forum.coppermine-gallery.net

No Support => Announcements => Topic started by: Joachim Müller on May 01, 2004, 05:06:51 pm

Title: [Announcement]: Security vulnerabilities for CPGNUKE discovered
Post by: Joachim Müller on May 01, 2004, 05:06:51 pm
Various security vulnerabilities have been discovered in the Coppermine port for postNuke/phpNuke (aka "cpgnuke" or "cpg for cms").
These vulnerabilities use other nuke exploits to gain access to admin rights and can then be used to compromise the attacked web server. They only affect Coppermine for phpNuke/postNuke! Users of the standalone versions (and/or standalone bridged with bbs) are not affected.
Users of the affected versions should go to http://www.nukephotogallery.com/modules.php?name=Forums and look for fixes there - they'll be posted as soon as they're available.

GauGau
Title: Re: [Announcement]: Security vulnerabilities for CPGNUKE discovered
Post by: sammyd28 on May 01, 2004, 05:45:33 pm
What is the easiest way to tell which version you have?
Title: Re: [Announcement]: Security vulnerabilities for CPGNUKE discovered
Post by: Casper on May 01, 2004, 05:49:18 pm
In config, it is at the top of the page.

If you are not running a cms, you should be running a standalone version.
Title: Re: [Announcement]: Security vulnerabilities for CPGNUKE discovered
Post by: Joachim Müller on May 01, 2004, 05:51:33 pm
Well, if you're using phpNuke or postNuke, you should know that you're using it, as you will have had to set up nuke before setting up Coppermine. If you have never heard about "nuke" stuff, you're using the standalone version. When visiting Coppermine config, you should see which version number you are using, but since the vulnerabilities only apply to nuke versions, your standalone version number doesn't matter.

GauGau
Title: Re: [Announcement]: Security vulnerabilities for CPGNUKE discovered
Post by: sammyd28 on May 02, 2004, 07:28:12 am
So then: Coppermine Photo Gallery 1.2.1 is the standalone version and I should just relax, right?
Title: Re: [Announcement]: Security vulnerabilities for CPGNUKE discovered
Post by: Tarique Sani on May 02, 2004, 09:27:54 am
Right, CPG standalone (non-CMS version) users can relax on this one...

CPG for CMS / Nuke users take a look here http://cpgnuke.com/index.php?name=Forums&file=viewtopic&t=341
Title: Re: [Announcement]: Security vulnerabilities for CPGNUKE discovered
Post by: gtroll on May 03, 2004, 11:31:23 pm
Coppermine Photo Gallery 1.2.1 could be Coppermine for CMS, but you would probably know if it was a nuke install. Check and see if you have a file called mainfile.php in your home directory; if so, it's nuke.
Title: Re: [Announcement]: Security vulnerabilities for CPGNUKE discovered
Post by: charlottezweb on June 04, 2004, 03:51:13 am
I apologize if this has been answered elsewhere, but I'm assuming this has nothing to do with a coppermine/YaBBSE integration?  If not, is there a known issue with that?  I've apparently had a weird issue tonight.

(I'll search the boards now, that might be smarter) :)

Regards,
Jason
Title: Re: [Announcement]: Security vulnerabilities for CPGNUKE discovered
Post by: hyperion on June 04, 2004, 04:18:41 am
No, this does not have anything to do with YABBSE.
Title: Re: [Announcement]: Security vulnerabilities for CPGNUKE discovered
Post by: Joachim Müller on June 04, 2004, 07:51:03 am
...although there have been security issues with YaBB SE in the past - you're strongly recommended to apply all security fixes provided for YaBB SE and upgrade to the latest stable version of it (1.5.5), or even upgrade to smf.

GauGau
Title: Re: [Announcement]: Security vulnerabilities for CPGNUKE discovered
Post by: charlottezweb on June 04, 2004, 02:42:24 pm
Oh, I know.  I've been installing it for years, but I don't think the problem was with YSE.  The site was on the latest 1.5.5 patch but it had an old version of a coppermine integration mod that was apparently compromised last night and I see that it's not even supported anymore on your forums.  So it looks like my SMF migration schedule for that particular site has been moved forward by a hell of a lot :)  I'm gonna try the latest coppermine integration that Jack (and yourself I'm assuming) ported tomorrow and hopefully save my gallery and all of its posts.

Thanks for your help,
Jason