forum.coppermine-gallery.net

Support => cpg1.4.x Support => Older/other versions => cpg1.4 miscellaneous => Topic started by: xerofun on March 30, 2007, 09:31:01 pm

Title: [bug] File Inclusion and Command Execution (SA24019)
Post by: xerofun on March 30, 2007, 09:31:01 pm
Didn't find this one in the bugs board or by searching through the board. So if there's already a solution posted, sorry for the double post.

Checkout:
http://secunia.com/advisories/24019/

1) I fixed this by commenting out the "include($path)" in function cpg_get_custom_include in include/functions.inc.php because I'm sure I will never make use of this function. A definite solution might be to only allow including files within the cpg installation directory, or maybe even only within the themes directory? This means that the permissions of the cpg installation directory need to be set correctly, so that no local user can put any files into any of the directories.

2) Fixed this by replacing every ; with \; in $CONFIG['im_options'] every time it is used in include/imageObjectIM.class.php and include/picmgmt.inc.php (see attached patch).

Hope this helps.

In case there's already a fix, sorry. Just remove the posting. ;)
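The following PHP is an added example and is not part of the post above or of Coppermine's own code. It shows one way to implement the two hardenings the post sketches: confining cpg_get_custom_include to files under a chosen base directory (the install directory or just the themes directory), and neutralising every shell metacharacter in $CONFIG['im_options'] rather than only the semicolon. The function names cpg_get_custom_include_safe and cpg_build_convert_cmd, their parameters, and the argument order of the convert command are assumptions for illustration; they do not reproduce the real signatures in include/functions.inc.php or include/imageObjectIM.class.php.

```php
<?php
// Added example, not code from the post or from Coppermine itself.
// 1) confine the custom include to files under $base_dir;
// 2) stop $CONFIG['im_options'] from appending extra shell commands to the
//    ImageMagick command line.
// Function names, parameters and the convert argument order are assumptions.

// 1) Confined include. realpath() resolves "..", symlinks and relative parts,
//    so the prefix comparison cannot be fooled by "themes/../../../etc/passwd".
function cpg_get_custom_include_safe($path, $base_dir)
{
    $base = realpath($base_dir);
    $real = realpath($path);
    if ($base === false || $real === false) {
        return false;                           // base dir or target does not exist
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $base, strlen($base)) !== 0) {
        return false;                           // resolves outside $base_dir
    }
    if (substr($real, -4) !== '.php') {
        return false;                           // never include uploads or data files
    }
    include $real;
    return true;
}

// 2) Shell-safe ImageMagick command. Instead of escaping only ';', every
//    whitespace-separated token of the admin-supplied option string goes
//    through escapeshellarg(), so ';', '|', '&', '`', '$(...)' and newlines
//    reach convert as literal (and rejected) arguments instead of being
//    interpreted by /bin/sh.
function cpg_build_convert_cmd($convert_bin, $im_options, $src, $dst, $width, $height)
{
    $args = array();
    foreach (preg_split('/\s+/', trim($im_options)) as $opt) {
        if ($opt !== '') {
            $args[] = escapeshellarg($opt);
        }
    }
    $size = (int) $width . 'x' . (int) $height;   // integers only: no injection via geometry
    return escapeshellarg($convert_bin) . ' '
        . implode(' ', $args) . ' '
        . escapeshellarg($src) . ' -resize ' . escapeshellarg($size) . ' '
        . escapeshellarg($dst);
}

// Constructed demo input of the kind the advisory describes: an im_options
// value that tries to chain a second command after the ImageMagick options.
$CONFIG = array('im_options' => '-quality 85; id > /tmp/owned');
echo cpg_build_convert_cmd('/usr/bin/convert', $CONFIG['im_options'],
                           'albums/in.jpg', 'albums/thumb_in.jpg', 100, 100), "\n";
```

Running the demo prints a convert command in which every token is single-quoted, so `85;`, `id`, `>` and `/tmp/owned` are handed to convert as plain arguments rather than executed by the shell. Two caveats: splitting on whitespace means an option whose value itself contains spaces would need to be quoted differently, and the include confinement only limits which directory is reachable; if a local user can still drop a .php file under that directory, the permission point made in the post still applies.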
Title: Re: [bug] File Inclusion and Command Execution (SA24019)
Post by: Nibbler on March 30, 2007, 09:48:16 pm
This has already been discussed. It's a non-issue. Only give admin rights to people you trust.