News:

cpg1.5.48 Security release - upgrade mandatory!
The Coppermine development team is releasing a security update for Coppermine in order to counter a recently discovered vulnerability. It is important that all users who run version cpg1.5.46 or older update to this latest version as soon as possible.
Author Topic: security hole in CPG  (Read 3201 times)


anpaza

  • Coppermine newbie
  • Offline Offline
  • Posts: 2
security hole in CPG
« on: September 21, 2008, 08:29:35 pm »

Hello!

I've been using CPG 1.4.10 for a long time, and was once hacked by some moron. I've analyzed the logs and found the bug which was used by that little prick to get in. Unfortunately, I haven't bothered to report it.

Now I decided to upgrade to latest 1.4.19, and guess what... the bug is still there.

So I took the time to report it.

I won't describe how the hack works, in a naive attempt to prevent other sites from being hacked within a short time. The bug is in the function cpg_get_custom_include().

Here's just the fix (the CPG developers may find a better way to do it; I'm not a PHP programmer at all):

Code:
diff -urw cpg1410/include/functions.inc.php /var/www/html/photo/include/functions.inc.php
--- cpg1410/include/functions.inc.php   2006-10-29 22:56:50.000000000 +0300
+++ /var/www/html/photo/include/functions.inc.php   2008-04-11 00:59:47.000000000 +0400
@@ -2842,6 +2842,12 @@
     {
         return $return;
     }
+
+    // Check that the file is not user-writeable
+    // If we don't do this we're asking for troubles
+    if (posix_access ($path, POSIX_W_OK))
+        return $return;
+
     ob_start();
     include($path);
     $return = ob_get_contents();
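Review bot: The new guard `if (posix_access ($path, POSIX_W_OK))` depends on PHP's POSIX extension, which is not present in every build (it is missing on Windows and on some shared hosts), so on those installs this line would die with an undefined-function fatal error instead of protecting anything; either wrap it in `function_exists('posix_access')` or use the core `is_writable($path)`, which performs the equivalent check without the extension dependency. The check is also made relative to the PHP process's own user: on suPHP/CGI setups where PHP runs as the file owner, every custom include file is writable and the function will silently `return $return;` for all of them, so consider writing a log entry before that early return so administrators can tell a refused include from a disabled one.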

Also another simple hint to avoid being hacked: change define('COPPERMINE_VERSION'...) in include/init.inc.php to some bogus version. This way, you'll avoid your site being found with a simple Google search for vulnerable versions.
Logged

Nibbler

  • Guest
Re: security hole in CPG
« Reply #1 on: September 21, 2008, 08:54:03 pm »

You can't search HTML comments using google AFAIK, and changing the version number will stop the version checker working properly.

If you have details of an actual security issue in the current 1.4.19 then PM me.
Logged

anpaza

  • Coppermine newbie
  • Offline Offline
  • Posts: 2
Re: security hole in CPG
« Reply #2 on: September 21, 2008, 11:01:38 pm »

Yes, but you can search for "Powered by Coppermine Gallery" first, and then look in the HTML to find out which version is installed to choose an appropriate attack vector.

In 1.4.19 one would also have to remove the "<!-- SVN Version info" comments from every template.html file, since it also contains the version number.

The rest will go in a PM.
Logged