forum.coppermine-gallery.net
Support => cpg1.4.x Support => Older/other versions => cpg1.4 permissions => Topic started by: keith10456 on March 19, 2006, 12:52:49 am
-
Someone uploaded a file titled "img.php.rar".
I'm not exactly sure what they were trying to accomplish by doing this, but I would like to prevent files of this type from being uploaded. Kindly let me know how to prevent this.
-
http://forum.coppermine-gallery.net/index.php?topic=28079
-
Thanks!
-
I noticed in the latest version of the Gallery that there is a file titled "no ftp in this directory" or something of that nature. Should I place a copy of this file in all of my gallery directories?
-
No, it's just there to remind you.
-
I don't know how, but my gallery keeps getting hacked. Apparently someone is able to upload a ".userpics" folder into the gallery's directory. They then used it to send spam e-mails via the gallery.
Any ideas on how to prevent this? I suspect it had something to do with the rar file.
from /home/sitename/public_html/website/coppermine_dir/albums/userpics/.userpics 1141581PLNT
-
Disable the upload of rar files in coppermine and scan your webspace for leftover backdoors the attacker might have left there. To accomplish this, download all files from your webspace to your client and look for files that aren't meant to be there. Ask your webhost to fix the Apache vulnerability asap.
-
How do I prevent them from creating a "folder" in the directory - maybe it was uploaded (not sure)?
-
huh?
-
Attached is a zip of the directory that the person either uploaded to my directory or created with the .rar file. Hopefully you can use this to prevent things of this nature from happening again (a security patch).
-
This zip file contains the rar file and a ".index.php" file that I found they added.
-
Delete all of those files and change all your passwords.
-
Thanks for getting back to me... Big problem though.
In the "Files and thumbnails advanced settings", I have the following settings:
Allowed image types: jpg/bmp/tif/png/gif/jpeg
Allowed movie types: wmv/avi/mov
However, as a test, I created a text file with the file name "img.php.rar" - which is the same name as the file the hacker used - and was able to upload the file to the gallery (I wasn't logged in as an admin).
On another note, once you have a copy of the attachments I added to my previous posts, please delete them. We don't want the wrong people to get their hands on it.
-
Have you changed your allowed document types?
-
Yes... In my previous post (before this one) I listed what my settings are.
-
No, you changed the allowed image and movie types. You did not change the allowed document or audio types.
-
You're right!
What do I put to set it so no document types can be added?
-
Remove "ALL".
-
I got it... Leave it blank! I tested it and it blocked the file.
Thanks!
-
Any word on those files the hacker used (what the files were doing, how to block them from executing, etc.)?
-
Read the link I gave you earlier. That contains code to stop .rar files being treated as php scripts by apache.
-
Got it... Sent it to my host.
Many thanks!
-
Ask your webhost to fix his server - the attacker used a vulnerability that exists on Apache webserver setups that aren't hardened against such attacks. Regular servers aren't meant to parse files with the extension ".rar" with the PHP processor. Your server is configured improperly - it doesn't treat ".rar" files as document files, but parses PHP included in them. By not allowing the upload of .rar files using coppermine, you just keep future attackers from exploiting the server setup glitch. However, you haven't cured the webserver itself. The attacker might have used the security flaw to create backdoors on your server that allow him to enter later (even after having fixed everything), so it's mandatory to scan the server for those backdoors as suggested. It's mandatory as well that your webhost fixes the server setup vulnerability. Contact them asap, asking them to do as advised here. You're welcome to make your webhost visit this thread and the other one Nibbler referred to - they should know what to do then. I'm convinced they will, as the said vulnerability will not only have an impact on your domain, but on the accounts of other website owners who are hosted on the same server.
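-
One way to carry out the scan advised above on a downloaded copy of the gallery, as an added example that is not part of the original thread or of Coppermine's code: it flags hidden entries and names that carry a PHP extension anywhere in the chain, such as "img.php.rar" and ".index.php". The extension list, the function names and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile

# Assumption: extensions a server may hand to the PHP processor; adjust to your host.
SCRIPT_EXTS = {"php", "php3", "php4", "php5", "phtml"}

def classify(name):
    """Return the reasons a file or directory name deserves a manual look."""
    reasons = []
    if name.startswith("."):
        reasons.append("hidden")
    # Every dot-separated segment after the base name counts as an extension.
    exts = name.lstrip(".").lower().split(".")[1:]
    if exts and exts[-1] in SCRIPT_EXTS:
        reasons.append("script")
    elif any(ext in SCRIPT_EXTS for ext in exts[:-1]):
        # e.g. img.php.rar: passes as an archive, yet carries a PHP extension.
        reasons.append("script-ext-not-last")
    return reasons

def scan(root):
    """Walk root (hidden folders included) and return sorted (path, reasons)."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            reasons = classify(name)
            if reasons:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                findings.append((rel.replace(os.sep, "/"), reasons))
    return sorted(findings)

def build_sample(root):
    """Constructed sample tree reusing the names reported in the thread."""
    os.makedirs(os.path.join(root, "userpics", ".userpics"))
    for rel in ("userpics/photo.jpg", "userpics/img.php.rar",
                "userpics/.userpics/.index.php"):
        with open(os.path.join(root, *rel.split("/")), "w") as fh:
            fh.write("placeholder\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for path, reasons in scan(tmp):
            print(path, ",".join(reasons))
```

Scripts that legitimately ship in these directories are listed too, so compare the findings against a clean copy of the gallery package before deleting anything.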