Batch upload for users?

Started by Eyedea, March 28, 2004, 02:24:32 PM


Eyedea

Is there a way to allow users the batch upload???

ok, I just found out that I would have to make the user an admin... is there really no workaround???

thx for help

Joachim Müller

this has been asked quite often, so in the future, please search the board before posting such a question:
in theory, you could hack coppermine to let users have access to the batch-add function of coppermine, but to use it properly you would have to allow them to have ftp write access to your albums folder, which means: they have full admin powers (as they could upload any script that could take over the ownership of your whole site). Giving ftp upload permissions to users is a huge security risk, that's why only the admin has batch-add. If you need such a modification anyway, you'll have to code it by yourself, as I won't give instructions on how to disable or undermine people's webserver security.

GauGau

hoggwild

New to board and easily new to Coppermine..

I love your product.. Our T-ball team page is excellent. (using the gallery)

However on the issue of batch upload for the users I too feel it should/can work..
And might get a mod and post.

On the ftp rights to the machine.. That actually is not a true statement, as on our hosted box
I created two accounts..

One an email account with ftp rights with the folder path to the location of the non userpics folders

Second was by enabling anonymous ftp and performing the same thing.. having the folder path go to the location of the sub folders for batch uploads.

I now need to get the php logic to give this form and search area to them.

As all are registered so I honestly don't care if one user sees another user's folders.. Just want them to be able to batch upload..

-Question-
So with the above two access users where (i.e. line code areas) should I go to grant the 'registered' users and or assigned groups the access to the batch upload page viewed in the admin area.. As my only issue now is giving this feature to a specific group and not all users.

But if I put some thought to that I'll get that hashed as well.

Your thoughts.

Hoggwild  ::)

Joachim Müller

Giving users ftp-access to a folder that is beneath your webroot means they can upload any script and run it through their browsers. This way, they can gain access to your whole site. There are lots of scripts out there that will let script kiddies perform such an action. Anon ftp upload to the webspace is not a good idea imo - at least you should disable parsing of server-side scripts in this folder.
The hack you're requesting hasn't been done before - so I suggest you take a look at searchnew.php and db_input.php and look for the routine that checks if the gallery admin is logged in:

    if (!GALLERY_ADMIN_MODE) cpg_die(ERROR, $lang_errors['access_denied'], __FILE__, __LINE__);

You'll have to modify it to let your special user group have access as well (important: don't remove it completely, or anyone could do batch-add!).

Once again: this is not recommended at all - better use xp_publisher or take a look at the new version (cpg1.3.0) which is still beta (meaning: no support yet), but features upload of multiple files at once over http upload, and a granular rights management based on groups.

GauGau
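The advice above to "disable parsing of server-side scripts" in the ftp upload folder can be expressed as an Apache directory block. This is an added example, not configuration from the thread or from Coppermine; the directory path is a placeholder, and it assumes Apache 2.4 with mod_php (the php_flag line only exists when mod_php is loaded, so drop it under php-fpm and rely on the handler and deny rules).

```apache
# Added example: lock down the folder that the batch-upload ftp account
# writes into so that an uploaded script is never executed by the server.
# Path is a placeholder; adjust it to the real albums subfolder.
<Directory "/var/www/html/gallery/albums/batch_incoming">

    # Uploaded .htaccess files must not be able to re-enable anything below.
    AllowOverride None

    # mod_php only: switch the PHP engine off for this whole tree.
    php_flag engine off

    # Remove every handler/type that would run a server-side script here,
    # and forbid CGI and server-side includes outright.
    RemoveHandler .php .phtml .php3 .php4 .php5 .pl .cgi .py
    RemoveType    .php .phtml .php3 .php4 .php5
    Options -ExecCGI -Includes -Indexes

    # Under php-fpm the global FilesMatch/SetHandler still applies, so
    # explicitly reset the handler for PHP-looking names in this directory.
    <FilesMatch "\.(?i:php|phtml|php[0-9])$">
        SetHandler None
    </FilesMatch>

    # Default deny: only plain image files are served from this folder,
    # so even a renamed script is never handed to a client or interpreter.
    Require all denied
    <FilesMatch "\.(?i:jpe?g|gif|png)$">
        Require all granted
    </FilesMatch>

</Directory>
```

Check it with `apachectl configtest`, then request an uploaded `test.php` in the folder and confirm the server returns 403 rather than running it.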

hoggwild

GauGau

One of my developers has implemented the batch upload 'per' an assigned 'user group'.. i.e. the 'batch upload' is now shown on the menu bar
and is assigned by the admin to a group.. After a few cleanups I'll post.

--ftp--

Need clarification here. Please advise what type of script a user can run to take control of the entire website.

Isn't it the same as me simply giving you access to my site and giving you a folder under root.. If that's the case any user on the machine can do that.

Please detail more or send it to me offline as I'm not getting how/if this can occur.

Hoggwild

Joachim Müller

A malicious attack would be e.g. a php or perl script uploaded that lets the attacker browse through all source code on the server. As most applications have to store the mySQL username and password somewhere in a file (in coppermine's case in include/config.inc.php), the attacker could read this file's code and the password it contains. The attacker could then run a query to delete/destroy your mySQL database. Does this sound threatening enough to you :-X? One could think of several other methods of attack...

GauGau