Topic: small security problems (Read 6205 times)

Andi · « **on:** October 23, 2004, 07:07:02 pm »

Hi dev-Team

the following files can be called directly and displays some error messages (full path disclosure):

include/search.inc.php,v 1.9 2004/09/30 22:30:38 nibbler999
include/plugin_api.inc.php,v 1.10 2004/09/04 00:40:22 kegobeer
include/picmgmt.inc.php,v 1.26 2004/10/22 09:36:39 caspershadow
include/keyword.inc.php,v 1.2 2004/08/13 04:27:20 gaugau
include/media.functions.inc.php,v 1.8 2004/09/25 19:09:44 caspershadow
include/langfallback.inc.php,v 1.8 2004/10/05 11:54:01 adityamooley
include/logger.inc.php,v 1.11 2004/08/08 09:57:13 gaugau
plugins/sef_urls/codebase.php,v 1.3 2004/08/08 20:48:47 oddeveloper
plugins/sef_urls/codebase.php,v 1.4 2004/08/08 10:06:56 gaugau

The same is in all language files.

With some only, if error_reporting is switched on

Maybe it's a good idea to put this line:
if (!defined('IN_COPPERMINE')) die('Not in Coppermine...');
in top of file

Additionaly, but i'm not shure....

In file include/keyword.inc.php,v 1.2 2004/08/13 04:27:20 gaugau there are this 2 lines in top of file:

Code: [Select]

define('IN_COPPERMINE', true);
define('SEARCH_PHP', true);

Is this correct?

Joachim Müller · « **Reply #1 on:** October 24, 2004, 02:52:50 pm »

Quote from: Andi on October 23, 2004, 07:07:02 pm

the following files can be called directly and displays some error messages (full path disclosure):

include/search.inc.php,v 1.9 2004/09/30 22:30:38 nibbler999
include/plugin_api.inc.php,v 1.10 2004/09/04 00:40:22 kegobeer
include/picmgmt.inc.php,v 1.26 2004/10/22 09:36:39 caspershadow
include/keyword.inc.php,v 1.2 2004/08/13 04:27:20 gaugau
include/media.functions.inc.php,v 1.8 2004/09/25 19:09:44 caspershadow
include/langfallback.inc.php,v 1.8 2004/10/05 11:54:01 adityamooley
include/logger.inc.php,v 1.11 2004/08/08 09:57:13 gaugau
plugins/sef_urls/codebase.php,v 1.3 2004/08/08 20:48:47 oddeveloper
plugins/sef_urls/codebase.php,v 1.4 2004/08/08 10:06:56 gaugau

The same is in all language files.

With some only, if error_reporting is switched on

Maybe it's a good idea to put this line:
if (!defined('IN_COPPERMINE')) die('Not in Coppermine...');
in top of file

Although there's little threat potential if an attacker tries to directly browse those files I added the line as you suggested.

Quote from: Andi on October 23, 2004, 07:07:02 pm

Additionaly, but i'm not shure....

In file include/keyword.inc.php,v 1.2 2004/08/13 04:27:20 gaugau there are this 2 lines in top of file:
Code: [Select]
define('IN_COPPERMINE', true); define('SEARCH_PHP', true);Is this correct?

Yes, this is correct: the definition just says what var inside the language file to use - to keep things simpler and avoid redundancy, I used the lang vars from search.php.

Joachim

Andi · « **Reply #2 on:** October 24, 2004, 04:27:41 pm »

Hi Joachim

I believe that was a misunderstanding.
With the constant SEARCH_PHP i was irritated and not sure.
But is not correct with the constant IN_COPPERMINE somewhat.

Iin the new file version (keyword.inc.php,v 1.3 2004/10/24 12:49:42 gaugau) are this 2 lines:

line #19 : define('IN_COPPERMINE', true);

line #22 : if (!defined('IN_COPPERMINE')) { die('Not in Coppermine...');}

oh god my english...., sorry

Joachim Müller · « **Reply #3 on:** October 25, 2004, 08:21:25 am »

you're right, that's a contradiction in terms. Both definitions are useless, I dropped them from the code.

Joachim

News:

Author Topic: small security problems (Read 6205 times)

Andi

small security problems

Joachim Müller

Re: small security problems

Andi

Re: small security problems

Joachim Müller

Re: small security problems