forum.coppermine-gallery.net

No Support => General discussion (no support!) => Topic started by: Saubloed on October 20, 2003, 09:22:35 pm

Title: Gallery is a big security hole and open relay?
Post by: Saubloed on October 20, 2003, 09:22:35 pm
Maybe it's one of the best galleries BUT:

- it's by default an open relay because anonymous users can send emails
- emails don't contain non-fakeable information like sender IP
- passwords are stored in database as clear text
- doesn't work with safe_mode
- files in zip archives will never have the correct file permissions by default
- AFAIK old versions with security holes are still downloadable and it's only noted, hidden, in the FAQ (!?!)
- FAQ is only readable with JavaScript and the gallery also contains some unnecessary JavaScript that doesn't work with all browsers

Come on - just look at the phpBB code: passwords are stored with md5sum hashes, it works with safe_mode, emails contain anti-abuse information, they also release files as tar.gz, they only use JavaScript for things that are not important.

The cracy programmers of this gallery should put the root passwort at every webpage - would be the same effekt. LOL
Title: Gallery is a big security hole and open relay?
Post by: jasendorf on October 20, 2003, 09:43:07 pm
Here's an idea... if you don't like it, don't use it.

Quote
The cracy programmers of this gallery should put the root passwort at every webpage - would be the same effekt. LOL


Alrighty... here's my gallery, http://www.338tharmyband.com/photo_gallery/

Upload a photo to it.  Here's your chance to show us all how your "theory" will work.
Title: Gallery is a big security hole and open relay?
Post by: Rodinou on October 20, 2003, 10:47:17 pm
Waouhhh your pic Signature is all my information about me : congratulations :)
Title: Gallery is a big security hole and open relay?
Post by: jasendorf on October 20, 2003, 10:55:17 pm
Big deal... it's a simple magic trick... Your browser gives this information freely and it is not a security issue.  Don't let his little trick impress you... You want to see an impressive trick, click here (http://www.msnbc.com/news/981712.asp?0bl=-0).
Title: Gallery is a big security hole and open relay?
Post by: Joachim Müller on October 20, 2003, 11:31:32 pm
troll alert!
Although Saubloed (nomen est omen? for non-German-speaking users: "saubloed"="thick as a brick") is right on some of his issues I'll have to make some statements, only to solve some misunderstandings:

Quote
it's by default an open relay because anonymous users can send emails
we seem to have different definitions on the term "open relay"...
Quote
emails don't contain non-fakeable information like sender IP
I consider this as a feature request
Quote
passwords are stored in database as clear text
you're right on this - we're working on it...
Quote
doesn't work with safe_mode
not true, safe mode works fine; even with servers where safe mode is not configured properly you can use silly_safe_mode-settings
Quote
files in zip archives will never have the correct file permissions by default
true, but usually Windows users (the majority of our users) will unzip it on their client using WinZip or similar, so the advantages of a tarball will be gone. We released our files in a hurry (the original site chezgreg.net had gone down, so we didn't pack up everything as tarball).
Quote
AFAIK old versions with security holes are still downloadable and it's only noted, hidden, in the FAQ (!?!)
afaik the known security holes that have been an issue with cpg1.0 have been fixed in the files that are available for download
Quote
FAQ is only readable with JavaScript and the gallery also contains some unnecessary JavaScript that doesn't work with all browsers
true, the FAQ needs a re-work
Quote
...they only use JavaScript for things that are not important
so does coppermine - the slideshow and the full-size pop-up aren't essential for coppermine to work
Quote
The cracy programmers of this gallery should put the root passwort at every webpage - would be the same effekt. LOL
your posting has been OK until this remark - I won't take the effort to check whether you provided a valid email address on registration - you surely didn't. :roll:

GauGau
Title: Gallery is a big security hole and open relay?
Post by: John on October 20, 2003, 11:46:35 pm
@Saubloed: :) Thank you for pointing out what the dev team already knows.
Title: Gallery is a big security hole and open relay?
Post by: EZ on October 21, 2003, 12:00:58 am
I think that counter-attacking isn't the way. We should take whatever relevant criticism is in the post for our benefit, and just ignore the rest.

Indeed the original poster may be just a troll, but on the other hand he may have intended to report some issues that he considers as flaws, and he just doesn't have the manners to do it right.

One way or another, if he made any useful comment then great for us, and for all the rest who care.

EZ.
Title: Gallery is a big security hole and open relay?
Post by: John on October 21, 2003, 12:04:48 am
@EZ: Agreed, I knew this before I posted, as they say "if not part of solution then part of problem" I will say no more.
Title: Gallery is a big security hole and open relay?
Post by: Saubloed on October 21, 2003, 12:19:13 am
Quote from: "gaugau"
Quote
it's by default an open relay because anonymous users can send emails
we seem to have different definitions on the term "open relay"...


It IS an open relay. Since jasendorf says you can use it - do it:
http://www.338tharmyband.com/photo_gallery/ecard.php?album=2&pid=457&pos=0

Should I send you 1 million emails or 10 or 10000?
Title: Gallery is a big security hole and open relay?
Post by: Joachim Müller on October 21, 2003, 12:19:21 am
you're right - I just started trackers on these issues...

GauGau
Title: Gallery is a big security hole and open relay?
Post by: Saubloed on October 21, 2003, 12:20:26 am
Quote from: "Rodinou"
Waouhhh your pic Signature is all my information about me : congratulations :)


Look at this website:
http://www.danasoft.com/
Title: Gallery is a big security hole and open relay?
Post by: Saubloed on October 21, 2003, 12:34:23 am
Quote from: "gaugau"
Quote
The cracy programmers of this gallery should put the root passwort at every webpage - would be the same effekt. LOL
your posting has been OK until this remark - I won't take the effort to check whether you provided a valid email address on registration - you surely didn't. :roll:


Just imagine:
- there is a bug in a php script
- you can get the password of the admin-user of the gallery and you probably have the login password of FTP/SSH
- even if not - you have the (encrypted) MySQL password (and can crack it very fast if it is not long (<12 characters)) and you probably have the FTP/SSH login
- in the worst case there is a local root security hole (ptrace bug)

My problem is just that I am a little web hoster and I recognized that this script is a must-have for some of my customers but it brings me gigantic problems.
Title: Gallery is a big security hole and open relay?
Post by: John on October 21, 2003, 12:39:13 am
do you have or could you make some fixes for cpg ??
Title: Gallery is a big security hole and open relay?
Post by: Joachim Müller on October 21, 2003, 12:40:04 am
OK, so this all boils down to md5-encryption of the passwords in the database, right?

I started a tracker on this, let's see...

GauGau
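The change discussed above, as an added example that is not Coppermine's code: because the existing column holds clear text, every row can be converted in a single pass without waiting for users to log in. It uses PHP's salted password_hash() rather than a bare md5 digest; the users table, its column names and the sample accounts are hypothetical and constructed, and the demo needs the pdo_sqlite extension.

```php
<?php
// Added example, not Coppermine code: table and column names are hypothetical.

// One-off migration: every clear-text row is rewritten as a salted hash.
function migrate_cleartext_passwords(PDO $db): int
{
    $rows = $db->query('SELECT user_id, user_password FROM users')->fetchAll(PDO::FETCH_ASSOC);
    $upd  = $db->prepare('UPDATE users SET user_password = ? WHERE user_id = ?');
    $done = 0;
    $db->beginTransaction();
    foreach ($rows as $r) {
        // Skip rows that already hold a password_hash() value, so a re-run is harmless.
        if (password_get_info($r['user_password'])['algoName'] !== 'unknown') {
            continue;
        }
        $upd->execute([password_hash($r['user_password'], PASSWORD_DEFAULT), $r['user_id']]);
        $done++;
    }
    $db->commit();
    return $done;
}

function check_login(PDO $db, string $name, string $password): bool
{
    $q = $db->prepare('SELECT user_id, user_password FROM users WHERE user_name = ?');
    $q->execute([$name]);
    $row = $q->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['user_password'])) {
        return false;
    }
    // Re-hash transparently when PHP's default algorithm or cost changes.
    if (password_needs_rehash($row['user_password'], PASSWORD_DEFAULT)) {
        $db->prepare('UPDATE users SET user_password = ? WHERE user_id = ?')
           ->execute([password_hash($password, PASSWORD_DEFAULT), $row['user_id']]);
    }
    return true;
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, user_name TEXT, user_password TEXT)');
$db->exec("INSERT INTO users (user_name, user_password) VALUES ('alice', 'correct horse'), ('bob', 'hunter2')");

var_dump(migrate_cleartext_passwords($db));            // rows converted on the first run
var_dump(check_login($db, 'alice', 'correct horse'));  // right password
var_dump(check_login($db, 'alice', 'hunter2'));        // wrong password
var_dump(migrate_cleartext_passwords($db));            // second run finds nothing to convert
```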
Title: Gallery is a big security hole and open relay?
Post by: Saubloed on October 21, 2003, 12:42:24 am
Quote from: "gaugau"
OK, so this all boils down to md5-encryption of the passwords in the database, right?

I started a tracker on this, let's see...


Ok thank you.
I also think anonymous ecard sending should be disabled until it is limited or contains anti-abuse information. I will report this as a bug.
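The two mitigations asked for in this post, sketched as an added example that is not Coppermine's code: a per-IP sliding-window limit on e-card sends, and anti-abuse headers carrying the connecting address, with recipient input checked for header injection. The limit values, function names, the `X-Abuse-Contact` header name and all addresses are assumptions or constructed samples; the code needs PHP 7.4 or later.

```php
<?php
// Added example, not Coppermine code. Limits, names and addresses are assumptions.
const ECARD_LIMIT  = 5;     // cards allowed per client IP per window
const ECARD_WINDOW = 3600;  // window length in seconds

// Accept one syntactically valid address; refuse CR/LF and list separators,
// which could add recipients or headers to the outgoing message.
function clean_address(string $addr): ?string
{
    if (preg_match('/[\r\n,;]/', $addr)) {
        return null;
    }
    $valid = filter_var($addr, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

// Sliding-window limiter. $log maps client IP => timestamps of accepted sends.
function allow_send(array &$log, string $ip, int $now): bool
{
    $recent = array_values(array_filter($log[$ip] ?? [], fn($t) => $t > $now - ECARD_WINDOW));
    $ok = count($recent) < ECARD_LIMIT;
    if ($ok) {
        $recent[] = $now;
    }
    $log[$ip] = $recent;
    return $ok;
}

// Returns [recipient, headers] for mail(), or null when the request is refused.
function build_ecard(array &$log, string $ip, string $to, int $now): ?array
{
    $rcpt = clean_address($to);
    if ($rcpt === null || !filter_var($ip, FILTER_VALIDATE_IP) || !allow_send($log, $ip, $now)) {
        return null;
    }
    return [$rcpt, [
        'From'             => 'ecards@gallery.example',
        'X-Originating-IP' => "[$ip]",                 // taken from REMOTE_ADDR, not from form input
        'X-Abuse-Contact'  => 'abuse@gallery.example', // assumed, non-standard header name
    ]];
}

// Constructed requests: seven sends from one IP, then a header-injection attempt.
$log = [];
for ($i = 1; $i <= 7; $i++) {
    $r = build_ecard($log, '203.0.113.9', 'friend@example.org', 1066700000 + $i);
    echo $i, ': ', $r === null ? 'refused' : 'accepted ' . $r[1]['X-Originating-IP'], "\n";
}
var_dump(build_ecard($log, '198.51.100.4', "a@example.org\r\nBcc: b@example.net", 1066700000));
```

In a real deployment the `$log` array would live in a database table or shared cache so the limit survives across requests.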
Title: Gallery is a big security hole and open relay?
Post by: jasendorf on October 21, 2003, 01:18:26 am
BTW, Saubloed, I still am waiting for you to break in to my "insecure" Coppermine Photo Gallery...

Or, perhaps you need me to "put the root password on every webpage" for you to be successful?


Come on big boy... show us what you got.  Either that or STFU.
Title: Gallery is a big security hole and open relay?
Post by: Joachim Müller on October 21, 2003, 01:20:41 am
hush, flame off, torch! 8)

GauGau
Title: Re: Gallery is a big security hole and open relay?
Post by: moorey on October 21, 2003, 03:20:34 am
Quote from: "Saubloed"
The cracy programmers of this gallery should put the root passwort at every webpage - would be the same effekt. LOL


I'd like to see you write your own secure gallery and come up with a different "cracy effekt".
Title: Gallery is a big security hole and open relay?
Post by: Tarique Sani on October 21, 2003, 04:09:08 am
Except for the fact that by default e-cards can be sent by anonymous users everything else - Yes even the passwords stored in clear text in MySQL - are comments of a troll who used cheap Microsoftish tricks to impress the naive.

Just spreading FUD - nuff said, back to work everyone.

BTW I have fixed the e-card sending defaults in CVS
Title: Gallery is a big security hole and open relay?
Post by: jasendorf on October 21, 2003, 06:57:05 am
BUWAHAHAHAHAHAHAHAHA

This moron just spammed my email box with 10 e-cards...  even though I specifically said:

Quote
Alrighty... here's my gallery, http://www.338tharmyband.com/photo_gallery/

Upload a photo to it. Here's your chance to show us all how your "theory" will work.


No one was denying the ability to send multiple e-cards as an anonymous user (never mind that I have your IP in my http log now...).  But, I'm fairly certain my challenge was pretty clear.  You failed.  Now, trolly, go away.
Title: Gallery is a big security hole and open relay?
Post by: moorey on October 21, 2003, 08:36:20 am
JD, he has H4X0R3D j00 with 10 e-cards!!!!!

All your posts are belong to us!!
Title: Gallery is a big security hole and open relay?
Post by: rg on October 21, 2003, 02:52:19 pm
Hey,

(1)  It looks like GauGau is actually trying to work on some of the points brought up in this thread instead of just fueling the flame war.  I applaud that.

(2)  troll?

rg.
Title: Gallery is a big security hole and open relay?
Post by: jasendorf on October 21, 2003, 03:21:03 pm
(https://forum.coppermine-gallery.net/proxy.php?request=http%3A%2F%2Fwww.338tharmyband.com%2Fjasendorf%2Fe-card.jpg&hash=108934e457a5cad5df2024b5cb633c2a)


Oh, and BTW, just because I like taunting the troll doesn't mean I'm not committed to making CPG as secure as possible.  And, as I was trying to point out, it's not nearly as "insecure" as the original poster attempted to portray it as.
Title: Gallery is a big security hole and open relay?
Post by: Rodinou on October 21, 2003, 03:22:04 pm
troll = big monster you can see inside The Lord of the Rings :)
Title: Gallery is a big security hole and open relay?
Post by: Saubloed on October 21, 2003, 05:02:18 pm
Quote from: "jasendorf"
(...)
No one was denying the ability to send multiple e-cards as an anonymous user (never mind that I have your IP in my http log now...).


You don't know what an open relay is?  LOL

Quote
But, I'm fairly certain my challenge was pretty clear.


Open your own topic if you want a "challenge". Maybe you are just unable to learn what "open relay" means.

And BTW you lost the challenge already in the past:
http://www.securityfocus.com/bid/7471
http://www.securityfocus.com/archive/1/317705
http://www.securityfocus.com/bid/7300

Quote
You failed.  Now, trolly, go away.


If you can't read my first message go back to school.
Title: Gallery is a big security hole and open relay?
Post by: Tarique Sani on October 21, 2003, 05:07:53 pm
OK! Enough!!  I am locking this thread

@Saubloed - If you've got so much of a problem with our software, don't use it; this is Open Source, the license itself states that it comes with no warranty

If you can help, please do; else we do not need your deridement