Advanced search  

News:

cpg1.5.48 Security release - upgrade mandatory!
The Coppermine development team is releasing a security update for Coppermine in order to counter a recently discovered vulnerability. It is important that all users who run version cpg1.5.46 or older update to this latest version as soon as possible.
[more]

Pages: [1]   Go Down

Author Topic: Coppermine 1.4.20 Exploit  (Read 5167 times)

0 Members and 1 Guest are viewing this topic.

Crazymodder

  • Coppermine frequent poster
  • ***
  • Offline Offline
  • Posts: 117
Coppermine 1.4.20 Exploit
« on: February 28, 2009, 12:24:38 am »

I have found a new Exploit for Coppermine 1.4.20. If some of the Developer would take a look
http://milw0rm.com/exploits/8114

Best Regards
Crazymodder
Logged

Fabricio Ferrero

  • Dev Team member
  • Coppermine addict
  • ****
  • Country: 00
  • Offline Offline
  • Gender: Male
  • Posts: 1996
  • From San Juan, Argentina, to the World!
    • http://fabricioferrero.com/
Re: Coppermine 1.4.20 Exploit
« Reply #1 on: February 28, 2009, 02:19:57 am »

The exploit is real. I just confirmed in CPG 1.4.20


@Crazymodder: Thanks for let us know, the CPG Dev Team is going to take care of this as soon as they read this post.
Logged
Read Docs and Search the Forum before posting. - Soporte en español
--*--
Fabricio Ferrero's Website

Catching up! :)

Joachim Müller

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 47843
  • aka "GauGau"
    • gaugau.de
Re: Coppermine 1.4.20 Exploit
« Reply #2 on: March 01, 2009, 08:47:41 pm »

The dev team is aware of milw0rm exploits #8114 & #8115. We're discussing a fix. If you want to close the potential whole right now, disallow visitors to use bbcode, i.e. disallow them to upload and comment.
Logged

Fabricio Ferrero

  • Dev Team member
  • Coppermine addict
  • ****
  • Country: 00
  • Offline Offline
  • Gender: Male
  • Posts: 1996
  • From San Juan, Argentina, to the World!
    • http://fabricioferrero.com/
Re: Coppermine 1.4.20 Exploit
« Reply #3 on: March 04, 2009, 01:34:08 pm »

Logged
Read Docs and Search the Forum before posting. - Soporte en español
--*--
Fabricio Ferrero's Website

Catching up! :)

Ludo

  • Contributor
  • Coppermine addict
  • ***
  • Offline Offline
  • Gender: Male
  • Posts: 706
    • E+GiElle
Re: Coppermine 1.4.20 Exploit
« Reply #4 on: March 06, 2009, 01:29:46 am »

Waiting for a better fix from the Dev Team, may I be safe from this exploit by just disabling comment and upload feature for guests and registered users? I have only one registered user (a member of this community :) ), applied captcha mod to registration page and request admin approval for new members
I used to apply every upgrade ASAP, but in my gallery I make large use of url bbcode tag in album descriptions and image captions: I figure that no BBCode can be placed if uploads and comments are disabled...am I wrong?
« Last Edit: March 06, 2009, 01:36:25 am by Ludo »
Logged

Joachim Müller

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 47843
  • aka "GauGau"
    • gaugau.de
Re: Coppermine 1.4.20 Exploit
« Reply #5 on: March 06, 2009, 08:30:03 am »

if you're the only one who can enter bbcode into form fields then you're safe, i.e. if you're running a monolithic gallery where the only user interaction comes from you (the admin). In that case (and only in that case) it's safe to undo the patch and allow the processing of the bbcode tags [ u r l ] and [ i m g ]
Locking thread to stop double discussion. As suggested in the announcement for cpg1.4.21, discussion should be lead on the upgrade sub-board.
Logged
Pages: [1]   Go Up
 

Page created in 0.019 seconds with 19 queries.