Advanced search  

News:

cpg1.5.48 Security release - upgrade mandatory!
The Coppermine development team is releasing a security update for Coppermine in order to counter a recently discovered vulnerability. It is important that all users who run version cpg1.5.46 or older update to this latest version as soon as possible.
[more]

Pages: [1]   Go Down

Author Topic: Re: Patch for Coppermine 1.4.3 remote code execution - Update NOW!  (Read 6672 times)

0 Members and 1 Guest are viewing this topic.

zapper

  • Coppermine newbie
  • Offline Offline
  • Posts: 1

Thanks for the patch. I just noticed someone uploaded a file called:

jpg.php.rar

which is a phpshell program that looks like it has access to the server filesystem and can execute abitrary commands.

Just looking into it now but here is some info on the php script:

http://www.mnin.org/write/2006_uploadscripts.html#Martin_Geislers_PhpShell_
« Last Edit: February 18, 2006, 09:59:12 pm by Nibbler »
Logged

Nibbler

  • Guest
Re: Re: Patch for Coppermine 1.4.3 remote code execution - Update NOW!
« Reply #1 on: February 18, 2006, 11:02:01 pm »

If you don't need to allow .rar uploads then disallow them in Coppermine's config or with the filetypes plugin. If you do need to allow them then ensure they are treated correctly by your webserver by adding this line into the .htaccess file in your albums directory.

Code: [Select]
AddHandler application/x-rar .rar
Logged

auroramae

  • Coppermine novice
  • *
  • Offline Offline
  • Posts: 37
Re: Patch for Coppermine 1.4.3 remote code execution - Update NOW!
« Reply #2 on: April 19, 2006, 05:55:24 pm »

Unfortunately I didn't block file types, my mistake.

My host  denied me access to my acount after someone uploaded the nstview script and used it to post an html file asking for personal financial information.    They said they removed the html file, but I looked over the directory and the original offending RAR was still there.    I noticed thumbs for 2 other rar files in the gallery. but the files don't exsit.  They all had different names.

I had my gallery set to ask admin approval for uploads from everyone so I am kind of stumped as to how they got the file on there in the first place.
Logged

Joachim Müller

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 47844
  • aka "GauGau"
    • gaugau.de
Re: Patch for Coppermine 1.4.3 remote code execution - Update NOW!
« Reply #3 on: April 19, 2006, 08:41:51 pm »

the file gets stored on the server immediately on upload, only it's visibility within coppermine needs admin approval. You have to make sure that no executables get uploaded in the first place, admin approval won't help in this case.
Logged

Joachim Müller

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 47844
  • aka "GauGau"
    • gaugau.de
Re: Patch for Coppermine 1.4.3 remote code execution - Update NOW!
« Reply #4 on: April 19, 2006, 10:25:58 pm »

split unrelated reply to this thread into separate one
Logged
Pages: [1]   Go Up
 

Page created in 0.018 seconds with 20 queries.