forum.coppermine-gallery.net
No Support => General discussion (no support!) => Topic started by: Saubloed on October 20, 2003, 09:22:35 pm
-
Maybe its one of the best galleries BUT:
- its by default an open relay because anonymous user can send emails
- emails dont contain non-fakeable information like sender IP
- passwords are stored in database as clear text
- dont work with safe_mode
- files in zip archives will never have the correct file permissions by default
- AFAIK old versions with security hole are still downloadable and its only hidden noted in FAQ (!?!)
- FAQ is only readalbe with javascript and the gallery contain also some not-nessessary Javascript that dont work with all browsers
Come on - just look at the phpBB code: passwords are stored with md5sum hases, it work with safe_mode, emails contain anti-abuse information, they release files also as tar.gz, they only use Javascript for things that are not important.
The cracy programmers of this gallery should put the root passwort at every webpage - would be the same effekt. LOL
-
Here's an idea... if you don't like it, don't use it.
The cracy programmers of this gallery should put the root passwort at every webpage - would be the same effekt. LOL
Alrighty... here's my gallery, http://www.338tharmyband.com/photo_gallery/
Upload a photo to it. Here's your chance to show us all how your "theory" will work.
-
Waouhhh your pic Signature is all my informations about me : congratulations :)
-
Big deal... it's a simple magic trick... Your browser gives this information freely and it is not a security issue. Don't let his little trick impress you... You want to see an impressive trick, click here (http://www.msnbc.com/news/981712.asp?0bl=-0).
-
troll alert!
Although Saubloed (nomen es omen? for non-german speaking users: "saubloed"="thick as a brick") is right on some of his issues I'll have to make some statements, only to solve some misunderstandings:
its by default an open relay because anonymous user can send emails
we seem to have different definitions on the term "open relay"...
emails dont contain non-fakeable information like sender IP
I consider this as a feature request
passwords are stored in database as clear text
you're right on this - we're working on it...
dont work with safe_mode
not true, safe mode works fine; even with servers where safe mode is not configured properly you can use silly_safe_mode-settings
files in zip archives will never have the correct file permissions by default
true, but usually windows users (the majority of our users) will unzip it on their client using winzip or similar, so the advantages of a tarball will be gone. We released our files in a hurry (the original site chezgreg.net had gone down, so we didn't pack up everything as tarball).
AFAIK old versions with security hole are still downloadable and its only hidden noted in FAQ (!?!)
afaik the known security holes that have been an issue with cpg1.0 have been fixed in the files that are available for download
FAQ is only readalbe with javascript and the gallery contain also some not-nessessary Javascript that dont work with all browsers
true, the faq need a re-work
...they only use Javascript for things that are not important
so does coppermine - the slideshow and the full-size pop-up aren't esential for coppermine to work
The cracy programmers of this gallery should put the root passwort at every webpage - would be the same effekt. LOL
your posting has been OK untill this remark - I won't take the effort to check wether you provided a valid email address on registration - you surely didn't. :roll:
GauGau
-
@Saubloed: :) Thank you for pointing out what the dev team allready knows.
-
I think that counter-attacking isn't the way. We should take whatever relevant criticism is in the post for our benefit, and just ignore the rest.
Indeed the original poster may be just a troll, but on the other hand he may have intended to report some issues that he considers as flaws, and he just doesn't have the manners to do it right.
One way or another, if he made any useful comment then great for us, and for all the rest who cares.
EZ.
-
@EZ: Agreed, I knew this before i posted, as they say "if not part of solution then part of problem" i will say no more.
-
its by default an open relay because anonymous user can send emails
we seem to have different definitions on the term "open relay"...
It IS and open relay. Since jasendorf say you can use it - do it:
http://www.338tharmyband.com/photo_gallery/ecard.php?album=2&pid=457&pos=0
Should i send you 1 million of emails or 10 or 10000?
-
you're right - I just started trackers on these issues...
GauGau
-
Waouhhh your pic Signature is all my informations about me : congratulations :)
Look at this website:
http://www.danasoft.com/
-
The cracy programmers of this gallery should put the root passwort at every webpage - would be the same effekt. LOL
your posting has been OK untill this remark - I won't take the effort to check wether you provided a valid email address on registration - you surely didn't. :roll:
Just imagine:
- there is a bug in a php scirpt
- you can get the password of the admin-user of the gallery and you probably have the loginpassword of FTP/SSH
- even if not - you have the (encrypted) mysql password (and can crack it very fast if it is not long (<12 Characters)) and you probably have the FTP/SSH login
- on the worst case there is a local root securityhole (ptrace bug)
My problem is just that i am a little Webhoster and i recognized that this script is a must have for some of my customers but it bring me gigantic problems.
-
do you have or could you make some fixes for cpg ??
-
OK, so this all boils down to md5-encryption of the passwords in the database, right?
I started a tracker on this, let's see...
GauGau
-
OK, so this all boils down to md5-encryption of the passwords in the database, right?
I started a tracker on this, let's see...
Ok thank you.
I also think anonymous ecards sending should be disabled until it is limited or contain anti-abuse information. I will report this as bug.
-
BTW, Saubloed, I still am waiting for you to break in to my "insecure" Coppermine Photo Gallery...
Or, perhaps you need me to "put the root password on every webpage" for you to be successful?
Come on big boy... show us what you got. Either that or STFU.
-
hush, flame off, torch! 8)
GauGau
-
The cracy programmers of this gallery should put the root passwort at every webpage - would be the same effekt. LOL
I'd like to see you write your own secure gallery and come up with a different "cracy effekt".
-
Except for the fact that by default e-cards can be sent by anonymous users everything else - Yes even the passwords stored in clear text in MySQL - are comments of a troll who used cheap Microsoftish tricks to impress the naive.
Just spreading FUD - nuff said, back to work everyone.
BTW I have fixed the e-card sending defaults in CVS
-
BUWAHAHAHAHAHAHAHAHA
This moron just spammed my email box with 10 e-cards... even though I specifically said:
Alrighty... here's my gallery, http://www.338tharmyband.com/photo_gallery/
Upload a photo to it. Here's your chance to show us all how your "theory" will work.
No one was denying the ability to send multiple e-cards as an anonymous user (nevermind that I have your IP in my http log now...). But, I'm fairly certain my challenge was pretty clear. You failed. Now, trolly, go away.
-
JD, he has H4X0R3D j00 with 10 e-cards!!!!!
All your posts are belong to us!!
-
Hey,
(1) It looks like GauGau is actually trying to work on some of the points brought up in this thread instead of just feuling the flame war. I applaude that.
(2) troll?
rg.
-
(https://forum.coppermine-gallery.net/proxy.php?request=http%3A%2F%2Fwww.338tharmyband.com%2Fjasendorf%2Fe-card.jpg&hash=097f6f228e4c3c133963d46414d42e5a5cfac359)
Oh, and BTW, just because I like taunting the troll doesn't mean I'm not committed to making CPG as secure as possible. And, as I was trying to point out, it's not nearly as "insecure" as the original poster attempted to portray it as.
-
troll = big monster you can see inside The Lord of The Ring :)
-
(...)
No one was denying the ability to send multiple e-cards as an anonymous user (nevermind that I have your IP in my http log now...).
You dont know what an open relay is? LOL
But, I'm fairly certain my challenge was pretty clear.
Open a own topic if you want a "challange". Maybe your are just unable to learn what "open relay" means.
And BTW you lost the challange already in the past:
http://www.securityfocus.com/bid/7471
http://www.securityfocus.com/archive/1/317705
http://www.securityfocus.com/bid/7300
You failed. Now, trolly, go away.
If you cant read my first message go back to scool.
-
OK! Enough!! I am locking this thread
@Saubloed - If you got so much of a problem with our software don't use it, this is Open Source the license itself states that it comes with no warranty
If you can help please do else we do not need your deridement