Advanced search  


cpg1.5.48 Security release - upgrade mandatory!
The Coppermine development team is releasing a security update for Coppermine in order to counter a recently discovered vulnerability. It is important that all users who run version cpg1.5.46 or older update to this latest version as soon as possible.

Pages: [1]   Go Down

Author Topic: Database Info. Security Concerns - cpmFetch - install.php -  (Read 3192 times)

0 Members and 1 Guest are viewing this topic.

Joe Carver

  • Dev Team member
  • Coppermine addict
  • ****
  • Country: us
  • Offline Offline
  • Gender: Male
  • Posts: 1539
  • aka 'i-imagine'
    • Home Page
Database Info. Security Concerns - cpmFetch - install.php -
« on: November 11, 2009, 03:03:45 pm »

The installation file for cpmFetch will list the contents of the db Config settings to anyone that runs it.

Installation has no restrictions on who can run it. Sensitive cpg information (db name and passwrod) don't appear, however there are rows that look to display Bridging db information.

Without too much more to go on, I would recommend that the file cpmfetch/install.php be deleted after you have installed cpmfetch.

Copied from (someone's) install.php
Code: [Select]
BRIDGE: short_name:
BRIDGE: license_number:
BRIDGE: db_database_name:
BRIDGE: db_hostname:
BRIDGE: db_username:
BRIDGE: db_password:
BRIDGE: full_forum_url:
BRIDGE: relative_path_of_forum_from_webroot:
BRIDGE: relative_path_to_config_file:
BRIDGE: logout_flag:
BRIDGE: use_post_based_groups:
BRIDGE: cookie_prefix:
BRIDGE: table_prefix:
BRIDGE: user_table:
BRIDGE: session_table:

I have tried a quick test with SMF2.0 bridged to a cpg1.4.25 test gallery and have re-run cpmFetch install.php. It returned/displayed only the value for BRIDGE: short_name:.

I would still recommend deleting install.php fom the cpmfetch folder after a successful installation

« Last Edit: November 11, 2009, 06:38:57 pm by i-imagine »
Pages: [1]   Go Up

Page created in 0.022 seconds with 21 queries.