Upload Security Issue 1.4.16 and Prior

Started by Nookster, April 11, 2008, 09:39:03 AM

Nookster

My website got hacked today; I chased it down to a small PHP script that was named with a .jpg extension and uploaded. Even though Coppermine won't let you place the file, it still ends up in the album directory. The path of the album directory can be easily determined by viewing previously uploaded photographs. This let the attacker execute the PHP script, which then appended an iframe onto over 1200 of my web pages that served up a virus to unsuspecting web surfers.

I was running 1.4.12, but I tried the exploit after upgrading to 1.4.16 and it still worked. Uploads need to go into a directory different from the final viewable directory and not accessible from the web until verified as a valid image file.
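One way to implement the quarantine-then-verify flow proposed above, as an added PHP example that is not Coppermine's own code; the `$quarantineDir` (a path outside the document root) and `$albumDir` arguments are assumptions for this illustration:

```php
<?php
// Added example, not Coppermine code. Accepts a $_FILES entry, parks it in a
// directory the web server never serves, checks that the bytes are an image,
// re-encodes it, and only then writes it into the web-visible album directory.
// $quarantineDir and $albumDir are assumed paths supplied by the caller.
function acceptImageUpload(array $upload, string $quarantineDir, string $albumDir): ?string
{
    if ($upload['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($upload['tmp_name'])) {
        return null;
    }
    // Step 1: move the file out of the web root immediately. Nothing here is
    // reachable by URL, so a script disguised as .jpg cannot be requested.
    $quarantined = $quarantineDir . '/' . bin2hex(random_bytes(16));
    if (!move_uploaded_file($upload['tmp_name'], $quarantined)) {
        return null;
    }
    // Step 2: determine the type from the file contents, never from the
    // client-supplied filename or extension.
    $allowed = [IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png', IMAGETYPE_GIF => 'gif'];
    $info = @getimagesize($quarantined);
    if ($info === false || !isset($allowed[$info[2]])) {
        unlink($quarantined);
        return null;
    }
    // Step 3: decode and re-encode through GD. Only pixel data survives, so
    // a file that is both a valid image and a PHP script loses the script part.
    $img = @imagecreatefromstring(file_get_contents($quarantined));
    unlink($quarantined);
    if ($img === false) {
        return null;
    }
    // Step 4: the server chooses both the name and the extension of the
    // published file, so the original filename never reaches the album directory.
    $final = $albumDir . '/' . bin2hex(random_bytes(16)) . '.' . $allowed[$info[2]];
    switch ($info[2]) {
        case IMAGETYPE_JPEG: $ok = imagejpeg($img, $final, 90); break;
        case IMAGETYPE_PNG:  $ok = imagepng($img, $final);      break;
        default:             $ok = imagegif($img, $final);      break;
    }
    imagedestroy($img);
    return $ok ? $final : null;
}
```

The function returns the path of the published image, or null when the upload is rejected; anything rejected is deleted from the quarantine directory rather than left on disk.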

Abbas Ali

How can a file with .jpg extension be executed as a PHP script? This can only be done if the server is not configured properly. Not a cpg issue imho.

Perhaps a link to the affected site might help. If you don't want to disclose the link in public then you can PM it to me.
Chief Geek at Ranium Systems

marian

Quote from: Abbas Ali on April 11, 2008, 10:01:42 AM
How can a file with .jpg extension be executed as a PHP script? This can only be done if the server is not configured properly. Not a cpg issue imho.

Perhaps a link to the affected site might help. If you don't want to disclose the link in public then you can PM it to me.
Abbas, I'm pretty sure this is related to the cdpuvbhfzz.com problem. I've taken the liberty of starting a thread in the hope that Nookster and others might be able to help each other, without bothering you people. http://forum.coppermine-gallery.net/index.php/topic,51791.0.html
Ciao
Marian

Abbas Ali

@Marian: It might be.

@Nookster: Can you zip that jpg file and attach it here?
Chief Geek at Ranium Systems

Joachim Müller