SiteMap Crawlers Delete All Photos
 


Started by Spaatz, June 01, 2006, 04:19:29 AM


Spaatz

I just upgraded to 1.4.6 from 1.4.5 because I thought I was subjected to the security vulnerability discussed in previous threads as all of my albums and photos were deleted this morning.

Well, after putting it all back together, I ran a sitemaps scan of my site and lo and behold, all of my albums and photos were once again deleted.

It turns out that the sitemap generator was triggering some sort of delete command in my files.  Everything in my album folder was deleted.

My site is http://www.pphsreunion96.org/coppermine/

I have it open up for anyone to sign up and post pictures to public forums. 

Has anyone else run into this problem?

Joachim Müller

We won't go through registration just to be able to help you. Post a test user account.

Spaatz

Username:  Test
Password:  Test

I ended up restricting all access to the /coppermine/ directory in my robots.txt file.  It appears to be working thus far.


Tranz

How can the spiders get to delete the photos if we humans can't even see the gallery without logging in? Are you using a hack that allows spiders special access?

Spaatz

I haven't modified the software in any way, shape or form.  The only thing I did was run a JavaScript-based Google sitemap generator on the site root (http://www.auditmypc.com/free-sitemap-generator.asp) so that the Google webspider could crawl my site more effectively.  Once the JavaScript sitemap generator was finished - poof, everything gone!  I reinstalled everything and then the Google webspider came along and once again, poof!

The gallery is bridged with phpBB2 - latest version.

So, no special hacks.  Just the basic installation.

I'm wondering about the config files in this case.  They are configured to use my login and password for the whole site to access the SQL database.  Could the spider be drawing from this password and userid when it runs delete commands?


Paver

Delete is only allowed for Coppermine administrators.  Yes, the database login info is stored, but you still have to log in to Coppermine as an administrator using a non-stored username and password.  I don't understand how a sitemap generator or webspider can log in as an administrator unless you provided this information in the sitemap generator (I haven't looked at it yet to see how it works) or unless you added other users (like Registered or Guests) to the Administrators group - if that's possible - I have never considered such a thing.  Usually only one person is the administrator.

Nibbler

Log out before running the sitemap generator; it seems to be a client-side crawler.

Spaatz

Quote from: Nibbler on June 01, 2006, 05:24:34 PM
Log out before running the sitemap generator; it seems to be a client-side crawler.

I think we have an answer.  I cannot check it until tonight but I believe that this is the correct answer.

Spaatz

Quote from: Spaatz on June 01, 2006, 07:26:21 PM
I think we have an answer.  I cannot check it until tonight but I believe that this is the correct answer.

Got home to find that lightning had fried my cable modem.  Will check it again tonight. 

Spaatz

Quote from: Nibbler on June 01, 2006, 05:24:34 PM
Log out before running the sitemap generator; it seems to be a client-side crawler.

We have a winner!   I ran a scan of the site after logging out and it didn't delete anything! 

Thanks for everyone's help!
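The behaviour this thread arrives at, as an added sketch that is not Coppermine's code and not from any poster: a crawler running in the administrator's logged-in browser sends the session cookie with every link it follows, so a delete action reachable by a plain link fires. The `Gallery` class, paths and token scheme are hypothetical, and it is an assumption that the delete action was reachable by a link; the hardened handler shows the server-side fix of requiring POST plus a form token.

```python
import hmac
import secrets

class Gallery:
    """Toy gallery with one admin session (constructed for this example)."""
    def __init__(self):
        self.photos = {1: "a.jpg", 2: "b.jpg", 3: "c.jpg"}
        self.admin_cookie = secrets.token_hex(16)
        self.form_token = secrets.token_hex(16)  # embedded only in the delete form

    def links(self):
        # Links rendered on an admin's page; a crawler follows every one.
        return [f"/delete?id={pid}" for pid in self.photos] + ["/index"]

    def _is_admin(self, cookie):
        return cookie is not None and hmac.compare_digest(cookie, self.admin_cookie)

    def _apply(self, path):
        if path.startswith("/delete?id="):
            self.photos.pop(int(path.split("=", 1)[1]), None)
        return 200

    def handle_unsafe(self, method, path, cookie, token=None):
        # Weak: the session cookie alone authorizes a delete, even on GET.
        return self._apply(path) if self._is_admin(cookie) else 403

    def handle_safe(self, method, path, cookie, token=None):
        if not self._is_admin(cookie):
            return 403
        if path.startswith("/delete"):
            if method != "POST":
                return 405  # following a link can never change state
            if token is None or not hmac.compare_digest(token, self.form_token):
                return 403  # request did not come from the delete form
        return self._apply(path)

def crawl(gallery, handler, cookie):
    """Client-side crawler: GETs every link with the browser's cookie attached."""
    for link in gallery.links():
        handler("GET", link, cookie)
    return len(gallery.photos)  # photos left after the crawl

def demo():
    g1, g2, g3 = Gallery(), Gallery(), Gallery()
    return (crawl(g1, g1.handle_unsafe, g1.admin_cookie),  # logged in, weak handler
            crawl(g2, g2.handle_unsafe, None),             # logged out, weak handler
            crawl(g3, g3.handle_safe, g3.admin_cookie))    # logged in, hardened handler

if __name__ == "__main__":
    print(demo())
```

Logging out, as suggested in the thread, protects one crawl; the hardened handler protects the gallery whenever an administrator's browser follows links automatically.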