Advanced search  

News:

cpg1.5.48 Security release - upgrade mandatory!
The Coppermine development team is releasing a security update for Coppermine in order to counter a recently discovered vulnerability. It is important that all users who run version cpg1.5.46 or older update to this latest version as soon as possible.
[more]

Pages: [1]   Go Down

Author Topic: Security issue with coppermine  (Read 4766 times)

0 Members and 1 Guest are viewing this topic.

PhilCowans

  • Coppermine newbie
  • Offline Offline
  • Posts: 2
Security issue with coppermine
« on: December 21, 2004, 11:10:44 am »

Files in the include subdirectory are installed with world writeable permissions. This is a serious vulnerability on multi-user systems, and has already caused problems on our server.

Phil
Logged

Casper

  • VIP
  • Coppermine addict
  • ***
  • Country: 00
  • Offline Offline
  • Gender: Male
  • Posts: 5231
Re: Security issue with coppermine
« Reply #1 on: December 21, 2004, 11:36:54 am »

The include directory needs to be writable during the install, but after that it is not needed, so you can change the permissions.

We have had no reports of problems with security due to this before.  What issues have you had?
Logged
It has been a long time now since I did my little bit here, and have done no coding or any other such stuff since. I'm back to being a noob here

PhilCowans

  • Coppermine newbie
  • Offline Offline
  • Posts: 2
Re: Security issue with coppermine
« Reply #2 on: December 21, 2004, 11:54:37 am »

That's not a solution - you cannot assume that users will change the permissions.

The problems were not directly related to coppermine - having obtained one account, the attacker used the world writable files to modify the website of another user.
Logged

Tarique Sani

  • VIP
  • Coppermine addict
  • ***
  • Offline Offline
  • Gender: Male
  • Posts: 2712
    • http://tariquesani.net
Re: Security issue with coppermine
« Reply #3 on: December 21, 2004, 01:15:15 pm »

@PhilCowans - yes you are right - the permissions for all the files in the zip are unduly permissive this usually is not a problem as most users ftp single file at a time rather than uploading the zip and unzipping it on the server.  What we really need is a gizpped tarball so that the permissions are retained as intended -  Will have it fixed ASAP - Thanks
« Last Edit: December 21, 2004, 01:58:58 pm by Tarique Sani »
Logged
SANIsoft PHP applications for E Biz

raummusik

  • Coppermine novice
  • *
  • Offline Offline
  • Posts: 30
Re: Security issue with coppermine
« Reply #4 on: December 22, 2004, 01:49:44 am »

yo fine.. cause of the permission writable in /include its now the worm which destroys our gallerys.. look here :


http://forum.coppermine-gallery.net/index.php?topic=12803.0

damn it . ;)
Logged

CapriSkye

  • Translator
  • Coppermine frequent poster
  • **
  • Offline Offline
  • Posts: 126
    • 森林之原
Re: Security issue with coppermine
« Reply #5 on: December 22, 2004, 03:35:20 am »

i thought writable permission isn't a security hole  :-\\

http://www.simplemachines.org/community/index.php?topic=2987.0
Logged

Tarique Sani

  • VIP
  • Coppermine addict
  • ***
  • Offline Offline
  • Gender: Male
  • Posts: 2712
    • http://tariquesani.net
Re: Security issue with coppermine
« Reply #6 on: December 22, 2004, 04:44:18 am »

yo fine.. cause of the permission writable in /include its now the worm which destroys our gallerys.. look here :
http://forum.coppermine-gallery.net/index.php?topic=12803.0

This worm is not exploiting the READ/WRITE issue - it is probably exploiting the serialise / unserialise bug in PHP version 4.3.9 and earlier - the correct solution to the problem is to have your host upgrade to PHP 4.3.10

As far as permissions in unzipped files go - that is the character of Zip files which by design DO NOT store permissions - thus if you unzip a zip file on your server its files (usually depending on the server config) will have permission 666 and the directories will have permission 777.

This will not be a problem if you unzip the file locally and upload it via FTP as most FTP clients will give sensible permissions.

Like I said earlier, however if there is to be something which can be uploaded on to the server as a single package and unzipped (untarred) then it has to be a gzipped/b2zipped tarball as tar files can retain original permissions

So the bottom line is

#1 Upgrade to PHP 4.3.10
#2 DO NOT use unzip on server blindly - either use an ftp client OR set permissions properly after unzipping
« Last Edit: December 22, 2004, 06:30:01 am by Tarique Sani »
Logged
SANIsoft PHP applications for E Biz
Pages: [1]   Go Up
 

Page created in 0.031 seconds with 19 queries.