Author Topic: [Closed]: Userpics not accessible  (Read 7943 times)

Ewald

[Closed]: Userpics not accessible
« on: September 16, 2009, 01:35:35 pm »

Hi,
I took over administration of a gallery which seems to be kind of messed up.
There are only 2 registered users (1 and 4); both are administrators.
Both have uploaded pics via HTTP, not knowing how to use FTP :-(
The uploaded pictures are on the server under albums/userpics/10001 and 10004;
the thumbnails are there as well.
Some of the pictures are visible in albums they were added to.
Now I want to do some cleaning up, add not yet added pictures to albums and
so on.
Problem is, neither using user 1 nor user 4 (got both passwords) can I get access
to the pics. Using index.php?cat=10004 or index.php?cat=10001 both lead to the
"No files or no Access"-Page.
Checked all configuration entries and can't find a reason for this.
The files are also listed in the database pictures-table though, according to the
owner name there, user 1 changed his name at some point in time.

Anybody got an idea what to check next?

Ewald




« Last Edit: September 16, 2009, 05:23:58 pm by Joachim Müller »

Joachim Müller

Ewald
Re: Userpics not accessible
« Reply #2 on: September 16, 2009, 03:45:02 pm »

http://forum.coppermine-gallery.net/index.php/topic,55415.msg270616.html#msg270616

Well, I don't see how it might help to actually look at the gallery in this case, but rules are rules so here you go:
http://gypsymc-gablingen.de/galerie

Oh and before I get the next default reply: I've already seen that the footer (powered by ) isn't correctly visible.
This will be restored with the new theme I already completed.

Ewald
Re: Userpics not accessible
« Reply #3 on: September 16, 2009, 04:28:43 pm »

Additional Information:

I checked out the permissions on files and folders.
Folder userpics and its subfolders are set to 755 like all
other working folders are.
All files are set to 644.


Joe Carver
Re: Userpics not accessible
« Reply #4 on: September 16, 2009, 04:31:25 pm »

You need to upgrade before doing anything else.

<!--Coppermine Photo Gallery 1.4.9 (stable)-->

Is old and vulnerable.

onthepike

Re: Userpics not accessible
« Reply #5 on: September 16, 2009, 04:33:08 pm »

I would bet that this gallery was hacked. Checking the IDs of other members' albums reveals a user with the name "Mr.X" who holds multiple album accounts yet has no profile.

I-Imagine has supplied you with update information.

Ewald
Re: Userpics not accessible
« Reply #6 on: September 16, 2009, 05:01:18 pm »

> You need to upgrade before doing anything else.
>
> <!--Coppermine Photo Gallery 1.4.9 (stable)-->
>
> Is old and vulnerable.

I will upgrade but I want to pick up all open strings before doing so.
Don't want to end up with a mix of problems without knowing whether they
are from the update or old administrator failures.

Ewald
Re: Userpics not accessible
« Reply #7 on: September 16, 2009, 05:09:12 pm »

> I would bet that this gallery was hacked. Checking the IDs of other members' albums reveals a user with the name "Mr.X" who holds multiple album accounts yet has no profile.
>
> I-Imagine has supplied you with update information.

Where did you get this information from?

I checked the album table, there is no owner information included.
I checked the category table, all categories are set to owner_id 0 which, I suppose, is public?
I checked the picture table, all pictures belong to users 0 or 4. Only the owner name for pics from user 1
is different from the actual username of user 1, but I know the name was changed shortly before I took over.

So could you please point me to the source of your information?

Joachim Müller
Re: Userpics not accessible
« Reply #8 on: September 16, 2009, 05:23:15 pm »

Upgrading won't cure an already infected gallery. Do exactly as suggested in the Yikes thread on this very sub-board. Since you deliberately hid the footer and since you seem to be aware of our policy not to support people who do so, there's nothing left to say. Marking thread as "closed".

Ewald
Re: Userpics not accessible
« Reply #9 on: September 16, 2009, 05:41:11 pm »

> Upgrading won't cure an already infected gallery. Do exactly as suggested in the Yikes thread on this very sub-board. Since you deliberately hid the footer and since you seem to be aware of our policy not to support people who do so there's nothing left to say. Marking thread as "closed".

1. I didn't deliberately hide the footer, this is the state of the theme I took over. I already stated this will be fixed in the new theme. I simply didn't want to mess around with the old one anymore.
2. Just because someone in a forum I don't know states the gallery is infected it doesn't have to be that way, and if it really is, it should be shown where and how this information was found.
If there's a way to gain information about the gallery that's not in the documentation that's not what I would call a secure application. If it's a way that's standard on the net I'd say it's in 'public' interest to know about it.
3. Till now I did all to give all information needed and answer all questions needed to resolve this quest. A simple memo to fix the footer would've been enough. Your way to handle requests in this forum is far beyond impolite even for an open source project. If there were someone to report you to for your behavior I would do so.

Nothing left to say on my side now.


Joe Carver
Re: Userpics not accessible
« Reply #10 on: September 16, 2009, 06:27:33 pm »

@ onthepike,

> I would bet that this gallery was hacked. Checking the IDs of other members' albums reveals a user with the name "Mr.X" who holds multiple album accounts yet has no profile.

Please, could you elaborate a bit?

[EDIT] It looks to be a function within functions.inc.php
       
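Code:
{ // Categories other than 0 need to be selected
    if ($cat >= FIRST_USER_CAT)
    {
        // User galleries are numbered FIRST_USER_CAT + user id
        $user_name = get_username($cat - FIRST_USER_CAT);
        // No user found for that id: fall back to the placeholder name
        if (!$user_name) $user_name = 'Mr. X';
        // ... (excerpt ends here)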

How is that a sign of a hacked gallery? [/EDIT]
« Last Edit: September 16, 2009, 07:22:34 pm by i-imagine »
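
An added example, not Coppermine code and not written by anyone in this thread: it reproduces the lookup in the excerpt above, where 'Mr. X' is the fallback when get_username() returns nothing, and uses it to classify directories under albums/userpics. FIRST_USER_CAT = 10000 (inferred from userpics/10001 belonging to user 1), the function names and the sample rows are assumptions made for the example.

```python
FIRST_USER_CAT = 10000  # assumption: inferred from albums/userpics/10001 belonging to user 1
PLACEHOLDER = "Mr. X"   # fallback name in the functions.inc.php excerpt above


def gallery_owner(cat, users):
    """Name shown for a category id, following the excerpt's lookup."""
    if cat < FIRST_USER_CAT:
        return None  # ordinary category: the excerpt does no user lookup
    return users.get(cat - FIRST_USER_CAT) or PLACEHOLDER


def triage(userpics_dirs, users, pictures):
    """Classify user-gallery directories.

    users    -- {user_id: current user name}, as read from the users table
    pictures -- [(owner_id, owner_name), ...], as read from the pictures table
    Returns {category id: (status, displayed name, stale owner names)}.
    """
    report = {}
    for entry in userpics_dirs:
        if not entry.isdecimal() or int(entry) < FIRST_USER_CAT:
            continue  # not a per-user directory
        cat = int(entry)
        uid = cat - FIRST_USER_CAT
        shown = gallery_owner(cat, users)
        # Owner names stored with the pictures that differ from the current name
        stale = sorted({name for oid, name in pictures
                        if oid == uid and name != users.get(uid)})
        if uid not in users:
            status = "orphaned"   # no user row: gallery displays as "Mr. X"
        elif stale:
            status = "renamed"    # picture rows keep the old owner name
        else:
            status = "ok"
        report[cat] = (status, shown, stale)
    return report


# Constructed sample data, not taken from the gallery in this thread.
USERS = {1: "new_admin", 4: "editor"}
PICTURES = [(1, "old_admin"), (1, "old_admin"), (4, "editor"), (7, "gone")]
DIRS = ["10001", "10004", "10007", "edit"]

if __name__ == "__main__":
    for cat, row in sorted(triage(DIRS, USERS, PICTURES).items()):
        print(cat, *row)
```

An "orphaned" row here only means the user record is missing; a "renamed" row matches the situation described in the first post, where the stored owner name differs from the current username.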

onthepike
Re: [Closed]: Userpics not accessible
« Reply #11 on: September 16, 2009, 07:25:09 pm »

Yes, I can. With an open apology as I had posted misinformation at the expense of a most-likely non-infected gallery and innocent owner. In my over-zealousness to try and help, I posted information that at the time I believed to be true, however after researching my response via my own gallery and then the demo here on this site, I fast realized that "Mr X" is a part of CPG and not any indication of infection.

In short, an explanation as to why I had but two posts over the course of 6 months, then countless thereafter is due to my current personal situation that has me between surgeries and on heavy medication. It wasn't until I awoke one morning and found myself with "Tester" status and thought I ought to "do more". The problem is, I simply don't know enough to provide many of the responses I have, and so I apologize for them as well.

I think now is a good time for me to take a break from this board (and another which I have been just as overzealous in) and learn a little more about the software I attempt to "support".

Again, my sincerest apologies to all.

73's

Joachim Müller
Re: Userpics not accessible
« Reply #12 on: September 16, 2009, 07:36:46 pm »

> 1. I didn't deliberately hide the footer, this is the state of the theme I took over

That's an excuse. Someone hid the footer in that theme. It doesn't matter if that was you or someone else you got the theme from. It's part of the license that comes with coppermine (read up the documentation that comes with your package if you don't trust me) that says you mustn't edit it out.

> I already stated this will be fixed in the new theme.

That is simply not acceptable. No visible, license compliant footer means no support. It's our choice who we support, not yours.

> If there's a way to gain information about the gallery that's not in the documentation that's not what I would call a secure application. If it's a way that's standard on the net I'd say it's in 'public' interest to know about it.

The documentation contains information about the package releases and the reasons for the releases. Of course an old copy of the documentation can't contain information that didn't exist then. You should have checked here frequently. You could have subscribed to the notifications for new releases. That's what others do. You can't expect that every piece of information about an open source app is in the docs. Quite frankly: your attitude sucks! If you're not happy about the security impact, then stop using coppermine.

> If there were someone to report you to for your behavior I would do so.

Sounds like you have a nice "Blockwart"-notion. Lovely.

> Nothing left to say on my side now.

That's fine. Locking thread then.

> Yes, I can. With an open apology as I had posted misinformation at the expense of a most-likely non-infected gallery and innocent owner.

No need to apologize - you did your best, and it's quite likely that such an ancient version actually was hacked, even if you have interpreted something wrong.

> I think now is a good time for me to take a break from this board (and another which I have been just as overzealous in) and learn a little more about the software I attempt to "support".

Please don't quit. We're very fond of the support you provide.

phill104
Re: [Closed]: Userpics not accessible
« Reply #13 on: September 16, 2009, 08:04:21 pm »

> I think now is a good time for me to take a break from this board (and another which I have been just as overzealous in) and learn a little more about the software I attempt to "support".


I fully agree with Joachim. You have given some excellent advice and should keep it up. We all learn by our mistakes, especially me so I keep making them for that very reason ;).
It is a mistake to think you can solve any major problems just with potatoes.