Security Issue

Started by celian, November 24, 2005, 02:06:52 PM


celian

Today I received notice that an anonymous person had uploaded a file to one of my albums (using 1.4.2 stable).

The file name was: photo.php.rar <- Which I've included as an attachment (added a .txt to allow).

To my surprise, opening (looking at or simply "saving link") resulted in a window asking me for a password, and I discovered that I was in fact running the uploaded script, which by the way was/is not compressed, but pure text (php). I downloaded the file (through ftp, since the coppermine web interface insisted on running the script if I tried to download it) and discovered that it was a command-line web-interface.

I assumed that its running was due to me working as admin, so I tried modifying the script (deactivated user/pass - since the default ones were not working as logon/pass - dunno if it's a bug in the script or not..), and uploading again as anonymous.

Now I couldn't see the file, but as the album path is displayed anytime I view a random pic, and "/userpics" is the default standard in coppermine, I tried "http://www.mysite.xxx/album/albums/userpics/foto.php.rar", and whupti, script ran as before.

- Conclusion is that any album that allows uploads (with or without admin approval) and is using the default config is very vulnerable to this kind of attack.

Ideas to fix:

1: Changing default upload dir for existing users

Can't change once you're up and running according to the config page! Couldn't there be an option that scanned the database and made the required changes to images already saved?

2: Changing the default upload dir to random name upon fresh installation

3: Renaming uploaded files to random name (saved and associated in database to original name), and restoring upon approval. (My favourite)

- Celian

kegobeer

How about reading the documentation, and making sure that you prevent uploads to your website that could be malicious?  By default Coppermine allows all file types, it's up to the admin to lock down the application to only allow images, movies, etc.

Abbas Ali


celian


Thank you for both replies!

I will lock down uploads to certain file types for the moment to fix this problem.


But, aside from the security risk I still think that the current "default" /userpics folder presents a problem, and that my ideas towards fixing it stand solid.

This is because, even though we block certain filetypes (by only allowing others), files of the now allowed type can still be uploaded and accessed by any user, and linked to directly. - This allows anyone to use our webservers as a relay station for any kind of content that they feel like.

I think by law that I am responsible for all content on my pages, and even if not I would still prefer not to play host to anyone seeking some webspace for images (temporary though it may be, as at some point I'd check my mail and see the upload notification).

Plus this can be used to distribute any kind of content, say mp3s (filesize limited I know) or data, by renaming the files to have an extension acceptable by the coppermine photo gallery.

To sum up, following examples are what I fear:

Kiddieporn.jpg
Album_song.mp3.jpg
Any_kind_of_data_file_to_be_distributed.rar.jpg


Therefore I would suggest that this behaviour be stopped beforehand by my 2nd or 3rd suggestion in my previous post, the latter being optimal as no user can access the database to find the uploaded filename, and shouldn't be that hard to implement.

- Celian

celian

Another quick note:

The locking down solution also presents me with the problem that I'll need to set this for Documents / Audio / Video / Images..

For what is a valid "Document"? - If I upload script.php.rar again, and album doesn't recognize it as an image, will it try other categories before finally finding one that allows "all" (say documents for example) and then accept the file?

This seems like a very desperate solution of locking down every possible avenue, instead of fixing the simple problem, and still doesn't cover the other issues (relay) that I remarked on in my previous post..

- Celian

Joachim Müller

These are the inserts for the filetypes table:

INSERT INTO CPG_filetypes VALUES ('jpg', 'image/jpg', 'image', '');
INSERT INTO CPG_filetypes VALUES ('jpeg', 'image/jpeg', 'image', '');
INSERT INTO CPG_filetypes VALUES ('jpe', 'image/jpe', 'image', '');
INSERT INTO CPG_filetypes VALUES ('gif', 'image/gif', 'image', '');
INSERT INTO CPG_filetypes VALUES ('png', 'image/png', 'image', '');
INSERT INTO CPG_filetypes VALUES ('bmp', 'image/bmp', 'image', '');
INSERT INTO CPG_filetypes VALUES ('jpc', 'image/jpc', 'image', '');
INSERT INTO CPG_filetypes VALUES ('jp2', 'image/jp2', 'image', '');
INSERT INTO CPG_filetypes VALUES ('jpx', 'image/jpx', 'image', '');
INSERT INTO CPG_filetypes VALUES ('jb2', 'image/jb2', 'image', '');
INSERT INTO CPG_filetypes VALUES ('swc', 'image/swc', 'image', '');
INSERT INTO CPG_filetypes VALUES ('iff', 'image/iff', 'image', '');

INSERT INTO CPG_filetypes VALUES ('asf', 'video/x-ms-asf', 'movie', 'WMP');
INSERT INTO CPG_filetypes VALUES ('asx', 'video/x-ms-asx', 'movie', 'WMP');
INSERT INTO CPG_filetypes VALUES ('mpg', 'video/mpeg', 'movie', 'WMP');
INSERT INTO CPG_filetypes VALUES ('mpeg', 'video/mpeg', 'movie', 'WMP');
INSERT INTO CPG_filetypes VALUES ('wmv', 'video/x-ms-wmv', 'movie', 'WMP');
INSERT INTO CPG_filetypes VALUES ('swf', 'application/x-shockwave-flash', 'movie', 'SWF');
INSERT INTO CPG_filetypes VALUES ('avi', 'video/avi', 'movie', 'WMP');
INSERT INTO CPG_filetypes VALUES ('mov', 'video/quicktime', 'movie', 'QT');

INSERT INTO CPG_filetypes VALUES ('mp3', 'audio/mpeg3', 'audio', 'WMP');
INSERT INTO CPG_filetypes VALUES ('midi', 'audio/midi', 'audio', 'WMP');
INSERT INTO CPG_filetypes VALUES ('mid', 'audio/midi', 'audio', 'WMP');
INSERT INTO CPG_filetypes VALUES ('wma', 'audio/x-ms-wma', 'audio', 'WMP');
INSERT INTO CPG_filetypes VALUES ('wav', 'audio/wav', 'audio', 'WMP');
INSERT INTO CPG_filetypes VALUES ('ogg', 'audio/ogg', 'audio', '');

INSERT INTO CPG_filetypes VALUES ('psd', 'image/psd', 'image', '');
INSERT INTO CPG_filetypes VALUES ('ram', 'audio/x-pn-realaudio', 'document', 'RMP');
INSERT INTO CPG_filetypes VALUES ('ra', 'audio/x-realaudio', 'document', 'RMP');
INSERT INTO CPG_filetypes VALUES ('rm', 'audio/x-realmedia', 'document', 'RMP');
INSERT INTO CPG_filetypes VALUES ('tiff', 'image/tiff', 'document', '');
INSERT INTO CPG_filetypes VALUES ('tif', 'image/tif', 'document', '');
INSERT INTO CPG_filetypes VALUES ('doc', 'application/msword', 'document', '');
INSERT INTO CPG_filetypes VALUES ('txt', 'text/plain', 'document', '');
INSERT INTO CPG_filetypes VALUES ('rtf', 'text/richtext', 'document', '');
INSERT INTO CPG_filetypes VALUES ('pdf', 'application/pdf', 'document', '');
INSERT INTO CPG_filetypes VALUES ('xls', 'application/excel', 'document', '');
INSERT INTO CPG_filetypes VALUES ('pps', 'application/powerpoint', 'document', '');
INSERT INTO CPG_filetypes VALUES ('ppt', 'application/powerpoint', 'document', '');
INSERT INTO CPG_filetypes VALUES ('zip', 'application/zip', 'document', '');
INSERT INTO CPG_filetypes VALUES ('rar', 'application/rar', 'document', '');
INSERT INTO CPG_filetypes VALUES ('gz', 'application/gz', 'document', '');
INSERT INTO CPG_filetypes VALUES ('mdb', 'application/msaccess', 'document', '');

Instead of having "ALL" in the allowed filetypes section, this is what you could put into this field as well:

Allowed image types: jpeg/jpe/gif/png/bmp/jpc/jp2/jpx/jb2/swc/iff
Allowed movie types: asf/asx/mpg/mpeg/wmv/swf/avi/mov
Allowed audio types: mp3/midi/mid/wma/wav/ogg
Allowed document types: psd/ram/ra/rm/tiff/tif/doc/txt/rtf/pdf/xls/pps/ppt/zip/rar/gz/mdb

HTH

Cyclist

If I only want to allow images is it possible to set allowed movie types, allowed audio types and allowed document types to "None" so that it's impossible to upload other files than images?

Nibbler

Use the filetype editor (http://forum.coppermine-gallery.net/index.php?topic=24186.0) to remove the filetypes you don't want to allow.

amirw2k

I agree that this is a security issue regarding the fact that people can use your server for illegal activities. I disagree that changing the users directory will solve anything!

Following scenario:
1. Only registered people can upload files.
2. Admin must approve new images from users.

When you upload an image to the server, it doesn't matter whether you have or don't have an approval, the image is there, at the users directory. Anyone who knows how coppermine works can easily get the image (or file) without any admin approval.

Changing the directory will not solve anything because you can find what it is by right-clicking on an image.

The simple solution is to use another directory to store the waiting-for-approval images, and after approval move them to the users directory. However, it's not safe enough because as you know, most of admins wouldn't change the default directory.

The real solution is to save the image with another name, and preferably add to the end of the image name a random set of characters which will be saved in the database. After the image is approved the file-name will be changed back, or you can simply keep it with the new name. The file rename is something that you can see in Image-Shack and many other image storage providers.

Amir W.
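An added example, not Coppermine's own code, showing Joachim's allowlist approach and the random-name, approve-later scheme Celian (suggestion 3) and Amir describe working together; written in Python for illustration rather than the gallery's PHP. The `RECORDS` dict, the `store_pending`/`approve` functions and the directory names are assumptions standing in for the real database and config.

```python
import os
import secrets
import shutil
import tempfile
# Allowlist: the image and audio extensions from Joachim's lists above (a subset).
# Anything not listed here (php, rar, txt, ...) is refused outright.
ALLOWED = {"image": {"jpg", "jpeg", "jpe", "gif", "png", "bmp"},
           "audio": {"mp3", "midi", "mid", "wma", "wav", "ogg"}}
RECORDS = {}  # token -> (original name, extension); stands in for the DB row
def classify(filename):
    """Category of filename, or None when refused. Every dotted component must be
    allowed and all must share one category, so 'photo.php.rar' and
    'song.mp3.jpg' are refused even where a last-extension-only check passes."""
    parts = filename.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return None
    cats = set()
    for ext in parts[1:]:
        cat = next((c for c, exts in ALLOWED.items() if ext in exts), None)
        if cat is None:
            return None
        cats.add(cat)
    return cats.pop() if len(cats) == 1 else None

def store_pending(pending_dir, original_name, data):
    """Write data under an unguessable random name; return the token or None."""
    if classify(original_name) is None:
        return None
    ext = original_name.rsplit(".", 1)[1].lower()
    token = secrets.token_hex(16)  # 128 random bits: the path cannot be guessed
    os.makedirs(pending_dir, exist_ok=True)  # must sit outside the web root
    with open(os.path.join(pending_dir, token + "." + ext), "wb") as fh:
        fh.write(data)
    RECORDS[token] = (original_name, ext)
    return token

def approve(pending_dir, public_dir, token):
    """Move an approved upload into the served directory, keeping the random name."""
    _, ext = RECORDS.pop(token)
    os.makedirs(public_dir, exist_ok=True)
    dst = os.path.join(public_dir, token + "." + ext)
    shutil.move(os.path.join(pending_dir, token + "." + ext), dst)
    return dst

def demo():
    """Constructed end-to-end run in a temporary directory; returns (token, path)."""
    root = tempfile.mkdtemp()
    pending, public = os.path.join(root, "pending"), os.path.join(root, "public")
    token = store_pending(pending, "holiday.jpg", b"\xff\xd8\xff constructed sample")
    return token, approve(pending, public, token)
```

Because the public name is the random token, nothing about the original upload (its name or the /userpics convention) lets a visitor derive the URL before approval.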

celian


Thank you for your post Amir, it's nice to know that I'm not the only one who sees this as an open security issue.

I can see that changing the default upload folder won't help, as I in my first suggestions had forgotten that it is not just used to store the images prior to approval, but is also the default folder for all user uploaded pictures, that aren't moved later on when an admin approves them and possibly places them in another album "Folder". So even if renamed, it could be easily found by finding a user uploaded pic and checking the url.

So we're back at suggestion number 3 from my first post:

Quote: 3: Renaming uploaded files to random name (saved and associated in database to original name), and restoring upon approval. (My favourite)

Or as put by Amir W.:

Quote: The real solution is to save the image with another name, and preferably add to the end of the image name a random set of characters which will be saved in the database. After the image is approved the file-name will be changed back, or you can simply keep it with the new name. The file rename is something that you can see in Image-Shack and many other image storage providers.

This being the optimal solution as far as I can see.

I hope that someone will take this seriously enough to make the change, or maybe just acknowledge the problem, as the previous posts made by developers in this thread have only pointed towards workarounds that would not fix the basic issue of uploaded files being accessible to anyone, prior to approval.

- Celian