Print

[Theli]

Hi just checked the visitor log on my website and the login page of my gallery was accessed 17462 times during one hour (compared to the normal 150). Wich has led me to believe that someone is using a program like Accessdiver to find the login and password. And this is not the first time it's happened.

The question is, is there a threat to the security of my site?
Has this happened to anyone else here?

[Joachim Müller]

I don't know of any special vulnerability of coppermine related to logins (although it'd be a nice feature for a future version of coppermine to allow only X failed logins within Y seconds). You should check that you have a strong password (8 characters, letters and numbers, some capitalized, no dictionary word, no names, no keyboard pattern). A good idea to come up with a strong password that's easy to remember, but hard to break is memorizing a sentence that makes sense for you and use the first letters of each word.

Example: the sentence

I absolutely love Mashed Potatoes with 3 Beers

would result in the password

IalMPw3B

GauGau

[Theli]

I don't think my login/password is that obscure, it includes a spinoff of my name and the password is a dictionaryword (uncommon, but still).

Can I change the password without re-installing the entire gallery?

[Casper]

You can change your coppermine password.  there are a couple of ways to do it.  As you cannot edit your own details in the usermgr, I find the easiest way is to create a new admin user for yourself, log on as that user, then edit your original user details.

Or you could do it using your database tool.

You can edit your database password using your db tool, but you then have to edit your include/config.inc.php on the server, to your new password.

[Theli]

Ok, I've created a new user in the Administrator group with a more cryptic username and password (no actual words).
Can I delete the original administrator (being logged in as the new) without causing problems?

[Theli]

A few smaller attempts has been made to hack into my gallery with a total of 30000 visits. I've changed the login (made it longer and less comprehensible) aswell as the password (alot longer).

Have you heard on anyone successfully managed to get the password to a coppermine gallery through this kind of hacking?

[Theli]

It swallowed alot of bandwith, so I deleted "login.php". I'm always logged in anyway...

[Casper]

So how are your members going to log i?  :?

[Theli]

I have no members...  :wink:

Here's my gallery, BTW.
http://gallery.theli.net
I've been using the coppermine gallery for a few months now, and it beats the hell out of uploading over FTP and setting up HTML based galleries.

[LiX]

This could also be an attempt to eat your bandwidth...

[DJMaze]

I made some code to use in PHP-Nuke to get around this problem.
If someone has time he could modify it to use in the standalone Coppermine, and place in the end of the init.inc file.

If i have the time i can do, but that could take about 4 weeks.

Code: [Select]

if ($_SERVER["REQUEST_METHOD"] == "POST") {
    if (!ereg("(http://$_SERVER[HTTP_HOST])", $_SERVER["HTTP_REFERER"])) {
        $errorpage = '<html><body><center><h1>ERROR</h1>';
        $the_error = "Someone with IP $_SERVER[REMOTE_ADDR]<br>"
                    ."tried to send information thru a POST from the following url: $_SERVER[HTTP_REFERER]<br>"
                    ."to the following page of yours: $_SERVER[REQUEST_URI]<br>";
        $the_error = $errorpage . "<form><textarea rows=\"8\" cols=\"60\">" . htmlspecialchars($the_error) . "</textarea></form></body></html>";
        if (is_admin($admin)) {
            die($the_error);
        } else if ($adminmail && $adminmail != '') {
            $subject = "POST Error on $sitename";
            $xheaders = "From: $sitename <" . $adminmail . ">\n";
            $xheaders .= "X-Sender: <" . $adminmail . ">\n";
            $xheaders .= "X-Mailer: Mozilla\n"; // mailer
            $xheaders .= "X-Priority: 1\n"; // Urgent message!
            $xheaders .= "Content-Type: text/html; charset=iso-8859-1\n"; // Mime type
            mail($adminmail, $subject, $the_error, $xheaders);
        }
        die('Posting from other server not allowed!');
    }
}

It would be even better to create a IP blocker sql table, and then compare the "user" IP to the SQL table if a compare is made the "user" will be blocked.