Author Topic: small security problems  (Read 6136 times)


Andi

small security problems
« on: October 23, 2004, 07:07:02 pm »

Hi dev-Team :)

The following files can be called directly and display some error messages (full path disclosure):

include/search.inc.php,v 1.9 2004/09/30 22:30:38 nibbler999
include/plugin_api.inc.php,v 1.10 2004/09/04 00:40:22 kegobeer
include/picmgmt.inc.php,v 1.26 2004/10/22 09:36:39 caspershadow
include/keyword.inc.php,v 1.2 2004/08/13 04:27:20 gaugau
include/media.functions.inc.php,v 1.8 2004/09/25 19:09:44 caspershadow
include/langfallback.inc.php,v 1.8 2004/10/05 11:54:01 adityamooley
include/logger.inc.php,v 1.11 2004/08/08 09:57:13 gaugau
plugins/sef_urls/codebase.php,v 1.3 2004/08/08 20:48:47 oddeveloper
plugins/sef_urls/codebase.php,v 1.4 2004/08/08 10:06:56 gaugau

The same is in all language files.

With some only, if error_reporting is switched on  ;)


Maybe it's a good idea to put this line:
if (!defined('IN_COPPERMINE')) die('Not in Coppermine...');
in top of file


Additionally, but I'm not sure....

In file include/keyword.inc.php,v 1.2 2004/08/13 04:27:20 gaugau there are these 2 lines in top of file:
Code:
define('IN_COPPERMINE', true);
define('SEARCH_PHP', true);
Is this correct?
« Last Edit: October 24, 2004, 02:53:10 pm by GauGau »
hope, I could help you... :)

Joachim Müller

Re: small security problems
« Reply #1 on: October 24, 2004, 02:52:50 pm »

> The following files can be called directly and display some error messages (full path disclosure):
>
> include/search.inc.php,v 1.9 2004/09/30 22:30:38 nibbler999
> include/plugin_api.inc.php,v 1.10 2004/09/04 00:40:22 kegobeer
> include/picmgmt.inc.php,v 1.26 2004/10/22 09:36:39 caspershadow
> include/keyword.inc.php,v 1.2 2004/08/13 04:27:20 gaugau
> include/media.functions.inc.php,v 1.8 2004/09/25 19:09:44 caspershadow
> include/langfallback.inc.php,v 1.8 2004/10/05 11:54:01 adityamooley
> include/logger.inc.php,v 1.11 2004/08/08 09:57:13 gaugau
> plugins/sef_urls/codebase.php,v 1.3 2004/08/08 20:48:47 oddeveloper
> plugins/sef_urls/codebase.php,v 1.4 2004/08/08 10:06:56 gaugau
>
> The same is in all language files.
>
> With some only, if error_reporting is switched on ;)
>
> Maybe it's a good idea to put this line:
> if (!defined('IN_COPPERMINE')) die('Not in Coppermine...');
> in top of file

Although there's little threat potential if an attacker tries to directly browse those files, I added the line as you suggested.

> Additionally, but I'm not sure....
>
> In file include/keyword.inc.php,v 1.2 2004/08/13 04:27:20 gaugau there are these 2 lines in top of file:
> Code:
> define('IN_COPPERMINE', true);
> define('SEARCH_PHP', true);
> Is this correct?

Yes, this is correct: the definition just says what var inside the language file to use - to keep things simpler and avoid redundancy, I used the lang vars from search.php.

Joachim

Andi

Re: small security problems
« Reply #2 on: October 24, 2004, 04:27:41 pm »

Hi Joachim :)
I believe that was a misunderstanding.
With the constant SEARCH_PHP I was irritated and not sure.
But something is not correct with the constant IN_COPPERMINE.

In the new file version (keyword.inc.php,v 1.3 2004/10/24 12:49:42 gaugau) there are these 2 lines:

line #19 : define('IN_COPPERMINE', true);

line #22 : if (!defined('IN_COPPERMINE')) { die('Not in Coppermine...');}

 ;) oh god my english...., sorry  :)
hope, I could help you... :)

Joachim Müller

Re: small security problems
« Reply #3 on: October 25, 2004, 08:21:25 am »

You're right, that's a contradiction in terms. Both definitions are useless, I dropped them from the code.

Joachim
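
An added example, not part of the thread and not Coppermine's own code: a Python audit helper that reports include files lacking the `IN_COPPERMINE` guard discussed above, and files that define the constant themselves before checking it (the case from Reply #2). The status names, regexes and sample sources are constructed assumptions.

```python
import os
import re

CONST = "IN_COPPERMINE"  # guard constant named in the thread
Q = r"['\"]"
GUARD_RE = re.compile(
    r"if\s*\(\s*!\s*defined\s*\(\s*" + Q + CONST + Q + r"\s*\)\s*\)\s*\{?\s*(?:die|exit)\b")
DEFINE_RE = re.compile(r"\bdefine\s*\(\s*" + Q + CONST + Q)
# Heuristic comment stripping; a '//' inside a string literal is also cut.
COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*", re.S)


def classify(php_source):
    """Heuristically classify one PHP include file by its direct-access guard."""
    code = COMMENT_RE.sub("", php_source)
    guard = GUARD_RE.search(code)
    if guard is None:
        return "unguarded"
    define = DEFINE_RE.search(code)
    if define and define.start() < guard.start():
        return "self-defined"  # file sets the constant itself, so the guard never fires
    before = re.sub(r"^\s*<\?(?:php)?", "", code[:guard.start()]).strip()
    return "late-guard" if before else "guarded"  # code ran before the check


def audit(root):
    """Map relative path -> status for every .php file under root that is not 'guarded'."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if name.endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    status = classify(fh.read())
                if status != "guarded":
                    findings[os.path.relpath(path, root)] = status
    return findings


# Constructed samples modelled on the three states discussed in the thread.
SAMPLES = {
    "no_guard": "<?php\n// $Id$\n$lang = array('x' => 'y');\n",
    "guard_first": "<?php\nif (!defined('IN_COPPERMINE')) die('Not in Coppermine...');\n$x = 1;\n",
    "define_then_guard": "<?php\ndefine('IN_COPPERMINE', true);\n"
                         "if (!defined('IN_COPPERMINE')) { die('Not in Coppermine...');}\n",
}

if __name__ == "__main__":
    for label, src in SAMPLES.items():
        print(label, "->", classify(src))
```

Entry-point scripts that legitimately define the constant and have no guard will show up as "unguarded", so point `audit()` at the include, plugin and language directories rather than the web root.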