Topic: [bug] File Inclusion and Command Execution (SA24019)

xerofun

[bug] File Inclusion and Command Execution (SA24019)
« on: March 30, 2007, 09:31:01 pm »

Didn't find this one in the bugs board or by searching through the board. So if there's already a solution posted, sorry for the double post.

Check out:
http://secunia.com/advisories/24019/

1) I fixed this by commenting out the "include($path)" in function cpg_get_custom_include in include/functions.inc.php because I'm sure I will never make use of this function. A definite solution might be to only allow including files within the cpg installation directory, or maybe even only within the themes directory? This concludes that the permissions of the cpg installation directory need to be set correctly, so that no local user can put any files into any of the directories.

2) Fixed this by replacing every ; with \; in $CONFIG['im_options'] every time it is used in include/imageObjectIM.class.php and include/picmgmt.inc.php (see attached patch).

Hope this helps.

In case there's already a fix, sorry. Just remove the posting. ;)
« Last Edit: April 01, 2007, 02:49:18 pm by GauGau »
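
The containment check suggested in point 1 of the post above, as an added example that is not part of the original post and not Coppermine's own code. The helper names `resolve_inside()` and `safe_custom_include()` and the temporary directory layout are assumptions made for illustration.

```php
<?php
// Added example; resolve_inside() and safe_custom_include() are hypothetical
// helpers, not Coppermine functions.

function resolve_inside(string $path, string $baseDir): ?string
{
    $base = realpath($baseDir);
    $real = realpath($path); // resolves "..", symlinks; false for URLs and missing files
    if ($base === false || $real === false || !is_file($real)) {
        return null;
    }
    // Trailing separator so that /srv/cpg-evil does not pass as /srv/cpg.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

function safe_custom_include(string $path, string $baseDir): string
{
    $real = resolve_inside($path, $baseDir);
    if ($real === null) {
        return ''; // refuse; a production version would also log the attempt
    }
    ob_start();
    include $real;
    return (string) ob_get_clean();
}

// Constructed sandbox: an "installation" directory and a sibling outside it.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'cpg_demo_' . getmypid();
mkdir("$root/cpg/themes", 0700, true);
mkdir("$root/cpg-evil", 0700, true);
file_put_contents("$root/cpg/themes/header.php", "<?php echo 'custom header';");
file_put_contents("$root/cpg-evil/x.php", "<?php echo 'outside';");

$cases = [
    "$root/cpg/themes/header.php",           // inside the base: allowed
    "$root/cpg/themes/../../cpg-evil/x.php", // traversal out of the base: refused
    "$root/cpg-evil/x.php",                  // prefix look-alike: refused
    "http://example.invalid/x.txt",          // URL: realpath() fails, refused
];
foreach ($cases as $p) {
    printf("%-8s %s\n", resolve_inside($p, "$root/cpg") ? 'include' : 'refuse', $p);
}
// Narrower policy from the post: only the themes directory is allowed.
echo safe_custom_include($cases[0], "$root/cpg/themes"), "\n";
```

As the post notes, the check only holds if the base directory itself is not writable by other local users.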

Nibbler

Re: [bug] File Inclusion and Command Execution (SA24019)
« Reply #1 on: March 30, 2007, 09:48:16 pm »

This has already been discussed. It's a non-issue. Only give admin rights to people you trust.