coppermine-gallery.com/forum

Support => cpg1.4.x Support => Older/other versions => cpg1.4 upload => Topic started by: SickFinga on June 17, 2006, 10:22:40 AM

Title: Vulnerability? Had shell uploaded through upload.php
Post by: SickFinga on June 17, 2006, 10:22:40 AM
I was checking my counter, and saw someone was "google hacking".

Someone was searching for "coppermine photo gallery intitle:"Upload File"" on Yahoo and got to my site.
I checked my logs and noticed that user tried to access
http://url.com/albums/userpics/is.php.rar

I checked my USERPICS folder and sure enough is.php.rar was there.
I opened it with notepad, and it is a shell.


So I was wondering if there is any danger?


I have 1.4.5 patched to 1.4.8
Title: Re: Vulnerability? Had shell uploaded through upload.php
Post by: Sami on June 17, 2006, 10:34:09 AM
Yes, there is; you should delete that file.
- As of cpg 1.4.6, the gallery is protected against Apache's .rar vulnerability (http://forum.coppermine-gallery.net/index.php?topic=31671.0)
- This file was uploaded before you upgraded the gallery
Title: Re: Vulnerability? Had shell uploaded through upload.php
Post by: SickFinga on June 17, 2006, 11:04:31 AM
Nope, uploaded yesterday.
Guess I should double check if I actually patched it.
Title: Re: Vulnerability? Had shell uploaded through upload.php
Post by: SickFinga on June 17, 2006, 11:14:43 AM
Checked function.inc.php and it is patched (patched on May 26).
The rar file was uploaded on 16th June.

??? ???
Title: Re: Vulnerability? Had shell uploaded through upload.php
Post by: Sami on June 17, 2006, 11:28:06 AM
Look for other shell files; maybe you have a shell file uploaded before the update, and they use that to upload a new one!
What is the actual name? is.php.rar or is_php.rar?
- A link to the site with a test (non-admin) user would be helpful
Title: Re: Vulnerability? Had shell uploaded through upload.php
Post by: SickFinga on June 17, 2006, 11:56:55 AM
File name is is_php.rar

But when he tried to access it, he tried is.php.rar
[Fri Jun 16 10:05:53 2006] [error] [client 193.226.60.107] File does not exist: /usr/home/tttt/public_html/404.shtml
[Fri Jun 16 10:05:53 2006] [error] [client 193.226.60.107] File does not exist: /usr/home/tttt/public_html/albums/userpics/is.php.rar

site
http://tuningdb.com
Title: Re: Vulnerability? Had shell uploaded through upload.php
Post by: SickFinga on June 17, 2006, 11:59:59 AM
OK I just tried to rename the shell to is.php.rar and upload it. Coppermine changed the file name to is_php.rar

So I guess the fix does work.

Sorry for the false alarm.
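
Added example, not part of the thread and not Coppermine's own code: a Python sketch of the two checks discussed above, storing an upload under a name with a single allow-listed extension (so is.php.rar becomes is_php.rar) and flagging error-log requests for names that hide a script extension before the final one. The extension lists, function names, paths and log lines are assumptions constructed for illustration.

```python
import re

# Assumed list of extensions a web server may map to an interpreter.
SCRIPT_EXTS = {"php", "php3", "php4", "php5", "phtml", "pl", "py", "cgi"}
# Assumed upload allow-list for this illustration.
ALLOWED_EXTS = {"jpg", "jpeg", "png", "gif", "rar", "zip"}

def hidden_script_exts(name):
    """Script extensions in the segments between the base name and the final extension."""
    return [seg for seg in name.lower().split(".")[1:-1] if seg in SCRIPT_EXTS]

def sanitize_upload_name(name):
    """Return a stored name with exactly one dot; reject types not on the allow-list."""
    name = name.replace("\\", "/").rsplit("/", 1)[-1]   # drop any client-supplied path
    stem, _, ext = name.rpartition(".")
    ext = ext.lower()
    if ext not in ALLOWED_EXTS:                         # also rejects "x.php", "x.php.", "x"
        raise ValueError("extension not allowed: %r" % name)
    # Inner dots and other unexpected characters become underscores.
    stem = re.sub(r"[^A-Za-z0-9_-]", "_", stem) or "file"
    return stem + "." + ext

LOG_RE = re.compile(r"\[client ([^\]]+)\] File does not exist: (\S+)")

def probes_in_error_log(lines):
    """(client, path) pairs for missing files whose name hides a script extension."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m and hidden_script_exts(m.group(2).rsplit("/", 1)[-1]):
            hits.append((m.group(1), m.group(2)))
    return hits

# Constructed sample in the Apache error-log format quoted in the thread.
SAMPLE_LOG = [
    "[Fri Jun 16 10:05:53 2006] [error] [client 192.0.2.10] "
    "File does not exist: /var/www/html/404.shtml",
    "[Fri Jun 16 10:05:53 2006] [error] [client 192.0.2.10] "
    "File does not exist: /var/www/html/albums/userpics/is.php.rar",
]

if __name__ == "__main__":
    print(sanitize_upload_name("is.php.rar"))
    print(probes_in_error_log(SAMPLE_LOG))
```

A request that fails with "File does not exist" for the dotted name, while the underscored name is what sits on disk, matches the pattern of a stored name that was rewritten at upload time.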
Title: Re: Vulnerability? Had shell uploaded through upload.php
Post by: Sami on June 17, 2006, 12:06:47 PM
Yes, it works  ;)
Nop ,