I've just used WinMerge to compare the cpg database backup I made on Saturday (pre-wipe & fresh install with a new DB etc.) to the one I made in October.
There were a few minor differences, which to my untrained eye did not look important; however, I did notice this at line 381 of the newer DB:
INSERT INTO `cpg1411_plugins` (`plugin_id`, `name`, `path`, `priority`) VALUES (1,'Sumple Plugin','/../../../../../../../../../../../../../home/<my webspace username>/public_html/<my cpg installation>/albums/userpics',0);
... which I recognise from my "Mystery php file".
So, although I know nothing about php or sql, it does look like this php file did access cpg's mysql database and inserted a reference to a "Sumple Plugin" apparently located within /albums/userpics.
Pity I wiped the lot when I did & didn't have a deeper look around first - would very much have liked to see just what this "plugin" was, if the file was actually there.
As I have never actually had plugins enabled on my cpg installation, would this "Sumple Plugin" have been able to do anything?
I suppose with malicious DB access plugins could actually have been enabled without me knowing though - how could I check that from my DB backup?
Also, just *how* would this breach have occurred in the first place?
Via the exploit in 1.4.19 which 1.4.20 patched?
Via permissions?
I did have /include, /albums, /albums/userpics and /albums/edit all set to 777, along with my own album folders within /albums - as that's what the documentation says, plus cpg actually refuses to install at all if they have their permissions set to anything other than 777.
However, on looking elsewhere since this happened, it sounds like having any folders set to 777 is actually a rather bad thing to have???!!!
When I reinstalled from fresh last night, I decided to have them set to 777 only temporarily:
- Once the installation was finished, I changed /include back to 755, as I don't see why any write permissions would still be needed once the config.inc.php file has been created.
- Once the installation was finished, I changed /albums/edit and /albums/userpics back to 755, as I have no users other than myself, and I only upload via FTP.
- Once I had used the cpg web admin interface to batch add my uploaded photos to Albums, I changed all my own album folders within /albums back to 755, as surely write permissions are no longer needed once the thumbnails & intermediate pictures have been created.
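Two of the questions above (how to check a DB backup for plugin rows that were inserted without your knowledge, and which directories are still world-writable after the install) can be answered with a small script run against the SQL dump and the gallery directory. The following is an added example, not code from this post or from Coppermine: it embeds a constructed two-row dump (one ordinary plugin row, one shaped like the quoted `Sumple Plugin` row with a `../` path), flags plugins-table rows whose path climbs out of the plugins directory, and lists every directory under a gallery root that is still mode o+w (777). The table prefix `cpg1411_`, the username `user` and the directory names are assumptions for the sample only.

```shell
#!/bin/sh
# Added example (not part of the forum post or of Coppermine): audit a cpg
# SQL dump for plugin rows pointing outside the plugins directory, and list
# world-writable directories under a gallery root.

# Constructed sample dump: one ordinary plugin row and one row of the kind
# quoted in the post (path using ../ to reach albums/userpics). The prefix,
# username and paths are made up for the sample.
write_sample_dump() {
  cat > "$1" <<'EOF'
INSERT INTO `cpg1411_plugins` (`plugin_id`, `name`, `path`, `priority`) VALUES (1,'sample_plugin','sample_plugin',0);
INSERT INTO `cpg1411_plugins` (`plugin_id`, `name`, `path`, `priority`) VALUES (2,'Sumple Plugin','/../../../../home/user/public_html/cpg/albums/userpics',0);
EOF
}

# suspicious_plugin_rows DUMP [PREFIX]
# Prints each INSERT into the <prefix>plugins table whose path contains "../".
# A legitimate plugin path is a bare directory name under plugins/, so any
# traversal component is worth a look. Returns 0 if at least one row matched.
suspicious_plugin_rows() {
  dump="$1"; prefix="${2:-cpg1411_}"
  grep "INSERT INTO \`${prefix}plugins\`" "$dump" | grep -F '../'
}

# suspicious_plugin_count DUMP [PREFIX]
# Number of rows flagged by suspicious_plugin_rows (0 when none).
suspicious_plugin_count() {
  suspicious_plugin_rows "$1" "${2:-cpg1411_}" | wc -l | tr -d ' '
}

# world_writable_dirs ROOT
# Lists directories under ROOT with the other-write bit set (e.g. 777).
world_writable_dirs() {
  find "$1" -type d -perm -0002
}

# Builds a toy gallery tree that mirrors the pre-reinstall layout described
# in the post: include/ and albums/userpics still at 777, the rest at 755.
make_sample_tree() {
  root="$1"
  mkdir -p "$root/include" "$root/albums/userpics" "$root/albums/edit"
  chmod 755 "$root" "$root/albums" "$root/albums/edit"
  chmod 777 "$root/include" "$root/albums/userpics"
}

# Stand-alone demonstration on the constructed inputs.
tmp=$(mktemp -d)
write_sample_dump "$tmp/backup.sql"
echo "Suspicious plugin rows: $(suspicious_plugin_count "$tmp/backup.sql")"
suspicious_plugin_rows "$tmp/backup.sql"
make_sample_tree "$tmp/gallery"
echo "World-writable directories:"
world_writable_dirs "$tmp/gallery"
rm -rf "$tmp"
```

Run it against a real backup with `suspicious_plugin_rows /path/to/backup.sql cpg1411_` (substituting your own table prefix) and against the live gallery with `world_writable_dirs /path/to/public_html/cpg`; an empty result from the first is what a clean `plugins` table looks like, and the second should list nothing once the post-install permissions have been tightened to 755.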