News:

cpg1.5.48 Security release - upgrade mandatory!
The Coppermine development team is releasing a security update for Coppermine in order to counter a recently discovered vulnerability. It is important that all users who run version cpg1.5.46 or older update to this latest version as soon as possible.


Author Topic: password hack ?  (Read 6113 times)


bean

  • Coppermine newbie
  • Posts: 7
password hack ?
« on: July 19, 2004, 11:39:03 am »

Hi
Just installed Coppermine, and just 2 days later someone mailed me my username and password for the admin login!?!?!?!
Is there a security risk in the script, or have I set something wrong? I need to find the security hole, or I have to find another gallery.
Can somebody help?
http://www.butts.dk/forum/files/thumbs/gallery/index.php
Logged

Tarique Sani

  • VIP
  • Coppermine addict
  • Gender: Male
  • Posts: 2712
    • http://tariquesani.net
Re: password hack ?
« Reply #1 on: July 19, 2004, 11:50:15 am »

1) Who was it - someone who knows you?
2) What other PHP programs are you running on your server - is any one of them vulnerable?
3) Yes, Coppermine stores usernames and passwords in the MySQL DB, but we are not currently aware of any Coppermine exploits which will reveal username/password.
« Last Edit: July 19, 2004, 11:55:21 am by Tarique Sani »
Logged
SANIsoft PHP applications for E Biz

Joachim Müller

  • Dev Team member
  • Coppermine addict
  • Gender: Male
  • Posts: 47843
  • aka "GauGau"
    • gaugau.de
Re: password hack ?
« Reply #2 on: July 19, 2004, 11:51:43 am »

There's no exploit for coppermine standalone as far as I know, but the hack could have come from other places as well: if an intruder manages to gain access to your database (e.g. if you have installed phpMyAdmin or similar and not password protected the whole phpMyAdmin folder), your website is broken, and all passwords are available for him. Another attack variant that is possible is the classic "man in the middle" or some trojan on your PC (keyboard logging). If your account data are trivial, a brute force attack might be plausible as well. Consult your webserver logs on this issue.
Since there are various places where the attacker might have succeeded in breaking into your webserver without coppermine core code necessarily being the culprit, it's hard to advise anything. Please provide more details on the email you received that contained your login data.

The fact that there are no known security holes in coppermine standalone doesn't mean that there actually are none, but it's very likely that other methods were used. I'm not trying to block your question by saying "that's impossible" - there could always be some hidden security flaw. Please post additional information.

GauGau
Logged
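The reply above recommends consulting the webserver logs for the possible causes it lists (a brute force attempt on the login, or, as it turns out later in the thread, somebody using the password reminder form). The following script is an added example, not code from the thread or from the Coppermine project: it parses Apache "combined" format access-log lines, lists every request to the password reminder script, and flags IPs that post to the login script in bursts. The log lines are constructed samples, and the script names `forgot_passwd.php` and `login.php` are assumed for illustration (pass the real names of your installation's scripts as arguments).

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample lines in Apache "combined" log format; not real traffic.
# 203.0.113.7 opens and submits the password reminder form, 198.51.100.9
# hammers the login form, 192.0.2.4 is an ordinary visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [19/Jul/2004:11:30:02 +0200] "GET /gallery/index.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.7 - - [19/Jul/2004:11:30:20 +0200] "GET /gallery/forgot_passwd.php HTTP/1.1" 200 2100 "-" "Mozilla/4.0"
203.0.113.7 - - [19/Jul/2004:11:30:41 +0200] "POST /gallery/forgot_passwd.php HTTP/1.1" 200 1800 "-" "Mozilla/4.0"
198.51.100.9 - - [19/Jul/2004:11:35:00 +0200] "POST /gallery/login.php HTTP/1.1" 200 900 "-" "curl/7.12"
198.51.100.9 - - [19/Jul/2004:11:35:01 +0200] "POST /gallery/login.php HTTP/1.1" 200 900 "-" "curl/7.12"
198.51.100.9 - - [19/Jul/2004:11:35:02 +0200] "POST /gallery/login.php HTTP/1.1" 200 900 "-" "curl/7.12"
198.51.100.9 - - [19/Jul/2004:11:35:03 +0200] "POST /gallery/login.php HTTP/1.1" 200 900 "-" "curl/7.12"
198.51.100.9 - - [19/Jul/2004:11:35:05 +0200] "POST /gallery/login.php HTTP/1.1" 200 900 "-" "curl/7.12"
198.51.100.9 - - [19/Jul/2004:11:35:07 +0200] "POST /gallery/login.php HTTP/1.1" 200 900 "-" "curl/7.12"
192.0.2.4 - - [19/Jul/2004:11:40:00 +0200] "POST /gallery/login.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"
192.0.2.4 - - [19/Jul/2004:11:40:05 +0200] "GET /gallery/thumbnails.php?album=3 HTTP/1.1" 200 7000 "-" "Mozilla/5.0"
192.0.2.4 - - [19/Jul/2004:12:10:00 +0200] "POST /gallery/login.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# Assumed script names; adjust to the actual file names of your installation.
REMINDER_SCRIPT = "forgot_passwd.php"
LOGIN_SCRIPT = "login.php"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m.group("ip"),
        "ts": ts,
        "method": m.group("method"),
        # Drop the query string so "login.php?x=y" still matches "login.php".
        "path": urlsplit(m.group("target")).path,
        "status": int(m.group("status")),
    }


def parse_log(text):
    """Parse all lines, silently skipping lines that are not access-log records."""
    return [rec for rec in (parse_line(l) for l in text.splitlines()) if rec]


def password_reminder_requests(records, script=REMINDER_SCRIPT):
    """Every request to the password reminder script: who asked, when, GET or POST."""
    return [
        {"ip": r["ip"], "ts": r["ts"].isoformat(), "method": r["method"]}
        for r in records
        if r["path"].endswith("/" + script)
    ]


def login_bursts(records, script=LOGIN_SCRIPT, window_seconds=60, threshold=5):
    """Map IP -> max number of login POSTs within any window_seconds window,
    for IPs that reach the threshold (a simple brute force indicator)."""
    by_ip = defaultdict(list)
    for r in records:
        if r["path"].endswith("/" + script) and r["method"] == "POST":
            by_ip[r["ip"]].append(r["ts"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            # Slide the window start forward until it spans at most window_seconds.
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for hit in password_reminder_requests(recs):
        print("password reminder:", hit)
    for ip, count in login_bursts(recs).items():
        print(f"login burst: {ip} made {count} login POSTs within 60s")
```

Run against a real log with `parse_log(open("access_log").read())`. A POST to the reminder script shortly before the mail arrived is the benign explanation this thread ends up with; a burst of login POSTs from one address is what the brute force hypothesis would look like.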

bean

  • Coppermine newbie
  • Posts: 7
Re: password hack ?
« Reply #3 on: July 19, 2004, 11:56:05 am »

LOL - my mistake! I think. I got the mail in German, so I didn't quite understand it. But it seems someone had tried to get the password by using the "Forgot your password" script and typed my admin name in the box. Then I got this mail about my password and I freaked out :-) I hope that was the case here.
Logged

Tarique Sani

  • VIP
  • Coppermine addict
  • Gender: Male
  • Posts: 2712
    • http://tariquesani.net
Re: password hack ?
« Reply #4 on: July 19, 2004, 11:59:39 am »

Most likely you are not using version 1.3.1 - that mail is supposed to be in the primary language of the site....
Logged
SANIsoft PHP applications for E Biz

bean

  • Coppermine newbie
  • Posts: 7
Re: password hack ?
« Reply #5 on: July 19, 2004, 12:04:48 pm »

Yep, I just tried to use the German language and use the "I forgot my password" script. I got the same mail as before from the gallery telling me my username and password. Phew, you have no idea how much that freaked me out - LOL  ;D
Logged

bean

  • Coppermine newbie
  • Posts: 7
Re: password hack ?
« Reply #6 on: July 19, 2004, 12:09:07 pm »

No, I'm using version 1.3 since it says it's the stable one. Is 1.3.1 just as stable?
Logged

Tarique Sani

  • VIP
  • Coppermine addict
  • Gender: Male
  • Posts: 2712
    • http://tariquesani.net
Re: password hack ?
« Reply #7 on: July 19, 2004, 12:16:25 pm »

Version 1.3.1 is supposed to be the latest stable release

@Moorey / Gaugau - we really need to update the website :)
Logged
SANIsoft PHP applications for E Biz

bean

  • Coppermine newbie
  • Posts: 7
Re: password hack ?
« Reply #8 on: July 19, 2004, 12:38:13 pm »

Ok thanks. Installed 1.3.1 now, but I still get another language in my mail when people are using another language. The board is set to English.
But not a big problem since I now know what to expect.
Logged

Joachim Müller

  • Dev Team member
  • Coppermine addict
  • ****
  • Gender: Male
  • Posts: 47843
  • aka "GauGau"
    • gaugau.de
Re: password hack ?
« Reply #9 on: July 19, 2004, 12:39:22 pm »

moorey doesn't react to my mailings - I filed a support request at sf.net, asking them to transfer ownership of the whole page to me. I will update it as soon as they react.

GauGau
Logged

omniscientdeveloper

  • VIP
  • Coppermine addict
  • Gender: Male
  • Posts: 901
Re: password hack ?
« Reply #10 on: July 26, 2004, 02:29:55 am »

This was a problem with ecards too, I think. I solved it by using the cpg_get_default_lang_var() function. This will return the language set in config, unless it's overridden like in the fallback file.


-omni
Logged