Re: Security issues in Coppermine 1.3.3?
Started by Nibbler, July 20, 2005, 04:13:05 AM

Nibbler

You can usually adjust permissions using your FTP client. The exact setting depends on how your server is set up. The filetypes that are enabled by default are safe; it is not a good idea to allow uploads of any type of script that can run on your server, or of HTML files.

Joachim Müller

They're a mild security risk if your server isn't set up well enough. The background is: if folders are group writable, users who have an account on the same server as yours (i.e. if they are with the same webhost as you) could insert malicious code into your webspace. Users accessing from the internet (without being hosted on the server) can't benefit from "group writable". If your webhost has set up the webserver safely (i.e. shielded the user accounts against each other), then there is no security risk at all. Just CHMOD the folders that are being shown in versioncheck.php as writable to be non-writable, then check if your coppermine gallery still works as expected - and you should be fine.

HTH
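The check and fix described in the reply above, as an added example that is not part of this thread or of Coppermine itself: it lists directories under a gallery root that are group- or other-writable (the same class of folder versioncheck.php flags) and strips that write bit while leaving the owner's write access alone. The directory tree it builds is constructed for the demo; it assumes a POSIX find and chmod.

```shell
#!/bin/sh
# Added example (not from the Coppermine thread): audit a web tree for
# directories writable by group or others, then harden them.

# Print directories under $1 that are group- or other-writable, sorted.
writable_dirs() {
    find "$1" -type d \( -perm -g=w -o -perm -o=w \) | sort
}

# Remove group/other write from every directory under $1. Owner write is
# kept so the account holder can still edit files via FTP, as in the thread.
harden_dirs() {
    find "$1" -type d \( -perm -g=w -o -perm -o=w \) -exec chmod go-w {} +
}

# Constructed demo tree that mimics a small Coppermine install.
demo_root="$(mktemp -d)"
mkdir -p "$demo_root/albums/userpics" "$demo_root/include" "$demo_root/themes/smf"
chmod 777 "$demo_root/albums/userpics"   # world-writable: will be flagged
chmod 775 "$demo_root/include"           # group-writable: will be flagged
chmod 755 "$demo_root/themes/smf"        # owner-only write: left as is

echo "Before hardening:"
writable_dirs "$demo_root"
harden_dirs "$demo_root"
echo "After hardening (should be empty):"
writable_dirs "$demo_root"
```

Run it against the real gallery root instead of the demo tree, then load the gallery as the reply suggests to confirm uploads and thumbnails still work.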

Anhinga

The folders weren't actually group writable--the only mode that had write access to them was "user". But I've turned that off anyway, and the gallery still seems to work.

I didn't do this for the SMF theme folder though, because I'd like to be able to continue customizing this theme, and it seems as though disabling write access for "user" mode on this folder would prevent me from continuing to edit the files in it. I'm hoping that the security risk for user mode having write access to this folder is negligible. Is that correct?

Joachim Müller

if the webserver isn't set up in a very silly way, then yes.