Advanced search  

News:

cpg1.5.48 Security release - upgrade mandatory!
The Coppermine development team is releasing a security update for Coppermine in order to counter a recently discovered vulnerability. It is important that all users who run version cpg1.5.46 or older update to this latest version as soon as possible.
[more]

Pages: [1]   Go Down

Author Topic: Best Practices for plugin security?  (Read 4382 times)

0 Members and 1 Guest are viewing this topic.

slausen

  • Coppermine regular visitor
  • **
  • Offline Offline
  • Posts: 67
Best Practices for plugin security?
« on: April 13, 2008, 10:55:23 pm »

Hi-

I went through and pulled a list of plugins that I might want to make available in my gallery, but one thing that I am unclear about is the best practice for applying security to plugin functionality...

Is there a general way to, for example, restrict access to certain plugins to users in the Administrator group?

The stats plugin (Francois Keller 1.1.1 version) is a good example. It is a great plugin, but I would not want it to be available to non-Administrators. Some others in this category are File Replacer, onlinestats, Filetypes Editor, minicms. Is there a standard way to apply security to items in the plugins/ directory, so that they are only viewable/accessible/executable by Admins?

From a cursory reading of index.php and several plugins, it also seems like it may be possible for a logged in user to execute any installed plugin (either directly, since the 'plugins/' directory is at the cpg webroot or via the "file=" parameter appended to index.php)

If I am mistaken, it would be great to know. Also, if the best practice is not to run plugins in an environment where security is a concern, that would be good to know also. I guess for some plugins, I could disable them and remove the directories containing the files from the server and only enable them during maintenance and downtimes, but if there is a more straightforward solution, I would prefer that.

Thanks.
Logged

slausen

  • Coppermine regular visitor
  • **
  • Offline Offline
  • Posts: 67
Re: Best Practices for plugin security?
« Reply #1 on: April 14, 2008, 12:27:06 am »

it also seems like it may be possible for a logged in user to execute any installed plugin (either directly, since the 'plugins/' directory is at the cpg webroot or via the "file=" parameter appended to index.php)


I was just doing some further testing on this, and have found that even after uninstalling (via the CPG Plugin UI) the stats plugin, I am still able to execute it by submitting the URL 'http://path/to/cpg_root/index.php?file=stats/stats' as an unprivileged (non-Admin, member of "Registered" group) user.

I checked the _plugins DB table and the stats plugin is no longer there.

I also logged out and logged back in - the Stats link vanished from the menu after the uninstall, but the direct URL submit appears to run the plugin even though it's no longer "installed"

In addition to this being a possible bug, it also seems like a security risk...
Logged

Nibbler

  • Guest
Re: Best Practices for plugin security?
« Reply #2 on: April 14, 2008, 12:39:58 am »

It's up to the plugin authors to secure them properly, however being able to access plugins after they have been uninstalled is probably a bug.
Logged

slausen

  • Coppermine regular visitor
  • **
  • Offline Offline
  • Posts: 67
Re: Best Practices for plugin security?
« Reply #3 on: April 14, 2008, 02:08:11 am »

It's up to the plugin authors to secure them properly, however being able to access plugins after they have been uninstalled is probably a bug.

Thanks Nibbler, I think I will hold off on the plugins at the moment.
Logged

tfischer

  • Coppermine regular visitor
  • **
  • Offline Offline
  • Posts: 75
    • Fischersplace Photo Gallery
Re: Best Practices for plugin security?
« Reply #4 on: April 14, 2008, 03:34:49 am »

MiniCMS works properly only in Admin mode (you can, of course, see the content as a non-admin user).  All the other plugins I use that should be admin-only work properly in that regard.  I've never used the stats plugin so I can't speak to that one, but I wouldn't let one plugin cloud your judgement of all of them -- as Nibbler said it's up the the plugin implementor to do things right.

-Tim
Logged
Pages: [1]   Go Up
 

Page created in 0.018 seconds with 19 queries.