Topic: [bug] File Inclusion and Command Execution (SA24019)

xerofun

  • Coppermine newbie
  • Offline
  • Posts: 1
[bug] File Inclusion and Command Execution (SA24019)
« on: March 30, 2007, 09:31:01 pm »

Didn't find this one in the bugs board or by searching through the board. So if there's already a solution posted, sorry for the double post.

Checkout:
http://secunia.com/advisories/24019/

1) I fixed this by commenting out the "include($path)" in function cpg_get_custom_include in include/functions.inc.php because I'm sure I will never make use of this function. A definite solution might be to only allow including files within the cpg installation directory, or maybe even only within the themes directory? This means that the permissions of the cpg installation directory need to be set correctly, so that no local user can put any files into any of the directories.

2) Fixed this by replacing every ; with \; in $CONFIG['im_options'] every time it is used in include/imageObjectIM.class.php and include/picmgmt.inc.php (see attached patch).

Hope this helps.

In case there's already a fix, sorry. Just remove the posting. ;)
« Last Edit: April 01, 2007, 02:49:18 pm by GauGau »
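The two hardening ideas from the post above, as an added example that is not Coppermine's code and not the attached patch: the function names, the directory layout and the sample files are hypothetical, and for the second point it uses PHP's escapeshellarg on each option token instead of the post's manual \; substitution.

```php
<?php
// Added example, not Coppermine code: function names, the directory layout
// and the sample files are hypothetical. It shows (1) confining a custom
// include to one directory via realpath, and (2) quoting ImageMagick options
// per token with escapeshellarg so ';' cannot start a second shell command.

function resolve_within(string $base_dir, string $requested): ?string {
    $base   = realpath($base_dir);
    $target = realpath($base_dir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $target === false) {
        return null;                       // bad base or missing target
    }
    // Compare with a trailing separator so "/x/themes" is not matched by
    // "/x/themes_evil"; realpath already collapsed "../" and symlinks.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($target, $prefix, strlen($prefix)) === 0 ? $target : null;
}

function build_im_command(string $convert_bin, string $im_options,
                          string $in, string $out): string {
    // Split the option string on whitespace and quote every token; the
    // shell then sees each token as literal data, never as a separator.
    $tokens = preg_split('/\s+/', trim($im_options), -1, PREG_SPLIT_NO_EMPTY);
    $quoted = array_map('escapeshellarg', $tokens);
    return escapeshellcmd($convert_bin) . ' ' . implode(' ', $quoted)
        . ' ' . escapeshellarg($in) . ' ' . escapeshellarg($out);
}

// Constructed demo layout in a temporary directory.
$root = sys_get_temp_dir() . '/cpg_demo_' . getmypid();
mkdir("$root/themes", 0700, true);
file_put_contents("$root/themes/custom.php", "<?php return 'ok';\n");
file_put_contents("$root/secret.txt", "not a theme\n");

var_dump(resolve_within("$root/themes", 'custom.php'));    // legitimate theme file
var_dump(resolve_within("$root/themes", '../secret.txt')); // ../ traversal attempt
var_dump(resolve_within("$root/themes", '/etc/passwd'));   // absolute path attempt

// The ';' in the options string ends up inside a quoted argument.
echo build_im_command('/usr/bin/convert', '-quality 80; id',
                      'in.jpg', 'out.jpg'), "\n";

// Clean up the constructed files.
unlink("$root/themes/custom.php");
unlink("$root/secret.txt");
rmdir("$root/themes");
rmdir($root);
```

Only the first lookup resolves to a path; the two escape attempts return null, and the printed convert command carries the whole options string as quoted arguments rather than as a second shell command.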

Nibbler

  • Guest
Re: [bug] File Inclusion and Command Execution (SA24019)
« Reply #1 on: March 30, 2007, 09:48:16 pm »

This has already been discussed. It's a non-issue. Only give admin rights to people you trust.