v132 security concern? v132 security concern?
 

News:

cpg1.5.48 Security release - upgrade mandatory!
The Coppermine development team is releasing a security update for Coppermine in order to counter a recently discovered vulnerability. It is important that all users who run version cpg1.5.46 or older update to this latest version as soon as possible.
[more]

Main Menu

v132 security concern?

Started by TheKog, November 28, 2004, 07:10:17 PM

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

TheKog

I hope I'm wrong but I'm worried about security problems since I have to make those 4 directories 777 (rwx world group and user). These directories are within public_html on a tylpical web server. What keeps someone from putting a malicious script or trojan in there and executing it?

I'm sure I'm missing something here.

Thanks,
Mike

Tranz

I don't think it is an issue or we would have actual reports of exploits. If your host allows it, you can use 755 instead, and instead of 666, use 644

kegobeer

What keeps a user from uploading a malicious script?  You do.  Only allow registered users of your Coppermine gallery to upload; keep it reserved to images, movies, and zip files; and keep tabs on your site.

Perhaps you don't understand how your webserver operates, but unless you give FTP access to someone, or you have a script that uploads files to your site, no one can put anything on your site.  I can't create a script, put it on my site, and then access your site and wreak havok (unless you have a very poorly managed server that allows that kind of access).

Like I said in your other post, there aren't any Coppermine security risks that we know of.  Script kiddies like to go after the Nuke sites because they are typically full of MySQL exploits and other holes.  The exploits that have been reported have nothing to do with Coppermine and everything to do with weak passwords and openings thru other people's websites that give an attacker root access to the entire server.

If you have a webserver that only allows uploads if you set permissions to 777, you should ask them to make the changes necessary or you should find yourself a different host IMO.
Do not send me a private message unless I ask for one.  Make your post public so everyone can benefit.

There are no stupid questions
But there are a LOT of inquisitive idiots

TheKog

THank you kego -- I'm just making sure there's no way a sniffer can write a file behind my back so to speak. I don't mean to come off as an idiot, I am a systems programmer just haven't been working on UNIX-based servers much.

Joachim Müller

Recommended reading for all who are worried about 777 or 755 permissions: http://www.simplemachines.org/community/index.php?topic=2987.0

Joachim