
Security Setting for include directory

Started by wing, October 07, 2009, 01:17:39 PM


wing

I'm a relative newbie and not an experienced PHP user. I installed Coppermine with all its default settings. However, I recently was not able to log in and noticed that the following file is missing in the include directory. I have not made any change and was wondering if the missing file was the result of hacking or this sort. Fortunately, I have a copy on my own PC, so I uploaded it again and it works now.

The include directory has this default setting, which is different from the others, and I wonder if it is correct. However, is there any way I can check if the Coppermine studio that I have is vulnerable to hacking?

include   owner/unknown drwxrwsrwx     




Warning: main(include/init.inc.php): failed to open stream: Too many open files in system in /home/owner/studio.fusionliquid.com/html/index.php on line 68

Fatal error: main(): Failed opening required 'include/init.inc.php' (include_path='.:/usr/share/pear') in /home/owner/studio.fusionliquid.com/html/index.php on line 68

Joachim Müller

#1
Quote from: wing on October 07, 2009, 01:17:39 PM
I have not made any change and was wondering if the missing file was the result of hacking or this sort.

I strongly doubt that this is a sign of a hacking attempt. The hacker would not want to show he performed a hack by just crippling your site. As you failed to do as suggested per board rules (post a link to your gallery in each and every support thread!!!!!!!) we can't tell you more.

Quote from: wing on October 07, 2009, 01:17:39 PM
The include directory has this default setting which is different from others and I wonder if it is correct.

From the docs:
Quote from: http://coppermine-gallery.net/demo/cpg14x/docs/index.htm#permissions
2.1.1 Setting permissions
Coppermine needs write access to a number of files and folders on the webserver in order to accomplish the following:

  • during install, coppermine needs to create and write to the file "config.inc.php" in the "include" folder in order to store the necessary mySQL access data to run coppermine and to create and write the "install.lock" file, also in the same folder to prevent the installer from being run a second time after a successful install.
  • when using http uploads, coppermine needs to write the files that are being uploaded into the subfolders that you or your users create in the coppermine albums folder
  • regardless of the upload method, coppermine will create a thumbnail file and an intermediate file (if you have configured coppermine accordingly) and store it in a sub-folder in the "albums" directory, as well
  • If you are going to enable logging at some stage, the script needs write access on the folder "logs"
  • The "plugin" folder needs to be set to write access as well if you want to use the zip upload capabilities of the plugin manager

By default, files and folders on a webserver are usually not writable, so you will probably have to change permissions before installation, for the reasons mentioned above. It's really mandatory that you set/change (CHMOD) permissions - or you will run into issues sooner or later.

To be able to set permissions correctly, you have to understand how they work: there are read, write and execute permissions (abbreviated with rwx) for each folder and file. Permissions on a parent folder can propagate to a child folder or the files within it, but it's possible to tweak your setup so that unwanted permissions will not propagate to child folders and resident files.

However, there are differences between the different operating systems that are used as webservers. As a result, there are a number of different approaches. As coppermine is designed to run on many different setups, we've included some basic instructions. Those who know their way around may find these instructions somewhat generalized and lacking in details.
Note: it is not your local, client computer that matters, permission-wise, but, rather, the operating system used by your webserver. If you're not sure what OS your server is running on, try the CHMOD instructions first - most webservers run a version of Unix/Linux. If you can't figure how to set permissions properly, ask your webhost for support.
In other words: it's safe to set the permission for the include folder back to how it used to be before you applied write permissions.

Quote from: wing on October 07, 2009, 01:17:39 PM
However, is there any way I can check if the Coppermine studio that I have is vulnerable to hacking?

As suggested above: posting a link might help for a start... ::)

Not related to initial install, moving...
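
Added example, not part of the original thread and not Coppermine's own code: it decodes the `drwxrwsrwx` string from the first post into permission bits and lists world-writable entries in a gallery tree. The folder names in the constructed test tree and the choice to clear only the "other" write bit on include after install are assumptions made for illustration.

```python
import os
import stat
import tempfile

SPECIAL = {2: stat.S_ISUID, 5: stat.S_ISGID, 8: stat.S_ISVTX}  # s, s, t slots

def parse_ls_mode(text):
    """Convert an `ls -l` mode string such as 'drwxrwsrwx' to permission bits."""
    if len(text) != 10:
        raise ValueError("expected 10 characters, e.g. 'drwxrwsrwx'")
    mode = 0
    for i, ch in enumerate(text[1:]):          # skip the file-type character
        bit = 0o400 >> i
        flag = "t" if i == 8 else "s"
        if ch == "rwx"[i % 3]:
            mode |= bit
        elif i in SPECIAL and ch.lower() == flag:
            mode |= SPECIAL[i]
            if ch.islower():                   # lowercase: execute is set too
                mode |= bit
        elif ch != "-":
            raise ValueError(f"unexpected {ch!r} in {text!r}")
    return mode

def describe(mode):
    """Name the bits that matter on a shared web host."""
    checks = ((stat.S_IWOTH, "world-writable"), (stat.S_ISGID, "setgid"),
              (stat.S_ISUID, "setuid"), (stat.S_ISVTX, "sticky"))
    return [name for bit, name in checks if mode & bit]

def world_writable(root):
    """Return sorted paths under root (relative) whose other-write bit is set."""
    hits = []
    for dirpath, dirs, files in os.walk(root):
        for name in dirs + files:
            st = os.lstat(os.path.join(dirpath, name))
            if not stat.S_ISLNK(st.st_mode) and st.st_mode & stat.S_IWOTH:
                hits.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(hits)

def demo():
    """Constructed tree: audit it, drop o+w from include (assumed), audit again."""
    with tempfile.TemporaryDirectory() as root:
        for name, mode in (("include", 0o777), ("albums", 0o777), ("themes", 0o755)):
            os.mkdir(os.path.join(root, name))
            os.chmod(os.path.join(root, name), mode)
        inc = os.path.join(root, "include")
        before = world_writable(root)
        os.chmod(inc, stat.S_IMODE(os.stat(inc).st_mode) & ~stat.S_IWOTH)
        return before, world_writable(root)

if __name__ == "__main__":
    print(oct(parse_ls_mode("drwxrwsrwx")), describe(parse_ls_mode("drwxrwsrwx")))
    print(demo())
```

Pointing `world_writable()` at the real gallery root shows which of the folders named in the docs are still open to every account on the host.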


Joachim Müller

...and the link to it is http://studio.fusionliquid.com/ and not just studio.fusionliquid.com  ::)