Security issue with coppermine
 


Started by PhilCowans, December 21, 2004, 11:10:44 AM


PhilCowans

Files in the include subdirectory are installed with world writeable permissions. This is a serious vulnerability on multi-user systems, and has already caused problems on our server.

Phil

Casper

The include directory needs to be writable during the install, but after that it is not needed, so you can change the permissions.

We have had no reports of problems with security due to this before.  What issues have you had?
It has been a long time now since I did my little bit here, and have done no coding or any other such stuff since. I'm back to being a noob here

PhilCowans

That's not a solution - you cannot assume that users will change the permissions.

The problems were not directly related to coppermine - having obtained one account, the attacker used the world writable files to modify the website of another user.

Tarique Sani

#3
@PhilCowans - yes you are right - the permissions for all the files in the zip are unduly permissive. This usually is not a problem, as most users FTP a single file at a time rather than uploading the zip and unzipping it on the server. What we really need is a gzipped tarball so that the permissions are retained as intended - will have it fixed ASAP - Thanks
SANIsoft PHP applications for E Biz

raummusik

yo fine.. cause of the permission writable in /include it's now the worm which destroys our galleries.. look here :


http://forum.coppermine-gallery.net/index.php?topic=12803.0

damn it . ;)

CapriSkye


Tarique Sani

#6
Quote from: raummusik on December 22, 2004, 01:49:44 AM
yo fine.. cause of the permission writable in /include it's now the worm which destroys our galleries.. look here :
http://forum.coppermine-gallery.net/index.php?topic=12803.0

This worm is not exploiting the READ/WRITE issue - it is probably exploiting the serialise / unserialise bug in PHP version 4.3.9 and earlier - the correct solution to the problem is to have your host upgrade to PHP 4.3.10

As far as permissions in unzipped files go - that is the character of Zip files which by design DO NOT store permissions - thus if you unzip a zip file on your server its files (usually depending on the server config) will have permission 666 and the directories will have permission 777.

This will not be a problem if you unzip the file locally and upload it via FTP as most FTP clients will give sensible permissions.

Like I said earlier, however, if there is to be something which can be uploaded onto the server as a single package and unzipped (untarred), then it has to be a gzipped/bzip2ed tarball, as tar files can retain original permissions

So the bottom line is

#1 Upgrade to PHP 4.3.10
#2 DO NOT use unzip on server blindly - either use an ftp client OR set permissions properly after unzipping
SANIsoft PHP applications for E Biz
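
The "set permissions properly after unzipping" step from the post above, as an added example that is not part of the original thread or of Coppermine: it lists everything writable by "other" under an unpacked tree and resets the modes. The 644/755 targets, the function names and the sample file names are assumptions made for illustration; directories the web server itself must write to need separate, deliberate handling.

```shell
#!/bin/sh
# Added example: audit and tighten permissions after unzipping on the server.
# Assumption: 644 (files) and 755 (directories) are the intended modes.

# Print every file or directory under $1 that is writable by "other".
# Symlinks are skipped because their own mode bits are not meaningful.
list_world_writable() {
    find "$1" ! -type l -perm -0002 -print
}

# Number of world-writable entries under $1 (whitespace from wc stripped).
count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# Reset modes: directories to 755, regular files to 644.
tighten_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Demo on a constructed tree that mimics the modes described in the thread
# (666 files, 777 directories). File names are made up for the example.
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/gallery/include"
    : > "$root/gallery/index.php"
    : > "$root/gallery/include/sample.inc.php"
    chmod 777 "$root/gallery" "$root/gallery/include"
    chmod 666 "$root/gallery/index.php" "$root/gallery/include/sample.inc.php"

    before=$(count_world_writable "$root/gallery")
    tighten_perms "$root/gallery"
    after=$(count_world_writable "$root/gallery")

    echo "world-writable before: $before, after: $after"
    rm -rf "$root"
}

demo
```

On a shared host, running `list_world_writable` against the gallery directory before and after an upgrade shows whether an unpack step has reintroduced permissive modes.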