Important security issue 1.4.4 Important security issue 1.4.4
 

News:

cpg1.5.48 Security release - upgrade mandatory!
The Coppermine development team is releasing a security update for Coppermine in order to counter a recently discovered vulnerability. It is important that all users who run version cpg1.5.46 or older update to this latest version as soon as possible.
[more]

Main Menu

Important security issue 1.4.4

Started by thejake420, March 27, 2006, 10:43:38 AM

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

thejake420

Couldn't post to the appropriate forum, and couldn't find the tracker...?

I'm updated to 1.4.4 (actually 1.4.3, with the manual edits as instructed since I wanted to patch the issue before the 1.4.4 version was released.)

I don't want to post the contents of the "bad" file for obvious reasons, but a user was able to upload a file that granted them access to my server. I fixed the issue manually, but it's a potentially nasty one that appears to be able to give the user direct and basically unrestricted access to my server.

Uploaded file: image.php.rar (which I obviously deleted)

Checked my server just in case, and it's a good thing because I found .index.php in the userpics (note the dot before the filename).

Admin - Please contact me directly for a copy of the offending PHP file so that you can decide how best to deal with this.


My email is: thejake420
-------------------------------------
at the domain: dvdhelp.us


Jake

Nibbler

Please search the board for previous discussions on this issue.

thejake420

Quote from: Nibbler on March 27, 2006, 01:45:06 PM
Please search the board for previous discussions on this issue.
I did, and received 0 results for .index.php or image.php.rar (the offending files), keywords which I would imagine would be included in a discussion of an issue relating to these files. Do you have a link please?

I had already applied the hotfix, but was obviously still NOT safe from the vulnerability, hence the reason I saw fit to report it here, as there is clearly another way for this vulnerability to be exploited.


Jake


thejake420

Thank you. That was extremely helpful. (I did try searching... a lot. I just didn't find the threads above.)

Be aware that the hotfix did not completely dodge the vulnerability. (I have, of course, updated to 1.4.4 and added the appropriate .htaccess file, as well as sent a message explaining this server vulnerability to my host.)


Jake

Joachim Müller

updating to cpg1.4.4 doesn't fix this issue, nor does putting a .htaccess file. To fix this, do as suggested on the threads I refered to and disallow the upload of .rar files in coppermine's config.
As suggested, this is not a coppermine issue, but a webserver vulnerability - fiddling with coppermine only cures the symptoms, but not the cause.