Authenticate? Authenticate?
 

News:

cpg1.5.48 Security release - upgrade mandatory!
The Coppermine development team is releasing a security update for Coppermine in order to counter a recently discovered vulnerability. It is important that all users who run version cpg1.5.46 or older update to this latest version as soon as possible.
[more]

Main Menu

Authenticate?

Started by sandramichelle, November 27, 2008, 02:27:17 AM

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

sandramichelle

When trying to change some configuration settings, I click on "save new configuration" and come to a screen that says "Authenticate" with a box for user name and password.  I put mine in, and it goes back to my home page and the changes have not been made.

Can anyone help me with fixing this, please?  I have looked through the forum but if this was touched on in a prior post, I couldn't locate it.

Thanks!

Nibbler

Can you post a screenshot of this? Doesn't sound like part of Coppermine to me.

lumo

HI, I've got the same problem since today!

Yesterday, I didn't see my Captcha Image anymore. I disabled Captcha via PHPAdmin in order to be able to login. Then I removed Captcha with the Coppermine Plugin manager. Now, when trying to make changes to my Coppermine settings, this "Authenticate" screen appears. And no changes are accepted.
(https://coppermine-gallery.com/forum/proxy.php?request=http%3A%2F%2Fwww11.file-upload.net%2Fthumb%2F29.11.08%2Fmpdmk2.gif&hash=c36cbbd55fc7bfdef4e6c6f4a5c2d2f0a9c86170)

Please help!

lumo



Nibbler

Can you zip up your admin.php and attach it to this thread please. Is your gallery up to date?

lumo

I've just updated to last version.

Here's the admin.php:

http://www.file-upload.net/download-1284208/adminphp.zip.html

btw: How can I edit posts?

greetings
lumo


Nibbler

You can't edit posts. Please attach files to the thread instead of using some other website.

I wanted the version of admin.php that gives you this 'authenticate' box not the clean 1.4.19 version.

lumo

Sorry, I'm new here. This is the admin.php i downloaded from my Coppermine directory. Are there different admin.php in the directory?

How can I attach a file properly?

Cheers  ;)
lumo

lumo

Okay, I found out how to attach.

lumo

lumo

Hi Nibbler,

any idea what's the problem here?

Greetings
lumo

Nibbler

The attached file is the 1.4.19 version again. Do you actually have the original?

Could be some other script interfering (possibly accidentally), or a hack to steal admin passwords.

lumo

So then, would it be better to set up a whole new gallery and delete the old one, that is, make a new install rather than an update?

Concerning the admin.php, as I told you, I downloaded it directly from the coppermine folder (cpg148) on my webspace. I made the update to version 1.4.19 yesterday. So why are you astonished about the admin.php version?

I guess this is the only admin.php file which should be situated in the cpgxxx directory, isn't it?

lumo

Joachim Müller

You probably have been hacked before performing the upgrade - your issues sound familiar: read up http://forum.coppermine-gallery.net/index.php/topic,56516.msg276234.html#msg276234 - the user there reported the very same thing.
Please note that upgrading a gallery that already was hacked won't make the hack go away - you have to sanitize your entire webspace.

lumo

Hallo Joachim, danke für den Hinweis. Ich mach jetzt erst mal ein Backup von meinen htdocs.
Die Galerie kann ich nicht auf Wartungsmodus stellen, weil ich ja nichts verändern kann. Ich denke, ich werde von Grund auf alles neu aufbauen.

Hi Joachim, thanks for your hint. First, I'm going to make a backup of my htdoc files. I can't set the gallery into maintenance mode because of the (assumed) hack. I think I'll need to rebuild everything.  :'(

lumo

Joachim Müller

It doesn't hurt if you can't put the gallery into maintenance mode. Skip that step from the sanitization instructions - it is only meant to make sure that the content of your gallery doesn't change during sanitization because of users uploading images. Starting from scratch will not automatically sanitize your webspace. The attacker may have left behind a backdoor somewhere outside of the coppermine folder. I strongly suggest that you sanitize as suggested. Only English please on this part of the forum.

lumo

May I post my first results of sanitization?

  • "anycontent.php" is unchanged, although it was supposed to be. Maybe when updating to 1.4.19, I made the mistake of ovwerwriting the previous file.
  • in /docs/pics I've got a file named "bridge_02_app.gif" which should not be there
  • in /include I've got three unexpected files named "vote.php", "readme.txt" and "exifReader.inc.php". The "config.inc.php" was changed, I found a string of program code in it, beginning with:
<? /**/eval(base64_decode('aWY
    , my database acces data left at the end of the string.
    • in /logs I've got a surplus file named "security.log.php"

    I moved all the corrupted (?) files to a new folder before changing or deleting them.

    I replaced the messy content of config.inc.php with the text which was proposed by Joachim, and adding my data instead of the XXX placeholders.

<?php
// Coppermine configuration file

// MySQL configuration
$CONFIG['dbserver'] =                         'xxx';        // Your databaseserver
$CONFIG['dbuser'] =                         'xxx';        // Your mysql username
$CONFIG['dbpass'] =                         'xxx';                // Your mysql password
$CONFIG['dbname'] =                         'xxx';        // Your mysql database name


// MySQL TABLE NAMES PREFIX
$CONFIG['TABLE_PREFIX'] =                'xxxx';
?>


Would anyone be so kind (I know well that you are all very busy) and analyze the content of the messy config.inc.php in order to find out, what it does?

I'll continue, if I may.

Yours
lumo

lumo

I forgot one thing:

In the /include folder, "install.lock" was not empty. It contained the text "locked"

lumo

Report continued:


  • Removed suspicious files from server (look above)
  • replaced config.inc.php on server with "clean" version"
  • replaced install.lock on server with "clean" version"
  • made database update

Result: "Authenticate" screen still appears. Damn!

Then I did the following:

As I knew I had no plugins installed, but there were a lot of them (uninstalled ones) in my plugins folder (don't ask me how or when I got them ...), I decided to remove all of them.


  • Removed all uninstalled plugins with the pluginmgr.php
  • Tried to make changes in my config table
  • Success! No more "Authenticate" window opening, config changes are accepted.

So how to continue now?

Yours
lumo

lumo

Note:
Also the file "themes.php" in my customized "gray satin" theme was affected. At the beginning of the file, I found some code that should not be there. I replaced the file with an original version of "themes.php". Are you interested in the code that was smuggled in? Tell me, so I could post a screenshot.

Thank you very much, Joachim!

Joachim Müller

No thanks, the payload is unimportant for us, as it may differ on the next attack.