -- i.e., if anyone uses Apache and Coppermine with standard installation defaults they will automatically be vulnerable.  It is rather annoying to be told to "patch" Apache to get Coppermine to work safely when it would be quite simple to prevent this problem by writing a couple of lines into Coppermine to sanitize all but the final "." as an underscore.  You can solve this problem.  Please do so.

Joachim Müller:
The Apache feature you refer to is imo badly implemented - there's no way to turn this silly behaviour off, although many other things can be configured in apache. The issue is also misdocumented.
However, as people will of course blame Coppermine to be the culprit for anything that has been uploaded using Coppermine's upload mechanisms, we (the Coppermine dev team) decided to fix the issue within the app by sanitizing the filename: we added a check to the function that does file renaming on upload to replace all dots in a filename (except the last one) with an underscore. We have packaged a maintenance release that includes some other minor fixes as well; see details in the thread Maintenance release CPG1.4.6 protects against Apache's .rar vulnerability (contains hotfix instructions as well).
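
The sanitization described in this post, written out as an added example (this is not the Coppermine project's own code): every dot except the one before the final extension becomes an underscore, so "somename.php.rar" is stored as "somename_php.rar" and a server that matches on every extension segment never sees ".php". It is paired with the allow-list check from the first post ("Allowed document types") as a second layer. The function names and the sample allow-list are assumptions made for this example.

```php
<?php
// Added example (not Coppermine code): filename sanitization at upload time.
// Keeps only the final extension and turns every other dot into an underscore,
// so no ".php" segment can survive in front of whatever extension the
// uploader chose (".rar", ".gz", ".lala" or anything else unmapped).

function sanitizeUploadName(string $name): string
{
    // Drop any directory component a client may have sent along.
    $name = basename($name);

    $lastDot = strrpos($name, '.');
    if ($lastDot === false || $lastDot === 0) {
        // No extension, or a dotfile such as ".htaccess": neutralise every dot.
        $name = str_replace('.', '_', $name);
        return preg_replace('/[^A-Za-z0-9_\-]/', '_', $name);
    }

    $base = substr($name, 0, $lastDot);
    $ext  = substr($name, $lastDot + 1);

    // All dots before the final extension become underscores.
    $base = str_replace('.', '_', $base);
    // Restrict both parts to a conservative character set so the stored name
    // cannot carry separators, spaces or control characters.
    $base = preg_replace('/[^A-Za-z0-9_\-]/', '_', $base);
    $ext  = preg_replace('/[^A-Za-z0-9]/', '', strtolower($ext));

    return $base . '.' . $ext;
}

// Second layer: the extension allow-list, equivalent to a non-"ALL" value in
// Coppermine's "Allowed document types" field. Applied to the sanitized name.
function isAllowedExtension(string $name, array $allowed): bool
{
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return $ext !== '' && in_array($ext, $allowed, true);
}

// Constructed sample names covering the cases discussed in this thread.
$allowed = ['jpg', 'gif', 'png', 'doc'];
$samples = [
    'somename.php.rar',   // the reported exploit name
    'test.php.lala',      // unknown trailing extension, same problem
    'photo.JPG',          // ordinary upload, extension normalised
    'archive.tar.gz',     // legitimate double extension is flattened
    '.htaccess',          // dotfile
    '../evil.php.jpg',    // path component is stripped
];
foreach ($samples as $original) {
    $clean = sanitizeUploadName($original);
    printf(
        "%-18s -> %-18s allowed: %s\n",
        $original,
        $clean,
        isAllowedExtension($clean, $allowed) ? 'yes' : 'no'
    );
}
```

Expected behaviour: "somename.php.rar" becomes "somename_php.rar", "test.php.lala" becomes "test_php.lala", "archive.tar.gz" becomes "archive_tar.gz" and "../evil.php.jpg" becomes "evil_php.jpg". The trade-off is that legitimate multi-part extensions such as ".tar.gz" are flattened too; for a gallery that only accepts images and documents this is acceptable, and the allow-list still rejects the rewritten ".rar" and ".lala" names.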

solarian:
Yes, I agree that this is odd behaviour in Apache, and is apparently only really useful if serving documents in multiple languages.  However, the practical applications of such a feature are, IMHO, probably close to nil, since that sort of thing can more easily be done in other ways.  I understand IIS doesn't have the same twist.

Thanks for implementing a fix for this -- it just remains for all the programmers who've written upload utilities & who were unaware of this (which included myself) to check their own scripts.  I have a feeling there are probably dozens of web-apps which are vulnerable to this Apache "feature".

I notice that this problem isn't even mentioned in the Apress Pro PHP Security 2005 book.

hds:

--- Quote from: GauGau on May 19, 2006, 09:39:47 pm ---The Apache feature you refer to is imo badly implemented - there's no way to turn this silly behaviour off, although many other things can be configured in apache.

--- End quote ---
Well, it works as explained here:
http://forum.coppermine-gallery.net/index.php?PHPSESSID=7771f88e18e83ec1e3a7778f20877b0f&topic=22806.0
by Tarique Sani:
AddType application/rar .rar

However, I also added
AddType application/arj .arj

because this was not defined in my mime types either.

However, unfortunately any unknown filetype will work as well, for example a file called "test.php.lala" ;(
