News:

CPG Release 1.6.28
added submissions from {406man}
cleaned up a few PHP (8.4) deprecations
fixed PHP deprecation in calendar
removed security vulnerability
(please upgrade when possible)

Search results for: rar vulnerability

......  minor issues. It takes care as well of the ".rar"-exploit (that actually isn't a Coppermine bug,  ............  suggested above, cpg1.4.6 does not only fix the .rar vulnerability, but several other (minor) issues  ............ , you should at least apply the fix for the ".rar-exploit". To do so, edit include/functions.inc. ............  the last "valid" extension in the filename (rar exploit): replace all  * dots in the filename  ......
......  is a very serious vulnerability in the Apache webserver that is actually a " ............  breach, the current one being the "Apache RAR Exploit". Your Coppermine gallery and any other  ............  to abuse unless each application addresses this vulnerability/feature of Apache's processing of PHP files.   ............  about it here: Coppermine-driven galleries hit by RAR exploit  Coppermine 1.4.6 was the first release  ............  release CPG1.4.6 protects against Apache's .rar vulnerability  You are strongly recommended to  ............  of your gallery to the currently popular "RAR Exploit", which allows someone to inject code  ......
......  version, it's also about protecting against the .rar vulnerability. 2. The "hotfix" doesn't apply to 1. ......
#4
cpg1.4 miscellaneous / *.php.rar = big problem
August 01, 2006, 08:09:06 PM by mopieo
...... (i.e. pages that have fallen victim to the xxx.php.rar exploit). It will only keep sites that haven't  ......
......  the suggestion to contact my ISP regarding this vulnerability. After convincing them it was not a purely  ............ 're correct in stating that files with the .php.rar extension are >parsed as PHP files, and that your  ............  these files executed as PHP. > >This is not a vulnerability on our part. If you allow users to upload >files  ......
......  release CPG1.4.6 that protects against Apache's .rar vulnerability" patch as well) You do not have  ......
#7
cpg1.4 miscellaneous / xxx.php.rar exploit question
September 25, 2006, 07:12:59 PM by wmaster
......  with the apache bug which allows the xxx.php.rar exploit.  However, someone recently tried this  ............  on one of my websites. I installed the test.php.rar file to see if my webserver was vulnerable AND IT  ............  attempt failed, is because the user uploaded the rar file as a guest which did not immediately make  ............  user simply registered, and uploaded the xxx.php.rar file, he/she would have been able to tell what  ............  path to the .rar file was, and executed it.  So how did the 1.4.6  ............  logs don't show anyone actually executing any rar files, but these logs may have been spoofed as  ......
......  on January 21, 2006, 04:19:50 AM Can you allow RAR upload on this board. RAR compression is much  ............ ! I won't, as there are issues with rar vulnerabilities that could compromise the  ............  has a packing utility that can decompress rar archives, so we go for the agreed standard, which  ......
......  harm. The original uploader tried to exploit a vulnerability in Apache that was not sanitized in previous  ............  of coppermine. The original file was named ly.php.rar (notice the dot), which would have posed a risk  ......
......  sure you haven't fallen victim to the rar vulnerability (not an actual coppermine issue,  ............  misconfiguration issue) - search the board for "rar". Impossible to say for sure without details.  ......
......  threads I referred to and disallow the upload of .rar files in coppermine's config. As suggested, this  ............  not a coppermine issue, but a webserver vulnerability - fiddling with coppermine only cures the  ......
...... . Make sure that you have not fallen victim to the rar vulnerability (a webserver vulnerability, not a  ......
...... : this is a webserver vulnerability issue that will affect all applications that have  ............  in a way that doesn't allow PHP files to pose as rar files - files having the rar extension are not  ............  does not affect the capability of users to upload rar files, so there's little use in changing it from " ............  that tells users to patch their apps against a vulnerability that shouldn't exist in the first place and that  ............  release that patches security issues is not the rar vulnerability, but the imei bug that allows a  ......
#14
cpg1.4 miscellaneous / Re: Malicious RAR
July 19, 2007, 08:11:48 AM by Joachim Müller
......  Donnoman suggested this is a webserver-vulnerability (or rather, a misdocumented feature). The so- ............  "rar"-exploit has been taken care of some time ago.  ............  in the thread "Coppermine-driven galleries hit by RAR exploit" and "Maintenance release CPG1.4.6  ............  against Apache's .rar vulnerability......
#15
......  rar vulnerability has been fixed a long time ago - as  ............ , the malicious uploader tried to exploit the vulnerability that existed in previous versions without taking  ............  version that is immune against the apache vulnerability. To be absolutely sure that everything is fine,  ............  a deep link to the uploaded file. Read up the rar vulnerability discussion for details. ......
......  if you allow all kinds of file types like .rar and .zip someone can slip something past you like  ............ .php.rar. Has been addressed in cpg1.4.9. Malevolent users  ............  longer can use this apache vulnerability to execute script files that way. Please review  ......
......  make sure that your gallery is safe against the rar vulnerability, upgrade to the most recent version  ......
#18
......  were right. I uploaded a test "php.rar" and after running it, I can read "Oops, my webserver  ......
#19
...... . Blind guess: you have fallen victim to the rar vulnerability that exists on outdated apache  ............  is not related to coppermine, but a webserver vulnerability. Read the threads that deal with it: http://forum. ............ -gallery.net/index.php?action=search2;search=rar If this vulnerability doesn't apply for you,  ......
#20
......  webhost to fix his server - the attacker used a vulnerability that exists on Apache webserver setups that aren' ............  aren't meant to parse files with the extension ".rar" with the PHP processor. Your server is  ............  improperly - it doesn't treat ".rar" files and document files, but parses PHP  ............  in it. By not allowing the upload of .rar files using coppermine, you just keep future  ............  as well that your webhost fixes the server setup vulnerability. Contact them asap, asking them to do as advised  ............  to do then. I'm convinced they will, as the said vulnerability will not only have an impact on your domain, but  ......
......  1.4.6 , gallery is protected against Apache's .rar vulnerability - This file uploaded ,before you  ......
......  an Apache flaw that allowed files named foo.php.rar to be parsed as PHP files. This flaw has been  ......
......  {Nibbler} 2006-10-28 [ S ] Removing SQL injection vulnerability {Nibbler} 2006-10-27 [ M ] Removing unused file  ............  the last "valid" extension in the filename (rar exploit): replace all dots in the filename except  ............ } 2006-04-21 [ S ] Fixed remote file inclusion vulnerability {GauGau} 2006-04-10 [ M ] Re-added config.php and  ......