Security Issue, Somehow user has Indexed my whole coppermine albums/ folder...

Started by dke, July 19, 2007, 01:16:39 PM


dke

Hi,

I don't know how he managed to index my albums/bilder folder, but somehow he did. Using a browser and trying to access it, you will get permission denied all the way down to the actual picture. I'm guessing that he went through Coppermine somehow, as he was browsing it before he started just leeching the big pictures without accessing them through the GUI.

Any known issues like this, and how can I prevent them from happening? I have far too big a database to handle users ripping *.* of my content with an index rip program.

I've banned his IP in my firewall, since once it's indexed, there's nothing I can do about it.


dke

Sorry, forgot to add that I'm using:

Coppermine 1.4.12
Windows XP
Apache 2.0.55, configured properly using php5apache2_2.dll to interact with PHP
MySQL 5.x, only taking connections from localhost
PHP 5.2.3

I've updated Apache to 2.2.4 now.

Joachim Müller

I have no idea what you're talking about. How is this supposed to be a security hole anyway?

dke

If a user can access the complete index of /albums/, he can easily use a program which rips the entire site without doing anything, fully loading my site for several hours!

Somehow he accessed the names of all files in the albums/ subdirectories, which isn't possible to do just by pointing your browser to /albums/... (I've disabled indexes for all folders in Apache).

The only way I see this happening is to have some kind of knowledge of how Coppermine works, using a script to gather the data quickly.

I'd say this is a security issue, as it floods the site instantly when someone uses "Teleport Ultra" to rip your entire site within hours (25 GB of content).

But I'm not sure it's a Coppermine issue, so I'm humbly asking for your expertise on the subject.

Joachim Müller

Offline copiers (like HTTrack) are capable of leeching your site entirely if you allow public access. Is this the case for you? Posting a link to your site might help for a start.

dke

Quote from: GauGau on July 20, 2007, 08:43:20 AM
Offline copiers (like HTTrack) are capable of leeching your site entirely if you allow public access. Is this the case for you? Posting a link to your site might help for a start.

Oh really? I did not know that.

One solution would be to use a script making guest users who aren't logged in not have access to the high-resolution pictures. However, I need guests to have full access to certain albums, and a script like that does not yet exist for Coppermine to my knowledge.

I'll think over my approach of letting all users have access to everything; I thought the complicated GUI of Coppermine would make these "get page" programs fail.
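The behaviour discussed in this thread (an offline copier pulling every full-size picture under albums/ in a short time, while ordinary visitors fetch a few images through the gallery pages) leaves a distinctive trace in the web server's access log. The script below is an added example, not code from this thread or from Coppermine: it parses Apache "combined" log lines and flags source IPs that fetched an unusually large number of distinct full-size album images within a short window, or that announce themselves with a known offline-copier user agent. The log lines, IP addresses, timestamps, thresholds and the album path /albums/bilder/ are constructed for the example; the thumb_/normal_ filename prefixes are assumed to be Coppermine's default names for thumbnails and intermediate-size copies, so only the full-size originals are counted.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache "combined" log format (assumed); timestamps look like 20/Jul/2007:08:43:20 +0200
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
ALBUM_IMAGE_RE = re.compile(r'^/albums/.+\.(?:jpe?g|png|gif)$', re.IGNORECASE)
# Offline copiers named in the thread; user agents are an easily spoofed, weak signal only
KNOWN_COPIER_UAS = ("teleport", "httrack")


def parse_line(line):
    """Parse one combined-format line into a dict, or return None for unparseable input."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def is_fullsize_album_image(path):
    """True for originals under /albums/; thumb_/normal_ copies (assumed Coppermine prefixes) are ignored."""
    if not ALBUM_IMAGE_RE.match(path):
        return False
    name = path.rsplit("/", 1)[-1]
    return not name.startswith(("thumb_", "normal_"))


def find_rippers(lines, window=timedelta(minutes=5), threshold=20):
    """Return {ip: summary} for IPs whose peak count of distinct full-size images served (HTTP 200)
    inside any `window` reaches `threshold`, or whose user agent matches a known copier."""
    hits = defaultdict(list)   # ip -> [(timestamp, path), ...]
    agents = defaultdict(set)  # ip -> {user agents seen}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 200 or not is_fullsize_album_image(rec["path"]):
            continue
        hits[rec["ip"]].append((rec["ts"], rec["path"]))
        agents[rec["ip"]].add(rec["ua"])

    flagged = {}
    for ip, events in hits.items():
        events.sort()
        peak, left = 0, 0
        # Sliding window over the sorted timestamps, counting distinct image paths in the window
        for right in range(len(events)):
            while events[right][0] - events[left][0] > window:
                left += 1
            peak = max(peak, len({p for _, p in events[left:right + 1]}))
        copier_ua = any(k in ua.lower() for ua in agents[ip] for k in KNOWN_COPIER_UAS)
        if peak >= threshold or copier_ua:
            flagged[ip] = {"peak_distinct_images": peak, "copier_user_agent": copier_ua}
    return flagged


def _make_line(ip, ts, path, ua, status=200):
    return (f'{ip} - - [{ts.strftime("%d/%b/%Y:%H:%M:%S %z")}] "GET {path} HTTP/1.1" '
            f'{status} 4096 "-" "{ua}"')


def constructed_sample():
    """Constructed log lines: one copier pulling 30 originals in two minutes, one normal visitor."""
    base = datetime(2007, 7, 20, 8, 43, 20, tzinfo=timezone(timedelta(hours=2)))
    lines = []
    for i in range(30):  # copier: a new original every 4 seconds (constructed IP from TEST-NET-3)
        lines.append(_make_line("203.0.113.7", base + timedelta(seconds=4 * i),
                                f"/albums/bilder/img_{i:03d}.jpg", "Teleport Ultra"))
    for i in range(5):   # browser visitor: five originals spread over eight minutes
        lines.append(_make_line("198.51.100.9", base + timedelta(minutes=2 * i),
                                f"/albums/bilder/img_{i:03d}.jpg", "Mozilla/5.0 (Windows; U; Windows NT 5.1)"))
    # Thumbnails and denied requests must not count towards the visitor's total
    lines.append(_make_line("198.51.100.9", base, "/albums/bilder/thumb_img_000.jpg", "Mozilla/5.0"))
    lines.append(_make_line("198.51.100.9", base, "/albums/bilder/img_099.jpg", "Mozilla/5.0", status=403))
    return lines


if __name__ == "__main__":
    for ip, summary in find_rippers(constructed_sample()).items():
        print(ip, summary)
```

Run against a real access log with `find_rippers(open("access.log"))`; the window and threshold should be tuned to the gallery's normal traffic, and the user-agent match is only a hint, since copiers can present a browser string, so the rate-based count is the signal to rely on.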