Re: Patch for Coppermine 1.4.3 remote code execution - Update NOW! Re: Patch for Coppermine 1.4.3 remote code execution - Update NOW!
 

News:

cpg1.5.48 Security release - upgrade mandatory!
The Coppermine development team is releasing a security update for Coppermine in order to counter a recently discovered vulnerability. It is important that all users who run version cpg1.5.46 or older update to this latest version as soon as possible.
[more]

Main Menu

Re: Patch for Coppermine 1.4.3 remote code execution - Update NOW!

Started by zapper, February 18, 2006, 08:05:59 PM

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

zapper

Thanks for the patch. I just noticed someone uploaded a file called:

jpg.php.rar

which is a phpshell program that looks like it has access to the server filesystem and can execute abitrary commands.

Just looking into it now but here is some info on the php script:

http://www.mnin.org/write/2006_uploadscripts.html#Martin_Geislers_PhpShell_

Nibbler

If you don't need to allow .rar uploads then disallow them in Coppermine's config or with the filetypes plugin. If you do need to allow them then ensure they are treated correctly by your webserver by adding this line into the .htaccess file in your albums directory.

AddHandler application/x-rar .rar

auroramae

Unfortunately I didn't block file types, my mistake.

My host  denied me access to my acount after someone uploaded the nstview script and used it to post an html file asking for personal financial information.    They said they removed the html file, but I looked over the directory and the original offending RAR was still there.    I noticed thumbs for 2 other rar files in the gallery. but the files don't exsit.  They all had different names.

I had my gallery set to ask admin approval for uploads from everyone so I am kind of stumped as to how they got the file on there in the first place.

Joachim Müller

the file gets stored on the server immediately on upload, only it's visibility within coppermine needs admin approval. You have to make sure that no executables get uploaded in the first place, admin approval won't help in this case.

Joachim Müller