Security Breach? Security Breach?
 

News:

CPG Release 1.6.26
Correct PHP8.2 issues with user and language managers.
Additional fixes for PHP 8.2
Correct PHP8 error with SMF 2.0 bridge.
Correct IPTC supplimental category parsing.
Download and info HERE

Main Menu

Security Breach?

Started by qwaven, February 06, 2007, 04:52:57 AM

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

Print
Go Down Pages1
User actions

qwaven

February 06, 2007, 04:52:57 AM Last Edit: February 12, 2007, 07:44:37 AM by GauGau
Hello,

A friend of mine showed me this video called "Local JPG shell Inclusion (LFI using php injected JPG)". So I am wondering if this is a) possible to do through coppermine and b) if so is there a way to prevent this? Such as disallow code execution from anything other than php files (not dont allow them to upload them).

See video here: http://milw0rm.org/video/watch.php?id=57
Website home page (in case link does not work): http://milw0rm.org

Please get back to me,
Thanks

qwaven

#1
February 06, 2007, 04:57:24 AM
Sorry typo!!!

This: Such as disallow code execution from anything other than php files (not dont allow them to upload them).

What meant to read:

Such as disallow code execution from anything other than php files (Dont allow them to upload them).

qwaven

#2
February 09, 2007, 08:50:25 AM
No one has anything for me?

Joachim Müller

#3
February 09, 2007, 09:01:55 AM
This is a matter of webserver setup, not an issue related to coppermine. The webserver should be set up to only parse files that are actually specified by extension. There is a flaw (or unproperly documented feature) of the Apache webserver that allows files with unknown extension to be parsed by the PHP interpreter. Subsequently, a file named some_evil_script.php.foo could contain malevolent PHP code and get executed if it gets on the server. Therefor, an app that allows uploads (like Coppermine) has to make sure that only valid files can get uploaded. This is being accomplished in Coppermine by renaming all dots but the last one in a file name with underscores during upload (the file in above example gets renamed to some_evil_script_php.foo), so no harm is being done. However, this is not related to the flaw you refered to in the first place. Not sure what to recommend. As I suggested above: it's a webserver issue, not a Coppermine issue.

qwaven

#4
February 10, 2007, 12:41:40 AM
Hmm I was thinking since the code would be originally executed/sent from coppermine since the 'abuser' would upload an image, and than click on the uploaded image to execute it. I was thinking that there would be something like 'do not pass *.jpg to php' ...

Anyway I'm sure you know more about this than I do. I was just trying to bring it to your attention in case it was something that could be fixed on your end.

Anyway as always keep up the great work!

Thank you for the reply :)

Nibbler

#5
February 10, 2007, 12:56:17 AM
When your web browser requests an image that has been uploaded to the gallery Coppermine is not involved in any way. The webserver should be configured to not treat the image as php code any more than code in a plain text document.

qwaven

#6
February 12, 2007, 12:42:43 AM
Hmm ok well thanks for the information :)
Print
Go Up Pages1
User actions