forum.coppermine-gallery.net

No Support => General discussion (no support!) => Topic started by: kapou on June 18, 2006, 12:42:02 pm

Title: Security hole
Post by: kapou on June 18, 2006, 12:42:02 pm
Hi. I think there is a big security hole in your software. I received a fake PayPal e-mail linking to this url: http://www.numbernineteen.co.uk/Coppermine/sql/cgi-bin/update/paypalsignup/onlineid-sessionload/sessiondid=2335454893_Secured152388884&Update/index.htm
... This page is on the website of a coppermine user apparently and I don't think he is aware of what it is used for. If you can, you should try to inform him! jon.
Title: Re: Security hole
Post by: Stramm on June 18, 2006, 12:55:09 pm
This user's using an old version of coppermine (1.3.2)
If he upgrades his server software with the same carefulness as he does upgrade the coppermine software I'm sure there are some options for hackers uploading phishing sites. To hide that page deep in the directory structure is normal practice.

I've no clue at all how to whois a co.uk domain. So if someone could find out that guy's email addy and tell him about this phishing site (or his host) this'll be much appreciated.
Title: Re: Security hole
Post by: kapou on June 18, 2006, 12:58:47 pm
The British whois is at http://www.nic.uk/ but I'm afraid it's not very helpful, there is only the Registrant's agent name (http://www.123-reg.co.uk)
Title: Re: Security hole
Post by: Sami on June 18, 2006, 01:01:58 pm
He is using cpg 1.3.2 (an out of date version) and I think this is a dead gallery (not updated since August 2005).
Obviously they hacked it (the date of hack is 2006/06/07) and put cgi-bin there ...
Title: Re: Security hole
Post by: Vargha on June 18, 2006, 01:21:59 pm
I tried looking for his email address with a whois lookup but it does not show.
How about sending an email to his host service http://www.123-reg.co.uk/support/contact.pl and asking them to find his email, then you can send an email to him and tell him what's going on.
Title: Re: Security hole
Post by: Sami on June 18, 2006, 01:32:10 pm
123-reg.co.uk is a domain registrar, not hosting.
Here is some info about that site:
IP address:                     66.36.240.151
Reverse DNS:                    66-36-240-151.orbital.synhost.net.
Reverse DNS authenticity:       [Verified]
ASN:                            14361
ASN Name:                       HOPONE-DCA
IP range connectivity:          2
Registrar (per ASN):            ARIN
Country (per IP registrar):     US [United States]
Country Currency:               USD [United States Dollars]
Country IP Range:               66.36.192.0 to 66.36.255.255
The site is hosted in the US.
I keep searching to find his/her real hosting ;)
Title: Re: Security hole
Post by: Vargha on June 21, 2006, 04:52:49 pm
Don't worry about it, bmossavari.
His site has been suspended.