coppermine-gallery.com/forum

Hi dev-Team :)

the following files can be called directly and displays some error messages (full path disclosure):

include/search.inc.php,v 1.9 2004/09/30 22:30:38 nibbler999
include/plugin_api.inc.php,v 1.10 2004/09/04 00:40:22 kegobeer
include/picmgmt.inc.php,v 1.26 2004/10/22 09:36:39 caspershadow
include/keyword.inc.php,v 1.2 2004/08/13 04:27:20 gaugau
include/media.functions.inc.php,v 1.8 2004/09/25 19:09:44 caspershadow
include/langfallback.inc.php,v 1.8 2004/10/05 11:54:01 adityamooley
include/logger.inc.php,v 1.11 2004/08/08 09:57:13 gaugau
plugins/sef_urls/codebase.php,v 1.3 2004/08/08 20:48:47 oddeveloper
plugins/sef_urls/codebase.php,v 1.4 2004/08/08 10:06:56 gaugau

The same is in all language files.

With some only, if error_reporting is switched on  ;)


Maybe it's a good idea to put this line:
if (!defined('IN_COPPERMINE')) die('Not in Coppermine...');
in top of file


Additionaly, but i'm not shure....

In file include/keyword.inc.php,v 1.2 2004/08/13 04:27:20 gaugau there are this 2 lines in top of file:
define('IN_COPPERMINE', true);
define('SEARCH_PHP', true);
Is this correct?

Quote from: Andi on October 23, 2004, 07:07:02 PM
the following files can be called directly and displays some error messages (full path disclosure):

include/search.inc.php,v 1.9 2004/09/30 22:30:38 nibbler999
include/plugin_api.inc.php,v 1.10 2004/09/04 00:40:22 kegobeer
include/picmgmt.inc.php,v 1.26 2004/10/22 09:36:39 caspershadow
include/keyword.inc.php,v 1.2 2004/08/13 04:27:20 gaugau
include/media.functions.inc.php,v 1.8 2004/09/25 19:09:44 caspershadow
include/langfallback.inc.php,v 1.8 2004/10/05 11:54:01 adityamooley
include/logger.inc.php,v 1.11 2004/08/08 09:57:13 gaugau
plugins/sef_urls/codebase.php,v 1.3 2004/08/08 20:48:47 oddeveloper
plugins/sef_urls/codebase.php,v 1.4 2004/08/08 10:06:56 gaugau

The same is in all language files.

With some only, if error_reporting is switched on  ;)


Maybe it's a good idea to put this line:
if (!defined('IN_COPPERMINE')) die('Not in Coppermine...');
in top of file

Although there's little threat potential if an attacker tries to directly browse those files I added the line as you suggested.

Quote from: Andi on October 23, 2004, 07:07:02 PMAdditionaly, but i'm not shure....

In file include/keyword.inc.php,v 1.2 2004/08/13 04:27:20 gaugau there are this 2 lines in top of file:

Code Select Expand

define('IN_COPPERMINE', true);
define('SEARCH_PHP', true);
Is this correct?

Yes, this is correct: the definition just says what var inside the language file to use - to keep things simpler and avoid redundancy, I used the lang vars from search.php.

Joachim

Hi Joachim :)
I believe that was a misunderstanding.
With the constant SEARCH_PHP i was irritated and not sure.
But is not correct with the constant IN_COPPERMINE somewhat.

Iin the new file version (keyword.inc.php,v 1.3 2004/10/24 12:49:42 gaugau)  are this 2 lines:

line #19 : define('IN_COPPERMINE', true);

line #22 : if (!defined('IN_COPPERMINE')) { die('Not in Coppermine...');}

;) oh god my english...., sorry  :)

you're right, that's a contradiction in terms. Both definitions are useless, I dropped them from the code.

Joachim