
Author Topic: SiteMap Crawlers Delete All Photos  (Read 5824 times)


Spaatz

  • Coppermine newbie
  • Offline Offline
  • Posts: 6
SiteMap Crawlers Delete All Photos
« on: June 01, 2006, 04:19:29 am »

I just upgraded to 1.4.6 from 1.4.5 because I thought I was subjected to the security vulnerability discussed in previous threads as all of my albums and photos were deleted this morning.

Well, after putting it all back together, I ran a sitemaps scan of my site and lo and behold, all of my albums and photos were once again deleted.

It turns out that the sitemap generator was triggering some sort of delete command in my files.  Everything in my album folder was deleted.

My site is http://www.pphsreunion96.org/coppermine/

I have it open up for anyone to sign up and post pictures to public forums. 

Has anyone else run into this problem?
« Last Edit: June 04, 2006, 09:33:05 pm by Spaatz »
Logged

Joachim Müller

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 47843
  • aka "GauGau"
    • gaugau.de
Re: Web Spiders Delete All Photos
« Reply #1 on: June 01, 2006, 06:23:12 am »

We won't go through registration just to be able to help you. Post a test user account.
Logged

Spaatz

  • Coppermine newbie
  • Offline Offline
  • Posts: 6
Re: Web Spiders Delete All Photos
« Reply #2 on: June 01, 2006, 03:42:38 pm »

Username:  Test
Password:  Test

I ended up restricting all access to the /coppermine/ directory in my robots.txt file.  It appears to be working thus far.

Logged

Tranz

  • Dev Team member
  • Coppermine addict
  • ****
  • Country: 00
  • Offline Offline
  • Gender: Female
  • Posts: 6149
Re: Web Spiders Delete All Photos
« Reply #3 on: June 01, 2006, 03:44:25 pm »

How can the spiders get to delete the photos if we humans can't even see the gallery without logging in? Are you using a hack that allows spiders special access?
Logged

Spaatz

  • Coppermine newbie
  • Offline Offline
  • Posts: 6
Re: Web Spiders Delete All Photos
« Reply #4 on: June 01, 2006, 04:16:51 pm »

I haven't modified the software in any way, shape or form.  The only thing I did was run a JavaScript-based Google sitemap generator on the site root (http://www.auditmypc.com/free-sitemap-generator.asp) so that the Google webspider could crawl my site more effectively.  Once the JavaScript sitemap generator was finished - poof, everything gone!  I reinstalled everything and then the Google webspider came along and once again, poof!

The gallery is bridged with phpBB2 - latest version.

So, no special hacks.  Just the basic installation.

I'm wondering about the config files in this case.  They are configured to use my login and password for the whole site to access the SQL database.  Could the spider be drawing from this password and userid when it runs delete commands?

Logged

Paver

  • Dev Team member
  • Coppermine addict
  • ****
  • Country: us
  • Offline Offline
  • Gender: Male
  • Posts: 1609
  • Paul V.
Re: Web Spiders Delete All Photos
« Reply #5 on: June 01, 2006, 04:59:45 pm »

Delete is only allowed for Coppermine administrators.  Yes, the database login info is stored, but you still have to log in to Coppermine as an administrator using a non-stored username and password.  I don't understand how a sitemap generator or webspider can log in as an administrator unless you provided this information in the sitemap generator (I haven't looked at it yet to see how it works) or unless you added other users (like Registered or Guests) to the Administrators group - if that's possible - I have never considered such a thing.  Usually only one person is the administrator.
Logged

Nibbler

  • Guest
Re: Web Spiders Delete All Photos
« Reply #6 on: June 01, 2006, 05:24:34 pm »

Log out before running the sitemap generator; it seems to be a client-side crawler.
Logged

Spaatz

  • Coppermine newbie
  • Offline Offline
  • Posts: 6
Re: Web Spiders Delete All Photos
« Reply #7 on: June 01, 2006, 07:26:21 pm »

> Log out before running the sitemap generator; it seems to be a client-side crawler.

I think we have an answer.  I cannot check it until tonight but I believe that this is the correct answer.
Logged

Spaatz

  • Coppermine newbie
  • Offline Offline
  • Posts: 6
Re: Web Spiders Delete All Photos
« Reply #8 on: June 02, 2006, 02:43:30 pm »

> I think we have an answer.  I cannot check it until tonight but I believe that this is the correct answer.

Got home to find that lightning had fried my cable modem.  Will check it again tonight. 
Logged

Spaatz

  • Coppermine newbie
  • Offline Offline
  • Posts: 6
Re: Web Spiders Delete All Photos
« Reply #9 on: June 04, 2006, 04:15:47 am »

> Log out before running the sitemap generator; it seems to be a client-side crawler.

We have a winner!   I ran a scan of the site after logging out and it didn't delete anything! 

Thanks for everyone's help!
Logged
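
Added example, not part of the original thread and not Coppermine code: a sketch of why a crawl run inside a logged-in administrator's browser can delete content, and the server-side check that prevents it. It assumes the deletions were triggered by the crawler following admin-only links as plain GET requests, which the thread implies but does not confirm; the URLs, session fields and function names are hypothetical.

```python
import hashlib
import hmac
import secrets

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret, generated for this demo


def action_token(session_id: str, action: str) -> str:
    """Token bound to one session and one action; placed in the POST form only."""
    msg = f"{session_id}:{action}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def legacy_guard(method: str, session: dict, form: dict) -> bool:
    """Role check only: any request carrying the admin's cookies passes."""
    return bool(session.get("is_admin"))


def hardened_guard(method: str, session: dict, form: dict) -> bool:
    """Role check, plus: no state change on safe methods, and a form token."""
    if not session.get("is_admin"):
        return False
    if method.upper() in SAFE_METHODS:
        # A crawler only follows links, i.e. it issues GETs. Refusing here means
        # a crawl made with the admin's cookies cannot change anything.
        return False
    expected = action_token(session["id"], "delete_photo")
    return hmac.compare_digest(form.get("token", ""), expected)


def crawl(guard, session: dict, links: list) -> list:
    """Follow every link with GET and no form data; return the links that 'deleted'."""
    return [link for link in links if guard("GET", session, {})]


# Constructed sample data: an admin session and hypothetical delete links.
ADMIN = {"id": "sess-1234", "is_admin": True}
GUEST = {"id": "sess-9999", "is_admin": False}
LINKS = [f"/gallery/delete?photo={n}" for n in range(1, 4)]

if __name__ == "__main__":
    print("legacy, crawl as admin:  ", crawl(legacy_guard, ADMIN, LINKS))
    print("hardened, crawl as admin:", crawl(hardened_guard, ADMIN, LINKS))
    form = {"token": action_token(ADMIN["id"], "delete_photo")}
    print("hardened, admin POST:    ", hardened_guard("POST", ADMIN, form))
```

Logging out before crawling, as suggested in the thread, removes the administrator session from the picture; the hardened guard addresses the same problem on the server for the case where someone forgets.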