

security issues

Started by jadejade, December 12, 2005, 11:44:52 PM


jadejade

I have your latest 1.4.2 stable coppermine installed... updated from previous versions that I have been using over the last 4 years or so... and btw... I love the new features...
Recently some malicious individuals have been targeting me to hack... my webhost keeps insisting that the coppermine script is the culprit that allows such individuals into my account. Can this really be the case?... and if so... what advice can you give me to plug the hole?




Joachim Müller

What did they actually do? Make sure that your admin account doesn't have a trivial, weak password. Make sure that you disallow anonymous users to do anything except view the pages. Enable hotlink protection or an anti-leech script. You'll have to post more details of what exactly happened for more thorough advice.

jadejade

It's just a stupid malicious person or persons, who is somehow managing to upload either a php script into the root directory, effectively replacing the index page, or embedding a pop-up somewhere in the index pages to cause the browser to shut down... I can usually fix it... but when I asked my webhost how they were getting in they said it must be through coppermine, because I installed it and they are secure... my passwords have been changed each time this has happened... and they are not weak... but it continues... every time I ask them how they get in my webhost says coppermine... are they just passing the buck?

How do I do what you suggest to the coppermine?... although I have used it a long time... I am not really very savvy as to how to get to all the configuration features, and I really don't know php scripting... I will need a move by move description of how to do this.

I have set the users to the few people I know well and actually at this point disallowed anyone from registering... but perhaps that is not enough.

kegobeer

Ask to see the server logs for the times in question. You may be able to match the IP address to whoever is doing it, then you can ban that/those members.

To help stop this, configure your gallery to only allow several image types.  Go to your config page, look for "Files and thumbnails advanced settings".  Change "Allowed image types" to jpg/jpeg/gif, then remove "ALL" from Allowed document types, Allowed movie types, and Allowed audio types.  You should also approve all uploads, and don't allow anonymous guests to upload to your gallery.
Do not send me a private message unless I ask for one.  Make your post public so everyone can benefit.

There are no stupid questions
But there are a LOT of inquisitive idiots

Abbas Ali

Any file uploaded using coppermine always goes in the "albums" directory, which is in the coppermine root directory. That malicious user (if using coppermine) cannot upload the file to the root directory because coppermine does not support this (unless you have some kind of mod which does so).

IMO it's something else and not coppermine, since the file is being uploaded to the root directory. Also, is the uploaded file shown in coppermine? I mean in any album of coppermine? If not, then certainly coppermine is not responsible for that.


Abbas
Chief Geek at Ranium Systems

Joachim Müller

There's a known webserver security hole (mark you, not a coppermine issue, but a webserver issue) that allows the execution of php scripts posing as real audio or rar files that might have been used as a backdoor. Scan the whole albums folder for files that match the pattern "*.ra*". If you find any, get rid of them (you may want to back them up beforehand for forensic reasons).

jadejade

Guys, thank you so much for your help and suggestions... as you can imagine this has been irritating to say the least.

I have confined my registered users to personally known individuals... and prohibited any new registrations... as I mostly upload jpgs... I have no problem in restricting the file types.

I had a feeling it wasn't coppermine that was at fault. I couldn't imagine how they could use it to get the website index page... and I have never had any problem with coppermine in the past.

But please tell me more about the .ra files... in which directories should I be looking... coppermine directories only or throughout the website?

Joachim Müller

Initially the albums folder within the coppermine folder, but the attacker may have left other backdoors on your webspace in other folders as well, so I suggest you FTP-download all files from your webserver and then scan the local copy completely. If you have shell access, you can skip the downloading and scan for the file pattern directly on your webserver.
Another possible attack method may be related to your webspace not being shielded well enough against other users on the same server. If you can (i.e. if uploading still works for you with this setting), CHMOD the albums folder to 755 instead of 777. Blind guessing only though.
Your webhost should really be a bit more cooperative; I suggest you're right in suspecting that they're "passing the buck" by blaming coppermine. Ask them for the webserver logs (well, the section that deals with your webspace and the time during which your site got defaced). Do you have any other php-driven apps on your page btw?
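A scan of the kind Joachim describes, written here as an added example (not Coppermine code and not from the thread): it walks a local copy of the albums tree and flags `*.ra*` names, PHP scripts, hidden directories, and media files that carry a PHP tag. The sample tree it builds, and the name patterns, are constructed for the demo.

```python
import os
import re
import tempfile

# Heuristics, not Coppermine code: "*.ra*" is the pattern Joachim suggests hunting for; the second alternative catches double extensions such as photo.php.jpg.
SUSPECT_NAME = re.compile(r"\.ra\w*$|\.php\w*\.", re.I)
PHP_TAG = re.compile(rb"<\?php|<\?=", re.I)

def scan_albums(root):
    """Walk a copy of the albums tree; return sorted (path, reason) pairs."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        for d in dirnames:
            if d.startswith("."):                      # e.g. albums/userpics/.userpics
                findings.append((_rel(rel_dir, d), "hidden directory"))
        for name in filenames:
            rel = _rel(rel_dir, name)
            if name.lower().endswith((".php", ".phtml", ".php3", ".php5")):
                findings.append((rel, "php script in upload tree"))
                continue                               # no need to look inside
            if SUSPECT_NAME.search(name):
                findings.append((rel, "suspicious name"))
            with open(os.path.join(dirpath, name), "rb") as fh:
                head = fh.read(4096)                   # a PHP tag near the top is enough
            if PHP_TAG.search(head):
                findings.append((rel, "php tag inside non-php file"))
    return sorted(findings)

def _rel(rel_dir, name):
    return os.path.normpath(os.path.join(rel_dir, name)).replace(os.sep, "/")

def build_sample_tree(base):
    """Constructed sample modelled on the listing quoted later in this thread."""
    files = {
        "userpics/10001/holiday.jpg": b"\xff\xd8\xff\xe0 constructed jpeg bytes",
        "userpics/10001/clip.ra": b"<?php /* constructed: script posing as audio */ ?>",
        "userpics/.userpics/index.php": b"<?php /* constructed */ ?>",
        "userpics/.userpics/index.tar.gz": b"\x1f\x8b constructed archive",
    }
    for rel, data in files.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_albums(tmp)
```

Run `scan_albums` on the downloaded copy of the albums folder; anything it reports should be backed up for forensics and then removed, as Joachim suggests.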

donnoman

Just FYI, albums is NOT the ONLY place uploaded files can be placed by coppermine. They can be uploaded to the plugins directory and zips unpacked.

However the user needs to be an admin in coppermine in order to use the form that uploads the archive.

donnoman

If you know when the rogue script placed the files (i.e. look at the date and time of the offending script files) then get the http log for that time period (at least an hour before and after). PM it to me so I can take a look at it.

It's also possible it's not your site that the infection is actually penetrating through. There have been some forum vulnerabilities coupled with weak server configurations that have resulted in similar circumstances from somebody ELSE'S hosted account on the same server.
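The log review kegobeer and donnoman describe, as an added example that is not from the thread: take the mtime of the planted file, pull the requests within an hour either side out of Apache combined-format lines, and count per IP the ones that could have written or fetched it. The log lines, the year and the UTC offset are constructed assumptions (ls -la shows neither).

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Apache combined-log prefix: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample lines; the addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
203.0.113.7 - - [17/Mar/2006:11:02:10 +0000] "GET /cpg/index.php HTTP/1.1" 200 5123
203.0.113.7 - - [17/Mar/2006:12:15:44 +0000] "POST /cpg/upload.php HTTP/1.1" 200 812
198.51.100.9 - - [17/Mar/2006:12:16:03 +0000] "GET /cpg/albums/userpics/.userpics/index.php HTTP/1.1" 200 17
203.0.113.7 - - [17/Mar/2006:12:17:30 +0000] "POST /cpg/upload.php HTTP/1.1" 200 812
192.0.2.44 - - [17/Mar/2006:12:40:00 +0000] "GET /cpg/displayimage.php?pid=5 HTTP/1.1" 200 9000
198.51.100.9 - - [17/Mar/2006:14:30:00 +0000] "GET /cpg/index.php HTTP/1.1" 200 5123
"""

# mtime of the planted file (the "Mar 17 12:18" in the listing quoted later in
# the thread); the year and the UTC offset are assumptions.
FILE_MTIME = datetime(2006, 3, 17, 12, 18, tzinfo=timezone.utc)

def parse_line(line):
    """Parse one log line into a dict, or None if it is not in the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    row = m.groupdict()
    row["ts"] = datetime.strptime(row["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return row

def requests_near(log_text, mtime, window=timedelta(hours=1)):
    """Requests whose timestamp lies within +/- window of the file's mtime."""
    rows = (parse_line(line) for line in log_text.splitlines())
    return [r for r in rows if r and abs(r["ts"] - mtime) <= window]

def suspects(rows):
    """Per-IP count of requests that could have written or fetched the file:
    uploads (POST) and anything fetched from under the albums tree."""
    return Counter(r["ip"] for r in rows
                   if r["method"] == "POST" or "/albums/" in r["path"])
```

The IPs that come out on top are the ones to compare against the gallery's member list, or to ask the host about if they belong to another account on the same box.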

stadiumwear

Hi!
I hope I am writing in the right topic.
I had the problem mentioned above also.
Somebody was uploading .rar archives in my public album. Even though I didn't allow them, by the time I got online to delete them, they were sending spam emails (that's what the webhosting firm told me).
The third time the firm where I have the webhosting told me they closed my hosting account, so I had to delete the public album.

Here is what the firm told me about the error:

albums/userpics/.userpics
> [root@web2 .userpics]# ls -la
> total 84
> drwxr-xr-x    3 httpd    httpd        4096 Mar 17 12:18 .
> drwxrwxrwx   20 stadiumw stadiumw    49152 Apr  5 00:27 ..
> -r--r--r--    1 httpd    httpd          17 Dec 22  2004 foot.php
> -r--r--r--    1 httpd    httpd         179 Dec 22  2004 head.php
> drwxr-xr-x    2 httpd    httpd        4096 Mar 17 12:18 images
> -r--r--r--    1 httpd    httpd        5611 Dec 22  2004 index.php
> -rw-r--r--    1 httpd    httpd        3176 Mar 17 12:18 index.tar.gz
> -r--r--r--    1 httpd    httpd        1901 Dec 22  2004 install.txt
> -r--r--r--    1 httpd    httpd         239 Dec 22  2004 mysql.info.php


Now I'm thinking of disallowing all other files except jpeg/bmp/tif/gif so that nobody can upload rar archives. What do I have to write in the fields where it says "all"? Should I leave them blank or should I write "none"?

Thanks a lot and I hope this doesn't happen to you!

Stramm

cpg 1.4.5 uses as default for allowed document types (instead of ALL)
doc/txt/rtf/pdf/xls/pps/ppt/zip/gz/mdb

or leave blank to disallow all