security hole in CPG
 


Started by anpaza, September 21, 2008, 08:29:35 PM


anpaza

Hello!

I've been using CPG 1.4.10 for a long time, and was once hacked by some moron. I've analyzed the logs and found the bug which was used by that little prick to get in. Unfortunately, I haven't bothered to report it.

Now I decided to upgrade to latest 1.4.19, and guess what... the bug is still there.

So I took the time to report it.

I won't describe how the hack works in a naive attempt to prevent other sites being hacked within a short time. The bug is in the function cpg_get_custom_include().

Here's just the fix (the CPG developers may find a better way to do it, I'm not a php programmer ever):

diff -urw cpg1410/include/functions.inc.php /var/www/html/photo/include/functions.inc.php
--- cpg1410/include/functions.inc.php   2006-10-29 22:56:50.000000000 +0300
+++ /var/www/html/photo/include/functions.inc.php   2008-04-11 00:59:47.000000000 +0400
@@ -2842,6 +2842,12 @@
     {
         return $return;
     }
+
+    // Check that the file is not user-writeable
+    // If we don't do this we're asking for troubles
+    if (posix_access ($path, POSIX_W_OK))
+        return $return;
+
     ob_start();
     include($path);
     $return = ob_get_contents();
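
Review bot: the added test `if (posix_access ($path, POSIX_W_OK))` only asks whether the PHP process itself can write to $path, so it says nothing about where $path points; unless the caller already constrains it, a file the process cannot write but that lies outside the intended include location still reaches `include($path)`. I would also check $path against the expected location before the include. Two smaller points on the same lines: posix_access() comes from PHP's POSIX extension, which is not available on Windows, so the call needs a function_exists('posix_access') guard or it will be a fatal error there; and the unbraced `if` returns $return silently, so brace it and log the rejected path so an admin can see that an include was refused. The comment says "user-writeable" while the check is about the current process, which is worth stating precisely.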


Also another simple hint to avoid being hacked: change in include/init.inc.php define('COPPERMINE_VERSION'...) to some bogus version. This way, you'll avoid your site being found with a simple google search for vulnerable versions.

Nibbler

You can't search HTML comments using google AFAIK, and changing the version number will stop the version checker working properly.

If you have details of an actual security issue in the current 1.4.19 then PM me.

anpaza

Yes, but you can search for "Powered by Coppermine Gallery" first, and then look in the HTML to find out which version is installed to choose an appropriate attack vector.

In 1.4.19 one would also have to remove the "<!-- SVN Version info" comments from every template.html file, since it also contains the version number.

The rest will go in a PM.