
pakolkifooter validation problem

Started by tocumen, April 06, 2010, 10:16:44 PM


tocumen

I had not validated my Coppermine pages in a long time.  When I tried validating yesterday, they were found to be invalid because of an inserted comment including the string "pakolkifooter".  The comment syntax was incorrect.  I searched the forum and found this unresolved thread on the same subject: http://forum.coppermine-gallery.net/index.php?topic=61994.0

I downloaded all files from my Coppermine installation and searched and searched and searched for the string "pakolkifooter".  It simply could not be found.  I kept struggling to try to figure out how this could be inserted.  Eventually, I found a rogue codebase.php that had been inserted into my albums directory.  Although I don't know PHP well enough to completely figure out what it was doing, I could tell that it was inserting an additional table into the Coppermine database and filling it with some base64 strings that apparently must be links.  It also includes code to somehow display those links, although I never saw them displayed in my gallery.

I have removed the rogue codebase.php file and have dropped the table that it inserted.  I've changed the mysql user and password.  I haven't found anything else out of the ordinary.

I'm not sure how the rogue codebase.php file got inserted into the albums directory.  I have two Coppermine installations on two completely different web hosts.  Both of them had the rogue codebase.php file in the albums directory and both had the same date/time stamp.  Because of further security concerns, I'm not including links to my galleries.  I wanted to pass this information along because I know that other Coppermine installations are still affected by the same problem.

Joe Carver

Your report would be much more valid if you at least stated what version of Coppermine you were running, when + where in the albums directory the file was placed and if you were allowing others to upload/ftp content.

Additionally you could have searched this forum and Google for that file's name.

By the way - just because you have removed one "rogue" file you should not be certain that you have sanitized your gallery - I suggest that you review this:

Yikes, I've been hacked

tocumen

I'm running 1.4.26.  The date/time stamp on the rogue codebase.php file was February of 2009.  It apparently remained in place through more than one upgrade.  It was in the albums directory.  That's the location.  It was not in a subdirectory below that.  As the admin, I was the only user.  No one else was adding content.

I did search Google and the forum for codebase.php.  It's a standard file name for Coppermine plug-ins.  So there are multiple references to legitimate versions of codebase.php.  I did not find any references to this rogue version of codebase.php. 

I already reviewed Yikes in detail and have thoroughly scrutinized my sites.
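The rogue file described above sat inside the albums tree, a directory that should hold nothing but images. Below is an added example (written for this page, not code from the thread or from Coppermine) of the sweep a responder would run over such a tree: it flags any file with a server-executable extension, any file whose image extension does not match its leading bytes, and any file that opens with a PHP tag, and it reports modification times so a file that has sat there through several upgrades stands out. The extension list, the image signatures and the sample tree it builds under a temporary directory are assumptions constructed for the example.

```python
import os
import tempfile
from pathlib import Path
from typing import Optional

# Extensions a PHP-enabled host will execute. This list is an assumption for
# the example; match it to the actual server configuration.
EXECUTABLE_SUFFIXES = {".php", ".php3", ".php4", ".php5", ".phtml", ".phar"}

# Leading bytes of the image formats an upload tree is expected to contain.
IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a")
IMAGE_SUFFIXES = {".jpg", ".jpeg", ".png", ".gif"}


def classify(path: Path) -> Optional[str]:
    """Label a file that does not belong in an upload directory, else None."""
    suffix = path.suffix.lower()
    if path.name.lower() == ".htaccess" or suffix in EXECUTABLE_SUFFIXES:
        return "executable-extension"
    with path.open("rb") as fh:
        head = fh.read(32)
    if suffix in IMAGE_SUFFIXES and not head.startswith(IMAGE_MAGIC):
        # Claims to be an image but does not start like one (e.g. a PHP file
        # renamed to .gif). A valid image header followed by code is NOT
        # caught by this check; that needs a full content scan.
        return "bad-image-magic"
    if b"<?php" in head or b"<?=" in head:
        return "php-open-tag"
    return None


def audit_upload_tree(root) -> list:
    """Walk `root` and return one finding per suspicious file, oldest first."""
    root = Path(root)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            p = Path(dirpath) / fname
            label = classify(p)
            if label:
                findings.append({
                    "path": p.relative_to(root).as_posix(),
                    "finding": label,
                    "mtime": p.stat().st_mtime,
                })
    return sorted(findings, key=lambda f: (f["mtime"], f["path"]))


def build_sample_tree() -> str:
    """Constructed fixture: a tiny albums/ tree with two planted files."""
    root = Path(tempfile.mkdtemp(prefix="albums_"))
    (root / "userpics" / "10001").mkdir(parents=True)
    (root / "edit").mkdir()
    # Legitimate uploads: real JPEG and PNG headers (bodies are filler).
    (root / "userpics" / "10001" / "holiday.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 64)
    (root / "edit" / "thumb.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 64)
    # Planted: a script dropped next to the uploads, as in the report above.
    (root / "userpics" / "codebase.php").write_bytes(b"<?php /* constructed stand-in */ ?>")
    # Planted: PHP disguised with an image extension.
    (root / "userpics" / "10001" / "cute.gif").write_bytes(b"<?php system($_GET['c']); ?>")
    return str(root)


if __name__ == "__main__":
    for f in audit_upload_tree(build_sample_tree()):
        print(f"{f['finding']:22} {f['path']}")
```

Run it against a downloaded copy of the albums directory instead of the sample tree to get the list of candidates to inspect. The sweep only finds files; the durable fix is server-side, by configuring the web server so that nothing under the upload tree is ever executed as a script.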

Joachim Müller

Quote from: tocumen on April 06, 2010, 11:09:26 PM
It apparently remained in place through more than one upgrade.
Certainly. The upgrade process doesn't delete files that never were part of the release. You have the wrong expectations of what the upgrade does.

Quote from: tocumen on April 06, 2010, 10:16:44 PM
Because of further security concerns, I'm not including links to my galleries.  I wanted to pass this information along because I know that other Coppermine installations are still affected by the same problem.
Thanks for your readiness to help. But I don't think that security by obscurity has ever really done the job right.

Sadly, you haven't posted enough details to make your posting qualify as an actual report of a payload of a hack. You shouldn't just have deleted the file that you think has caused issues, but you should have attached it here, telling us the exact path where it resided. Additionally, you should have told us what exactly was changed in the database (partial mySQL dump would have helped a lot). You haven't done as OVF-Frank did in the thread Validation issue with Coppermine link, nor do you appear to have read the thread "Gallery Overtaken! HELP!" that shows when performing a search for "pakolkifooter". Both users who reported similar issues to yours have been reluctant to upgrade. Their outdated gallery was hacked. They only started looking after it when it was too late. A payload that the victim only notices because it breaks the page output's validity in terms of HTML correctness is just a badly-written payload; the exploit of the same vulnerability that led to your gallery getting compromised in the first place could just as well have generated content that wouldn't have broken the validation result, so you never would have noticed. This just shows the importance of keeping your gallery (or any other app) up-to-date, that's all.

tocumen

I am aware that the upgrade process essentially leaves the albums directory structure and contents alone.  My point was that the rogue file apparently had been in place there for a long time and I still had not noticed it even when upgrading.

I read the "Validation issue with Coppermine link" thread, which had no resolution.  I also read "Gallery Overtaken! HELP!" from which I found the reference to "Yikes", which I also went through in detail.  I also searched for, but did not find any procedures for reporting this kind of issue.

I am attaching the codebase.php that was found in ../albums/userpics/codebase.php.  I apologize to Joe Carver: earlier I thought it was in ../albums/codebase.php, but when I had the chance later to go back and review, I saw that it was actually ../albums/userpics/codebase.php.  You indicated that I should have previously attached it.  Because .php is not an allowed file type for attachments, I've added an extension of .txt.

Here is the mySQL dump of the table that was added:


--
-- Table structure for table `cpg143_temp_pictures`
--

CREATE TABLE IF NOT EXISTS `cpg143_temp_pictures` (
  `id` bigint(20) NOT NULL auto_increment,
  `item` varchar(255) NOT NULL,
  `value` text NOT NULL,
  KEY `id` (`id`)
) ENGINE=MyISAM  DEFAULT CHARSET=latin1 AUTO_INCREMENT=7 ;

--
-- Dumping data for table `cpg143_temp_pictures`
--

INSERT INTO `cpg143_temp_pictures` (`id`, `item`, `value`) VALUES
(1, 'footer', 'PCEtLS0gcGFrb2xraWZvb3RlciAtLS0+'),
(2, 'footer', 'PCEtLS0gcGFrb2xraWZvb3RlciAtLS0+'),
(3, 'footer', 'PCEtLS1jY2QxZjc1NGVhYjIyMmQ2YmJhNDkwOTYwOWZkNWM0Ny0tLT4='),
(4, 'footer', 'PCEtLS1jY2QxZjc1NGVhYjIyMmQ2YmJhNDkwOTYwOWZkNWM0Ny0tLT4='),
(5, 'footer', 'PCEtLS1jY2QxZjc1NGVhYjIyMmQ2YmJhNDkwOTYwOWZkNWM0Ny0tLT4='),
(6, 'footer', 'PCEtLS1jY2QxZjc1NGVhYjIyMmQ2YmJhNDkwOTYwOWZkNWM0Ny0tLT4=');

-- --------------------------------------------------------

The first two items in base64 decode as <--- pakolkifooter -->.  Because the string is in base64, searches for "pakolkifooter" yielded no matches.  The last four items decode as the hash string found in the attached codebase.php.

My galleries are at 1.4.26.  I always upgrade as soon as new versions are released.
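The reason the poster's searches for "pakolkifooter" came up empty is that base64 hides the plaintext, and worse, the encoded form of a string depends on its byte offset modulo 3 in the surrounding data, so even searching for one base64 encoding of the marker can miss it. The following added example (written for this page, not code from the thread or from Coppermine) decodes the six rows of the dump above exactly as posted and shows how to search a dump, a file, or a database export for a marker at every base64 alignment. It is general: it works for any marker, not just this one. The row data is copied from the dump above; the self-check prefix bytes are constructed.

```python
import base64
from typing import List, Tuple

# The rows of the table dump posted in this thread (values copied as shown).
DUMP_ROWS: List[Tuple[int, str, str]] = [
    (1, "footer", "PCEtLS0gcGFrb2xraWZvb3RlciAtLS0+"),
    (2, "footer", "PCEtLS0gcGFrb2xraWZvb3RlciAtLS0+"),
    (3, "footer", "PCEtLS1jY2QxZjc1NGVhYjIyMmQ2YmJhNDkwOTYwOWZkNWM0Ny0tLT4="),
    (4, "footer", "PCEtLS1jY2QxZjc1NGVhYjIyMmQ2YmJhNDkwOTYwOWZkNWM0Ny0tLT4="),
    (5, "footer", "PCEtLS1jY2QxZjc1NGVhYjIyMmQ2YmJhNDkwOTYwOWZkNWM0Ny0tLT4="),
    (6, "footer", "PCEtLS1jY2QxZjc1NGVhYjIyMmQ2YmJhNDkwOTYwOWZkNWM0Ny0tLT4="),
]


def decode_value(value: str) -> bytes:
    """Decode one stored value; the result is what the payload would emit."""
    return base64.b64decode(value)


def base64_needles(needle: bytes) -> List[str]:
    """Return the three base64 fragments that an encoding of *any* data
    containing `needle` must contain, one for each byte alignment.

    Base64 maps 3 bytes to 4 characters, so how a string encodes depends on
    its offset modulo 3. For each offset we encode `needle` behind that many
    dummy bytes, then cut off the leading characters whose bits mix dummy and
    needle bytes, and the trailing characters whose bits mix needle bytes with
    whatever follows (plus the '=' padding)."""
    if len(needle) < 3:
        raise ValueError("needle must be at least 3 bytes to give unambiguous fragments")
    fragments = []
    for offset in range(3):
        enc = base64.b64encode(b"\x00" * offset + needle).decode("ascii")
        head = (0, 2, 3)[offset]                        # chars tainted by the dummy prefix
        tail = (0, 3, 2)[(offset + len(needle)) % 3]    # chars tainted by suffix / padding
        fragments.append(enc[head:len(enc) - tail])
    return fragments


def contains_base64(text: str, needle: bytes) -> bool:
    """True if `text` carries `needle` in base64 at any alignment."""
    return any(frag in text for frag in base64_needles(needle))


def find_encoded(rows, needle: bytes) -> List[Tuple[int, str, bytes]]:
    """Rows whose base64 value embeds `needle`, returned with the decoded value."""
    return [(row_id, item, decode_value(value))
            for row_id, item, value in rows
            if contains_base64(value, needle)]


def fragments_cover_all_alignments(needle: bytes) -> bool:
    """Self-check: with constructed 0xff prefixes of length 0..5 and a suffix,
    the encoding of prefix+needle+suffix always contains one fragment."""
    return all(
        contains_base64(base64.b64encode(b"\xff" * k + needle + b"\x00rest").decode("ascii"), needle)
        for k in range(6)
    )


if __name__ == "__main__":
    print("fragments for 'pakolkifooter':", base64_needles(b"pakolkifooter"))
    for row_id, item, decoded in find_encoded(DUMP_ROWS, b"pakolkifooter"):
        print(row_id, item, decoded)
```

To sweep a whole site, feed `contains_base64` the contents of each file under the document root and each column of a database export; a hit on any of the three fragments is a hit on the marker regardless of what surrounds it. The same three-fragment trick applies to any string an attacker stores encoded, which is why a response should search for the base64 forms of known markers, not just the plaintext.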