Database Info. Security Concerns - cpmFetch - install.php -
 


Started by Joe Carver, November 11, 2009, 03:03:45 PM


Joe Carver

The installation file for cpmFetch will list the contents of the db Config settings to anyone that runs it.

Installation has no restrictions on who can run it. Sensitive cpg information (db name and password) doesn't appear, however there are rows that look to display Bridging db information.

Without too much more to go on, I would recommend that the file cpmfetch/install.php be deleted after you have installed cpmfetch.

Copied from (someone's) install.php
BRIDGE: short_name:
BRIDGE: license_number:
BRIDGE: db_database_name:
BRIDGE: db_hostname:
BRIDGE: db_username:
BRIDGE: db_password:
BRIDGE: full_forum_url:
BRIDGE: relative_path_of_forum_from_webroot:
BRIDGE: relative_path_to_config_file:
BRIDGE: logout_flag:
BRIDGE: use_post_based_groups:
BRIDGE: cookie_prefix:
BRIDGE: table_prefix:
BRIDGE: user_table:
BRIDGE: session_table:




[EDIT]
I have tried a quick test with SMF2.0 bridged to a cpg1.4.25 test gallery and have re-run cpmFetch install.php. It returned/displayed only the value for BRIDGE: short_name:.

I would still recommend deleting install.php from the cpmfetch folder after a successful installation.
[/EDIT]