Author Topic: Gallery is a big security hole and open relay?  (Read 15847 times)


Saubloed

  • Coppermine newbie
  • Offline Offline
  • Posts: 6
Gallery is a big security hole and open relay?
« on: October 20, 2003, 09:22:35 pm »

Maybe it's one of the best galleries BUT:

- it's by default an open relay because anonymous users can send emails
- emails don't contain non-fakeable information like sender IP
- passwords are stored in database as clear text
- doesn't work with safe_mode
- files in zip archives will never have the correct file permissions by default
- AFAIK old versions with security hole are still downloadable and it's only hidden noted in FAQ (!?!)
- FAQ is only readable with JavaScript and the gallery also contains some unnecessary JavaScript that doesn't work with all browsers

Come on - just look at the phpBB code: passwords are stored with md5sum hashes, it works with safe_mode, emails contain anti-abuse information, they release files also as tar.gz, they only use JavaScript for things that are not important.

The cracy programmers of this gallery should put the root passwort at every webpage - would be the same effekt. LOL
Logged

jasendorf

  • VIP
  • Coppermine frequent poster
  • ***
  • Offline Offline
  • Posts: 350
    • http://www.338tharmyband.com
Gallery is a big security hole and open relay?
« Reply #1 on: October 20, 2003, 09:43:07 pm »

Here's an idea... if you don't like it, don't use it.

Quote
The cracy programmers of this gallery should put the root passwort at every webpage - would be the same effekt. LOL


Alrighty... here's my gallery, http://www.338tharmyband.com/photo_gallery/

Upload a photo to it.  Here's your chance to show us all how your "theory" will work.
Logged
Read the Online DOCs,FAQ, and SEARCH the board BEFORE posting questions for help.

Rodinou

  • Contributor
  • Coppermine frequent poster
  • ***
  • Offline Offline
  • Gender: Male
  • Posts: 346
  • Tournicoti, Tournicota
    • http://www.sortons.net
Gallery is a big security hole and open relay?
« Reply #2 on: October 20, 2003, 10:47:17 pm »

Waouhhh, your pic signature is all my information about me: congratulations :)

jasendorf

  • VIP
  • Coppermine frequent poster
  • ***
  • Offline Offline
  • Posts: 350
    • http://www.338tharmyband.com
Gallery is a big security hole and open relay?
« Reply #3 on: October 20, 2003, 10:55:17 pm »

Big deal... it's a simple magic trick... Your browser gives this information freely and it is not a security issue.  Don't let his little trick impress you... You want to see an impressive trick, click here.
Logged
Read the Online DOCs,FAQ, and SEARCH the board BEFORE posting questions for help.

Joachim Müller

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 47844
  • aka "GauGau"
    • gaugau.de
Gallery is a big security hole and open relay?
« Reply #4 on: October 20, 2003, 11:31:32 pm »

troll alert!
Although Saubloed (nomen est omen? for non-German-speaking users: "saubloed"="thick as a brick") is right on some of his issues, I'll have to make some statements, only to solve some misunderstandings:

Quote
it's by default an open relay because anonymous users can send emails
we seem to have different definitions of the term "open relay"...
Quote
emails don't contain non-fakeable information like sender IP
I consider this as a feature request
Quote
passwords are stored in database as clear text
you're right on this - we're working on it...
Quote
doesn't work with safe_mode
not true, safe mode works fine; even with servers where safe mode is not configured properly you can use silly_safe_mode-settings
Quote
files in zip archives will never have the correct file permissions by default
true, but usually Windows users (the majority of our users) will unzip it on their client using WinZip or similar, so the advantages of a tarball will be gone. We released our files in a hurry (the original site chezgreg.net had gone down, so we didn't pack up everything as tarball).
Quote
AFAIK old versions with security hole are still downloadable and it's only hidden noted in FAQ (!?!)
afaik the known security holes that have been an issue with cpg1.0 have been fixed in the files that are available for download
Quote
FAQ is only readable with JavaScript and the gallery also contains some unnecessary JavaScript that doesn't work with all browsers
true, the FAQ needs a re-work
Quote
...they only use JavaScript for things that are not important
so does coppermine - the slideshow and the full-size pop-up aren't essential for coppermine to work
Quote
The cracy programmers of this gallery should put the root passwort at every webpage - would be the same effekt. LOL
your posting has been OK until this remark - I won't take the effort to check whether you provided a valid email address on registration - you surely didn't. :roll:

GauGau
Logged

John

  • Coppermine regular visitor
  • **
  • Offline Offline
  • Posts: 75
Gallery is a big security hole and open relay?
« Reply #5 on: October 20, 2003, 11:46:35 pm »

@Saubloed: :) Thank you for pointing out what the dev team already knows.
Logged

EZ

  • VIP
  • Coppermine frequent poster
  • ***
  • Offline Offline
  • Posts: 130
Gallery is a big security hole and open relay?
« Reply #6 on: October 21, 2003, 12:00:58 am »

I think that counter-attacking isn't the way. We should take whatever relevant criticism is in the post for our benefit, and just ignore the rest.

Indeed the original poster may be just a troll, but on the other hand he may have intended to report some issues that he considers as flaws, and he just doesn't have the manners to do it right.

One way or another, if he made any useful comment then great for us, and for all the rest who cares.

EZ.
Logged

John

  • Coppermine regular visitor
  • **
  • Offline Offline
  • Posts: 75
Gallery is a big security hole and open relay?
« Reply #7 on: October 21, 2003, 12:04:48 am »

@EZ: Agreed, I knew this before I posted; as they say, "if not part of solution then part of problem". I will say no more.
Logged

Saubloed

  • Coppermine newbie
  • Offline Offline
  • Posts: 6
Gallery is a big security hole and open relay?
« Reply #8 on: October 21, 2003, 12:19:13 am »

Quote from: "gaugau"
Quote
it's by default an open relay because anonymous users can send emails
we seem to have different definitions of the term "open relay"...


It IS an open relay. Since jasendorf says you can use it - do it:
http://www.338tharmyband.com/photo_gallery/ecard.php?album=2&pid=457&pos=0

Should I send you 1 million of emails or 10 or 10000?
Logged

Joachim Müller

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 47844
  • aka "GauGau"
    • gaugau.de
Gallery is a big security hole and open relay?
« Reply #9 on: October 21, 2003, 12:19:21 am »

you're right - I just started trackers on these issues...

GauGau
Logged

Saubloed

  • Coppermine newbie
  • Offline Offline
  • Posts: 6
Gallery is a big security hole and open relay?
« Reply #10 on: October 21, 2003, 12:20:26 am »

Quote from: "Rodinou"
Waouhhh, your pic signature is all my information about me: congratulations :)


Look at this website:
http://www.danasoft.com/
Logged

Saubloed

  • Coppermine newbie
  • Offline Offline
  • Posts: 6
Gallery is a big security hole and open relay?
« Reply #11 on: October 21, 2003, 12:34:23 am »

Quote from: "gaugau"
Quote
The cracy programmers of this gallery should put the root passwort at every webpage - would be the same effekt. LOL
your posting has been OK until this remark - I won't take the effort to check whether you provided a valid email address on registration - you surely didn't. :roll:


Just imagine:
- there is a bug in a PHP script
- you can get the password of the admin user of the gallery and you probably have the login password of FTP/SSH
- even if not - you have the (encrypted) MySQL password (and can crack it very fast if it is not long (<12 characters)) and you probably have the FTP/SSH login
- in the worst case there is a local root security hole (ptrace bug)

My problem is just that I am a little webhoster and I recognized that this script is a must-have for some of my customers, but it brings me gigantic problems.
Logged

John

  • Coppermine regular visitor
  • **
  • Offline Offline
  • Posts: 75
Gallery is a big security hole and open relay?
« Reply #12 on: October 21, 2003, 12:39:13 am »

do you have or could you make some fixes for cpg ??
Logged

Joachim Müller

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 47844
  • aka "GauGau"
    • gaugau.de
Gallery is a big security hole and open relay?
« Reply #13 on: October 21, 2003, 12:40:04 am »

OK, so this all boils down to md5-encryption of the passwords in the database, right?

I started a tracker on this, let's see...

GauGau
Logged

Saubloed

  • Coppermine newbie
  • Offline Offline
  • Posts: 6
Gallery is a big security hole and open relay?
« Reply #14 on: October 21, 2003, 12:42:24 am »

Quote from: "gaugau"
OK, so this all boils down to md5-encryption of the passwords in the database, right?

I started a tracker on this, let's see...


Ok thank you.
I also think anonymous e-card sending should be disabled until it is limited or contains anti-abuse information. I will report this as a bug.
Logged
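
An added example (not part of the thread and not Coppermine code) of the two measures asked for in the post above, limiting e-card sending and attaching anti-abuse information: a per-IP sliding-window limit plus an `X-Originating-IP` header. The function names, the limit of 5 cards per hour and the sample addresses are assumptions made for illustration.

```php
<?php
// Added example, not Coppermine code; every name here is hypothetical.

const ECARD_LIMIT  = 5;     // assumed policy: cards allowed per sender IP
const ECARD_WINDOW = 3600;  // ...within this many seconds

// Sliding-window limiter. $log maps IP => send timestamps; a real gallery
// would keep this in a database table instead of an in-memory array.
function ecard_allowed(array &$log, string $ip, int $now): bool
{
    $recent = array_values(array_filter(
        $log[$ip] ?? [],
        fn(int $t): bool => $t > $now - ECARD_WINDOW
    ));
    $allowed = count($recent) < ECARD_LIMIT;
    if ($allowed) {
        $recent[] = $now;   // only accepted sends count against the limit
    }
    $log[$ip] = $recent;
    return $allowed;
}

// Headers that record who triggered the mail. Line breaks are stripped so a
// form value always stays inside its own header line.
function ecard_headers(string $fromName, string $fromAddr, string $ip): array
{
    $clean = fn(string $s): string => trim(str_replace(["\r", "\n"], '', $s));
    if (filter_var($fromAddr, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid sender address');
    }
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        $ip = 'unknown';
    }
    return [
        'From'             => sprintf('"%s" <%s>', addcslashes($clean($fromName), '"\\'), $fromAddr),
        'X-Originating-IP' => "[$ip]",
    ];
}

// Constructed demo: seven requests from one address, one minute apart.
$log = [];
$ip  = '203.0.113.7';                 // documentation-range address
for ($i = 0; $i < 7; $i++) {
    $ok = ecard_allowed($log, $ip, 1066694400 + 60 * $i);
    echo $i + 1, ': ', $ok ? 'sent' : 'refused', "\n";
}
print_r(ecard_headers('Anonymous visitor', 'visitor@example.com', $ip));
```

The first five requests in the demo are accepted and the last two refused. The returned array can be passed as the headers argument of `mail()` on PHP 7.2 or later; the arrow functions need PHP 7.4.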

jasendorf

  • VIP
  • Coppermine frequent poster
  • ***
  • Offline Offline
  • Posts: 350
    • http://www.338tharmyband.com
Gallery is a big security hole and open relay?
« Reply #15 on: October 21, 2003, 01:18:26 am »

BTW, Saubloed, I still am waiting for you to break in to my "insecure" Coppermine Photo Gallery...

Or, perhaps you need me to "put the root password on every webpage" for you to be successful?


Come on big boy... show us what you got.  Either that or STFU.
Logged
Read the Online DOCs,FAQ, and SEARCH the board BEFORE posting questions for help.

Joachim Müller

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 47844
  • aka "GauGau"
    • gaugau.de
Gallery is a big security hole and open relay?
« Reply #16 on: October 21, 2003, 01:20:41 am »

hush, flame off, torch! 8)

GauGau
Logged

moorey

  • VIP
  • Coppermine frequent poster
  • ***
  • Offline Offline
  • Posts: 404
Re: Gallery is a big security hole and open relay?
« Reply #17 on: October 21, 2003, 03:20:34 am »

Quote from: "Saubloed"
The cracy programmers of this gallery should put the root passwort at every webpage - would be the same effekt. LOL


I'd like to see you write your own secure gallery and come up with a different "cracy effekt".
Logged

Tarique Sani

  • VIP
  • Coppermine addict
  • ***
  • Offline Offline
  • Gender: Male
  • Posts: 2712
    • http://tariquesani.net
Gallery is a big security hole and open relay?
« Reply #18 on: October 21, 2003, 04:09:08 am »

Except for the fact that by default e-cards can be sent by anonymous users everything else - Yes even the passwords stored in clear text in MySQL - are comments of a troll who used cheap Microsoftish tricks to impress the naive.

Just spreading FUD - nuff said, back to work everyone.

BTW I have fixed the e-card sending defaults in CVS
Logged
SANIsoft PHP applications for E Biz

jasendorf

  • VIP
  • Coppermine frequent poster
  • ***
  • Offline Offline
  • Posts: 350
    • http://www.338tharmyband.com
Gallery is a big security hole and open relay?
« Reply #19 on: October 21, 2003, 06:57:05 am »

BUWAHAHAHAHAHAHAHAHA

This moron just spammed my email box with 10 e-cards...  even though I specifically said:

Quote
Alrighty... here's my gallery, http://www.338tharmyband.com/photo_gallery/

Upload a photo to it. Here's your chance to show us all how your "theory" will work.


No one was denying the ability to send multiple e-cards as an anonymous user (never mind that I have your IP in my http log now...).  But, I'm fairly certain my challenge was pretty clear.  You failed.  Now, trolly, go away.
Logged
Read the Online DOCs,FAQ, and SEARCH the board BEFORE posting questions for help.