Hello,
I work for a quite large webhosting company, and I just did some daily routine security checks, and found out that someone had used an exploited coppermine script to gain access to the server. No serious damage was done, the person was only running a few eggdrops (which we don't allow).
I have disabled the script. I'm not able to see what version was running, however could you please verify that the latest version of coppermine is absolutely secure? And are you aware of any exploits in older versions?
I'm going to have to disallow users from running coppermine on any of our servers if you can't show me that coppermine is secure. I really don't want to go there, so I hope you can verify this.
Thank you.
Nevermind, already seem to have found what's the problem:
http://forum.coppermine-gallery.net/index.php?topic=5879.0
just to make this clear for others reading this thread: the security vulnerability and the resulting exploit does not apply to coppermine standalone (with or without bbs integration), but only applies to cpgNuke (aka "Coppermine for CMS"). There are no known security holes in coppermine standalone.
Next time, please make sure to post on the proper board (your report should have gone to the support board for "Coppermine for CMS" here: http://www.nukephotogallery.com/) - posting security related reports is a sensitive area that can ruin a software's reputation without an actual security risk existing.
GauGau
WOLF!!!!