Support => cpg1.4.x Support => Older/other versions => cpg1.4 upload => Topic started by: thejake420 on May 09, 2006, 06:51:31 am

Title: 1.4.5, still hit by rar exploit
Post by: thejake420 on May 09, 2006, 06:51:31 am
I am running 1.4.5, which supposedly patched the rar upload issue/exploit, but I've been hit with it. Again.

My host has long since known about the Apache access edit as per the earlier 1.4.4 threads, and I'm fairly certain they took care of it on their end. They issued mandatory upgrade emails to everyone, etc., so they obviously took it seriously...

I now have manual settings for allowed upload types (gif/jpg/jpeg), rather than ALL (which obviously doesn't protect). Fortunately, I'm very hands on, so I caught it in under a day.

1. Why did this happen if 1.4.5 patched the issue?

2. How can I absolutely, positively prevent it from happening again? (Aside from obviously not allowing "any" uploads)

3. Dev/Mod - I have the script saved. I'll PM or email it upon request (It's a bit different from the other ones I've encountered... this time it's masquerading as a style sheet)

Title: Re: 1.4.5, still hit by rar exploit
Post by: Joachim Müller on May 09, 2006, 08:00:25 am
Look: this is a webserver vulnerability issue that will affect all applications that have the capability to upload files to the server. It is not a coppermine issue, so there can't be a true fix in Coppermine's core code nor the config. Instead, the webserver needs fixing: your webhost is supposed to set up your webserver in a way that doesn't allow PHP files to pose as rar files - files having the rar extension are not supposed to be parsed by the PHP processor!
The form field "Allowed image types (" does not affect the capability of users to upload rar files, so there's little use in changing it from "ALL" to anything else. The field "Allowed document types (" is the place you're supposed to edit (as suggested in the docs): clear the field, or explicitly specify the extensions that are allowed (e.g. "doc"). Please understand that this is a workaround we have come up with to help users close a security hole that exists on their server (I repeat: not in Coppermine).
Imo your webhost is not very concerned about security issues if they send an email around that tells users to patch their apps against a vulnerability that shouldn't exist in the first place and that they have the duty to fix.
The reason for the release of cpg1.4.5 as a maintenance release that patches security issues is not the rar vulnerability, but the imei bug that allows a directory traversal attack.
Suggested solution: make sure that you have "Allowed document types" configured properly in Coppermine's config as a "first aid" measure. Then contact your webhost and demand that they patch their webserver properly.
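
An added example, written for this thread and not part of Coppermine or either poster's material: a small detection script a site admin can run over the upload directory to spot files like the one described above (a "style sheet" that actually carries PHP) and image files whose bytes do not match their extension. It is a first-aid check only; it does not replace the server-side fix Joachim describes (the webserver must hand only real PHP files to the PHP processor). The sample filenames and file contents in `SAMPLES` are constructed for the demo.

```python
import re
from pathlib import Path

# Extensions the original poster allows for image uploads, with the leading
# bytes a genuine file of that type must start with.
ALLOWED_IMAGE_MAGIC = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}
# Extensions that may legitimately appear in an upload directory but must
# never contain server-side code.
PASSIVE_EXTENSIONS = {".css", ".txt", ".rar", ".zip", ".doc"}
# Any PHP open tag (<?php or the short echo tag <?=) found in a non-PHP file.
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)
HEAD_BYTES = 64 * 1024  # only the first 64 KiB of each file is inspected


def classify(filename: str, data: bytes) -> list:
    """Return a list of findings for one uploaded file; [] means it looks clean."""
    findings = []
    ext = Path(filename).suffix.lower()
    head = data[:HEAD_BYTES]
    if ext in (".php", ".phtml", ".php3", ".php4", ".php5"):
        # Script files have no business in an image/document upload tree at all.
        findings.append("script-extension")
    elif PHP_OPEN_TAG.search(head):
        findings.append("php-code-in-non-php-file")
    if ext in ALLOWED_IMAGE_MAGIC:
        if not head.startswith(ALLOWED_IMAGE_MAGIC[ext]):
            findings.append("extension-magic-mismatch")
    elif ext not in PASSIVE_EXTENSIONS and ext not in (".php", ".phtml", ".php3", ".php4", ".php5"):
        findings.append("unexpected-extension")
    return findings


def scan_directory(root: str) -> dict:
    """Walk an upload tree (e.g. Coppermine's albums/ directory) and report
    every file with at least one finding, keyed by path relative to root."""
    base = Path(root)
    report = {}
    for path in base.rglob("*"):
        if path.is_file():
            with path.open("rb") as fh:
                hits = classify(path.name, fh.read(HEAD_BYTES))
            if hits:
                report[str(path.relative_to(base))] = hits
    return report


# Constructed sample uploads (not real files from the thread): two clean images,
# a clean archive, a CSS file carrying a PHP tag, and a "jpg" that is really PHP.
SAMPLES = {
    "beach.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "logo.gif": b"GIF89a" + b"\x01" * 16,
    "archive.rar": b"Rar!\x1a\x07\x00" + b"\x00" * 8,
    "style.css": b"body { color: red; }\n<?php /* constructed placeholder, not a payload */ ?>\n",
    "photo.jpg": b"<?php /* constructed placeholder, not a payload */ ?>\n",
}


def scan_samples() -> dict:
    """Run classify() over the constructed samples; returns only the flagged ones."""
    return {name: classify(name, data) for name, data in SAMPLES.items() if classify(name, data)}


if __name__ == "__main__":
    for name, hits in scan_samples().items():
        print(f"{name}: {', '.join(hits)}")
```

Run `scan_directory("/path/to/albums")` against the real upload tree; anything flagged `php-code-in-non-php-file` or `extension-magic-mismatch` is worth pulling for review, and the "Allowed document types" field should be tightened so that the passive extensions list matches what the gallery actually needs.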

Title: Re: 1.4.5, still hit by rar exploit
Post by: thejake420 on May 09, 2006, 10:59:01 pm
Thank you for the clarification. Host has had the issue re-explained more, um... loudly... this time, and it is being fixed.