password hack ? password hack ?
 

News:

cpg1.5.48 Security release - upgrade mandatory!
The Coppermine development team is releasing a security update for Coppermine in order to counter a recently discovered vulnerability. It is important that all users who run version cpg1.5.46 or older update to this latest version as soon as possible.
[more]

Main Menu

password hack ?

Started by bean, July 19, 2004, 11:39:03 AM

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

bean

Hi
Just installed Coppermine and just 2 days after someone mailed me my username and password for the admin login !?!?!?!
Is there a security risk in the script or do I have set something wrong? I need to find the security hole or I have to find another gallery.
Can somebody help ?
http://www.butts.dk/forum/files/thumbs/gallery/index.php

Tarique Sani

#1
1) Who was it - someone who knows you?
2) What other PHP programs are you running on your server - is anyone of them vulnerable
3) Yes Coppermine stores username and passwords in MySQL DB but we are not currently aware of any Coppermine exploits which will reveal username password
SANIsoft PHP applications for E Biz

Joachim Müller

There's no exploit for coppermine standalone as far as I know, but the hack could have come from other places as well: if an intruder manages to gain access to your database (e.g. if you have installed phpMyAdmin or similar and not password protected the whole phpMaAdmin folder), your website is broken, and all passwords are available for him. Another attack variant that is possible is the classic "man in the middle" or some trojan on your pc (keybaord-logging). If your account data are trivial, as brute force attack might be plausible as well. Consult your webserver logs on this issue.
Since there are various places where the attacker might have succeeded breaking into your webserver without coppermine core code being the culprit necessarily, it's hard to advise anything. Please provide more details on the email you received that contained your login data.

The reason that there are no known security holes in coppermine standalone doesn't mean that there actually are none, but it's very likely that other methods were used. I'm not trying to block your question by saying "that's impossible" - there could always be some hidden security flaw. Please post additional information.

GauGau

bean

LOL - my mistake !I think. I got the mail in german, so i didn't quite understand it. But it seems some had try to get the password by using the "Forgot you password" script and type my admin name in the box. Then I got this mail about my password and I freaked out :-) I hope that was the case here.

Tarique Sani

Most likely you are not using version 1.3.1 - that mail is supposed to be in the primary language of the site....
SANIsoft PHP applications for E Biz

bean

Yep, I just tried to use the german language and use the "I forgot my password" script. I got the same mail as before from the gallery telling me my username and password. Phew, you have no idea how much that freaked me out - LOL  ;D

bean

No, Im using version 1.3 since it says it's the stable one. Is 1.31 just as stable ?

Tarique Sani

Version 1.3.1 is supposed to be the latest stable release

@Moorey / Gaugau - we really need to update the website :)
SANIsoft PHP applications for E Biz

bean

Ok thanks. Installed 1.31 now but I still get other language in my mail when people are using another language. The board is set to english.
But not a big problem since I now know what to expect.

Joachim Müller

moorey doesn't react to my mailings - I filed a support request at sf.net, asking them to transfer ownership of the whole page to me. I will update is as soon as they react.

GauGau

omniscientdeveloper

This was a problem with ecards too, I think. I solved it by using the cpg_get_default_lang_var() function. This will return the language set in config, unless it's overided like in the fallback file.


-omni