Gallery is a big security hole and open relay?

[Saubloed]

Maybe its one of the best galleries BUT:

- its by default an open relay because anonymous user can send emails
- emails dont contain non-fakeable information like sender IP
- passwords are stored in database as clear text
- dont work with safe_mode
- files in zip archives will never have the correct file permissions by default
- AFAIK old versions with security hole are still downloadable and its only hidden noted in FAQ (!?!)
- FAQ is only readalbe with javascript and the gallery contain also some not-nessessary Javascript that dont work with all browsers

Come on - just look at the phpBB code:  passwords are stored with md5sum hases, it work with safe_mode, emails contain anti-abuse information, they release files also as tar.gz, they only use Javascript for things that are not important.

The cracy programmers of this gallery should put the root passwort at every webpage - would be the same effekt. LOL

[jasendorf]

Here's an idea... if you don't like it, don't use it.

The cracy programmers of this gallery should put the root passwort at every webpage - would be the same effekt. LOL

Alrighty... here's my gallery, http://www.338tharmyband.com/photo_gallery/

Upload a photo to it.  Here's your chance to show us all how your "theory" will work.

[Rodinou]

Waouhhh your pic Signature is all my informations about me : congratulations

[jasendorf]

Big deal... it's a simple magic trick... Your browser gives this information freely and it is not a security issue.  Don't let his little trick impress you... You want to see an impressive trick, click here.

[Joachim Müller]

troll alert!
Although Saubloed (nomen es omen? for non-german speaking users: "saubloed"="thick as a brick") is right on some of his issues I'll have to make some statements, only to solve some misunderstandings:

its by default an open relay because anonymous user can send emails

we seem to have different definitions on the term "open relay"...

emails dont contain non-fakeable information like sender IP

I consider this as a feature request

passwords are stored in database as clear text

you're right on this - we're working on it...

dont work with safe_mode

not true, safe mode works fine; even with servers where safe mode is not configured properly you can use silly_safe_mode-settings

files in zip archives will never have the correct file permissions by default

true, but usually windows users (the majority of our users) will unzip it on their client using winzip or similar, so the advantages of a tarball will be gone. We released our files in a hurry (the original site chezgreg.net had gone down, so we didn't pack up everything as tarball).

AFAIK old versions with security hole are still downloadable and its only hidden noted in FAQ (!?!)

afaik the known security holes that have been an issue with cpg1.0 have been fixed in the files that are available for download

FAQ is only readalbe with javascript and the gallery contain also some not-nessessary Javascript that dont work with all browsers

true, the faq need a re-work

...they only use Javascript for things that are not important

so does coppermine - the slideshow and the full-size pop-up aren't esential for coppermine to work

The cracy programmers of this gallery should put the root passwort at every webpage - would be the same effekt. LOL

your posting has been OK untill this remark - I won't take the effort to check wether you provided a valid email address on registration - you surely didn't. :roll:

GauGau

[John]

@Saubloed: Thank you for pointing out what the dev team allready knows.

[EZ]

I think that counter-attacking isn't the way. We should take whatever relevant criticism is in the post for our benefit, and just ignore the rest.

Indeed the original poster may be just a troll, but on the other hand he may have intended to report some issues that he considers as flaws, and he just doesn't have the manners to do it right.

One way or another, if he made any useful comment then great for us, and for all the rest who cares.

EZ.

[John]

@EZ: Agreed, I knew this before i posted, as they say "if not part of solution then part of problem" i will say no more.

[Saubloed]

its by default an open relay because anonymous user can send emails

we seem to have different definitions on the term "open relay"...

It IS and open relay. Since jasendorf say you can use it - do it:
http://www.338tharmyband.com/photo_gallery/ecard.php?album=2&pid=457&pos=0

Should i send you 1 million of emails or 10 or 10000?

[Joachim Müller]

you're right - I just started trackers on these issues...

GauGau

[Saubloed]

Waouhhh your pic Signature is all my informations about me : congratulations

Look at this website:
http://www.danasoft.com/

[Saubloed]

The cracy programmers of this gallery should put the root passwort at every webpage - would be the same effekt. LOL

your posting has been OK untill this remark - I won't take the effort to check wether you provided a valid email address on registration - you surely didn't. :roll:

Just imagine:
- there is a bug in a php scirpt
- you can get the password of the admin-user of the gallery and you probably have the loginpassword of FTP/SSH
- even if not -  you have the (encrypted) mysql password (and can crack it very fast if it is not long (<12 Characters)) and you  probably have the FTP/SSH login
- on the worst case there is a local root securityhole (ptrace bug)

My problem is just that i am a little Webhoster and i recognized that this script is a must have for some of my customers but it bring me gigantic problems.

[John]

do you have or could you make some fixes for cpg ??

[Joachim Müller]

OK, so this all boils down to md5-encryption of the passwords in the database, right?

I started a tracker on this, let's see...

GauGau

[Saubloed]

OK, so this all boils down to md5-encryption of the passwords in the database, right?

I started a tracker on this, let's see...

Ok thank you.
I also think anonymous ecards sending should be disabled until it is limited or contain anti-abuse information. I will report this as bug.

[jasendorf]

BTW, Saubloed, I still am waiting for you to break in to my "insecure" Coppermine Photo Gallery...

Or, perhaps you need me to "put the root password on every webpage" for you to be successful?


Come on big boy... show us what you got.  Either that or STFU.

[Joachim Müller]

hush, flame off, torch!

GauGau

[moorey]

The cracy programmers of this gallery should put the root passwort at every webpage - would be the same effekt. LOL

I'd like to see you write your own secure gallery and come up with a different "cracy effekt".

[Tarique Sani]

Except for the fact that by default e-cards can be sent by anonymous users everything else - Yes even the passwords stored in clear text in MySQL - are comments of a troll who used cheap Microsoftish tricks to impress the naive.

Just spreading FUD - nuff said, back to work everyone.

BTW I have fixed the e-card sending defaults in CVS

[jasendorf]

BUWAHAHAHAHAHAHAHAHA

This moron just spammed my email box with 10 e-cards...  even though I specifically said:

Alrighty... here's my gallery, http://www.338tharmyband.com/photo_gallery/

Upload a photo to it. Here's your chance to show us all how your "theory" will work.

No one was denying the ability to send multiple e-cards as an anonymous user (nevermind that I have your IP in my http log now...).  But, I'm fairly certain my challenge was pretty clear.  You failed.  Now, trolly, go away.