$_COOKIE[] has that odd key d8682f36c2ce20f4bc180127fb9b7677 and need to figure
 


Started by AWJunkies, March 21, 2006, 10:28:56 PM


AWJunkies

$_COOKIE[] has that odd key d8682f36c2ce20f4bc180127fb9b7677 and need to figure out how that fits into 1.4.3. Please admin and programmers of the program contact me about this. This is not to solve how to hack into accounts with the loophole in 1.3.5 etc. This is to make the JUpload MOD work for 1.4.3. I need to pass 2 variables to the program and this is where I am snagged up. I need to be able to get access to some info off that code or off of a cookie to be able to link it with JUpload (username and password). This will stay confidential and not be spread anywhere. Or if you can take a look at the JUpload MOD 1.4.3 stuff and solve the issue, it is with cookies and sending username and password over.

Joachim Müller

Set your own cookie then. A mod mustn't interfere with core code.

Nibbler

Look at bridge/coppermine.inc.php - that handles all the auth when coppermine is unbridged.

AWJunkies

I don't want to show actual code and cookie info to show a leak.

If nibbler you can PM me about this. A lot of people want this JUpload MOD, it is a must have in my opinion when I upload 500 photos at a time for each event we have, which is 1-2 events a day. You may say then use ftp etc or batch add in admin panel. Well not only me but users have taken that many as well. They need an easier way to upload those couple hundred pics than 10 at a time. Thanks so much for the quick response guys.

I am so close to getting this done and have had a few other programmers take a look at the coding and it all comes down to solving the cookie issue. Thanks again Nibbler and GuaGua for your help.


AWJunkies

Ok I just figured out what you guys are doing within code about sessions and cookies. I didn't actually get what you were doing the hook for but now realize why and so on and so forth. I am working to make it work with a programmer right now. Will let you know what we come up with.

guice

Okay, now for some technical questions. ;)
I'm assisting AWJunkies in this conversion of JUpload (albeit remotely so much of what I found out/tested is second hand).

The issue we're seeing is that the session isn't correctly being reinstantiated when JUpload uploads the images, which makes complete sense since each upload transaction is done through the Java piece w/out the original cookie. To get around this JUpload crypts the current _COOKIE[] data and sends it across as a _GET parameter.

In 1.3.5, HTTP_COOKIE_VARS contained the _uid, _pass and _data of the cookie. This worked since it also contained both the _uid and _pass which allowed JUpload to just plug in a few values to make it work across the board. However, in 1.4.3/4 _COOKIE[] no longer contains the _user and _pass fields.

Was _user and _pass entered by the CopperMine script itself? I don't see where this would have been added by JUpload from looking at the old 1.3.5 install instructions.

Now, tracing back and doing some code dumps of data, I'm trying to figure out how we can get the session reinstantiated w/out making much/any modifications to the CopperMine code itself.

In 1.3.5, when I decrypted the cookie that JUpload got using $cookieEnc = base64_encode(serialize($HTTP_COOKIE_VARS)); I got the following values:
Array
(
    [cpg133_data] => klEIj7czoxOO30zYDE0c0WY5YSnOTU3ZjY5NjI6tjZoYmYyOiJhbITU5tzOjMyOiI52ZiII7aNDNjdjYToyxOWMTY2N=
    [cpg133_uid] => 3
    [cpg133_pass] => 902c6ca51933f3532e50e77b31aebafc
)


However, in 1.4.3, it's different, same line $cookieEnc = base64_encode(serialize($_COOKIE));  Different output:
Array
(
    [cd86eb178b708127f36c62fb2479c20f] => 4943a6889a7b9c0203db5466f6927760
    [cpg143_data] => klEIjtzOjMyOiI2NzOjI6I0YiI7czoyOiWI4Q0MGM6aXNoIjhbSI7aToxO3RlOTkzWM3YmZlNjIYTuZyNNDoibGFzQ5YJ2Z2I7mdsozOntMzc1czo3OiJlbMDUt9
)


We're trying to figure out what that odd array key is... and what its value is. Is that some kind of cryptic session handling that CM is using? Is there a way to use cookie_extraction() to our advantage to decrypt/use that odd session key to properly restore the session to allow JUpload to work properly?

I'm thinking, just looking over code (unable to fully test myself) that it's possible to use $this->client_id within cookie_extraction(), right? If so, is that odd key the client_id and the value the password? If that's the case then, things are solved. If not, then we're back at the start.

PS: All data has been shuffled to prevent decryption or attempts to gain insight as to what the real values are.

guice

Quote: look at bridge/coppermine.inc.php - that handles all the auth when coppermine is unbridged.

Okay, maybe I should have read over this file a bit before my original post. Okay... I think I'm seeing what it's doing. The key is the client_id. Sessionid is a concatenation of the sessioncookie (the odd key's value) and the client_id. Making the sessionid a pretty long string. ^_^

I have to ask then. Why is it that when we populate _COOKIE[] ourselves with the above data, session_extraction still doesn't work? Are we populating the cookie, manually, in the wrong place? I believe AWJunkies was populating _COOKIE at the top of the upload file. Told him, in a final attempt yesterday, to put if ( isset($_GET['coookie'] ) { $_COOKIE = unserialize(base64_decode($_GET['cookie'])); } at the beginning of the file, to simulate the _COOKIE actually getting set by PHP from the browser. He informed me it didn't work. Why? Everything I see says this should have worked.

AWJunkies

I did not know you meant the upload.php file. I thought you meant the functions file. It still does not work with it at the top of the upload.php page.

// Confirm we are in Coppermine and set the language blocks.
define('IN_COPPERMINE', true);
define('UPLOAD_PHP', true);
define('DB_INPUT_PHP', true);
define('ADMIN_PHP', true);

// Call basic functions, etc.
require('include/init.inc.php');
require('include/picmgmt.inc.php');

// Some placeholders.
$customize = CUSTOMIZE_UPLOAD_FORM;
$user_form = USER_UPLOAD_FORM;
$allowed_URI_boxes = NUM_URI_BOXES;
$allowed_file_boxes = NUM_FILE_BOXES;

// Check to see if user can upload pictures.  Quit with an error if he cannot.
if (!USER_CAN_UPLOAD_PICTURES) {
    cpg_die(ERROR, $lang_errors['perm_denied'], __FILE__, __LINE__);
}

// Globalize $CONFIG.
global $CONFIG, $lang_upload_php, $user_form, $max_file_size;

if (isset($_GET['coookie'])) {
$_COOKIE = unserialize(base64_decode($_GET['cookie']));
}


That is what I have within upload.php at the top. Hit me up guice.

AWJunkies

Well I just noticed you did above code wrong it should look like this:

if (isset($_GET['cookie'])) {
$_COOKIE = unserialize(base64_decode($_GET['cookie']));
}


not:
if ( isset($_GET['coookie'] ) { $_COOKIE = unserialize(base64_decode($_GET['cookie'])); }

Missing ) at the beginning of if statement as well as three ooo for cookie in if statement. Testing again to see if it works.

It still did not work. Help please :)

I tried this in functions as well with no luck, as well as changed ' ' to " " for cookie, still nothing. Anyone please jump in and try to help.


AWJunkies

// Confirm we are in Coppermine and set the language blocks.
define('IN_COPPERMINE', true);
define('UPLOAD_PHP', true);
define('DB_INPUT_PHP', true);
define('ADMIN_PHP', true);

if (isset($_GET["cookie"])) {
$_COOKIE = unserialize(base64_decode($_GET["cookie"]));
}

// Call basic functions, etc.
require('include/init.inc.php');
require('include/picmgmt.inc.php');

// Some placeholders.
$customize = CUSTOMIZE_UPLOAD_FORM;
$user_form = USER_UPLOAD_FORM;
$allowed_URI_boxes = NUM_URI_BOXES;
$allowed_file_boxes = NUM_FILE_BOXES;

// Check to see if user can upload pictures.  Quit with an error if he cannot.
if (!USER_CAN_UPLOAD_PICTURES) {
    cpg_die(ERROR, $lang_errors['perm_denied'], __FILE__, __LINE__);
}

// Globalize $CONFIG.
global $CONFIG, $lang_upload_php, $user_form, $max_file_size;


I did that and still doesn't work.

tried :

if (isset($_GET['cookie'])) {
   $_COOKIE = unserialize(base64_decode($_GET['cookie']));
}

AWJunkies

I have tried a lot of different things but with no success. Please help.

AWJunkies

I DID IT! Fully functional JUpload MOD on coppermine! WOOT WOOT. Was messing around with it all day today since 8am and finally with guice's help I got it to work! I will be testing all weekend and go live on monday with it. If there are no issues at all I will post up the necessary edits and share it with the coppermine community.

Can't thank Guice enough for making me understand how everything was working so I could figure a way to make it work.
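
An added example, not code from this thread or from Coppermine or JUpload: the hand-off tried above, `$_COOKIE = unserialize(base64_decode($_GET['cookie']))`, passes a request parameter straight to unserialize(), which can instantiate objects from whatever the client sends and accepts any cookie array unverified. The sketch below carries the same data as JSON authenticated with an HMAC and an expiry; the function names, the server-side `$secret` and the token layout are all assumptions.

```php
<?php
// Added example: signed, expiring hand-off token in place of unserialize($_GET[...]).
// make_upload_token(), read_upload_token() and the token layout are hypothetical.

function make_upload_token(array $cookies, string $secret, int $ttl = 300): string {
    // JSON holds only scalars and arrays, so decoding cannot instantiate objects.
    $body = base64_encode(json_encode(['exp' => time() + $ttl, 'c' => $cookies]));
    // rawurlencode() the result before placing it in a query string.
    return $body . '.' . hash_hmac('sha256', $body, $secret);
}

function read_upload_token(string $token, string $secret): ?array {
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        return null;
    }
    [$body, $mac] = $parts;
    // Check the MAC in constant time before decoding anything.
    if (!hash_equals(hash_hmac('sha256', $body, $secret), $mac)) {
        return null;
    }
    $json = base64_decode($body, true);
    $data = ($json === false) ? null : json_decode($json, true);
    if (!is_array($data) || !is_int($data['exp'] ?? null) || !is_array($data['c'] ?? null)) {
        return null;
    }
    if ($data['exp'] < time()) {
        return null; // token expired
    }
    // Keep only string values, which is all a real cookie can hold.
    $out = [];
    foreach ($data['c'] as $name => $value) {
        if (is_string($value)) {
            $out[(string) $name] = $value;
        }
    }
    return $out;
}

// Constructed sample values, not real session data.
$secret = 'constructed-demo-key';
$token  = make_upload_token(['cpg_demo_data' => 'abc', 'demo_client_key' => 'f00d'], $secret);
var_dump(read_upload_token($token, $secret));       // untouched token
var_dump(read_upload_token($token . '0', $secret)); // tampered MAC
```

A token in a URL still ends up in access logs and browser history, which is why the sketch gives it a short lifetime rather than the lifetime of the session cookie.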