[Closed]: Userpics not accessible
 


Started by Ewald, September 16, 2009, 01:35:35 PM


Ewald

Hi,
I took over administration of a gallery which seems to be kind of messed up.
There are only 2 registered users (1 and 4); both are administrators.
Both have uploaded pics via HTTP not knowing how to use FTP :-(
The uploaded pictures are on the server under albums/userpics/10001 and 10004
also there are the thumbnails.
Some of the pictures are visible in albums they were added to.
Now I want to do some cleaning up, add not yet added pictures to albums and
so on.
Problem is, neither using user 1 nor user 4 (got both passwords) I can get access
to the pics. Using index.php?cat=10004 or index.php?cat=10001 both lead to the
"No files or no Access"-Page.
Checked all configuration entries and can't find a reason for this.
The files are also listed in the database pictures-table though according to the
ownername there user 1 changed his name at some point in time.

Anybody got an idea what to check next?

Ewald





Joachim Müller


Ewald

Quote from: Joachim Müller on September 16, 2009, 03:00:45 PM
http://forum.coppermine-gallery.net/index.php/topic,55415.msg270616.html#msg270616

Well I don't see how it might help to actually look at the gallery in this case but rules are rules so here you go:
http://gypsymc-gablingen.de/galerie

Oh and before I get the next default reply: I've already seen that the footer (powered by) isn't correctly visible.
This will be restored with the new theme I already completed.

Ewald

Additional Information:

I checked out the permissions on files and folders.
Folder userpics and its subfolders are set to 755 like all
other working folders are.
All files are set to 644.


Joe Carver

You need to upgrade before doing anything else.

<!--Coppermine Photo Gallery 1.4.9 (stable)-->

Is old and vulnerable.

onthepike

I would bet that this gallery was hacked. Checking the ID's of other member's albums reveals a user with the name "Mr.X" who holds multiple album accounts yet has no profile.

I-Imagine has supplied you with update information.

Ewald

Quote from: i-imagine on September 16, 2009, 04:31:25 PM
You need to upgrade before doing anything else.

<!--Coppermine Photo Gallery 1.4.9 (stable)-->

Is old and vulnerable.

I will upgrade but I want to pick up all open strings before doing so.
Don't want to end up with a mix of problems without knowing whether they
are from the update or old administrator failures.

Ewald

Quote from: onthepike on September 16, 2009, 04:33:08 PM
I would bet that this gallery was hacked. Checking the ID's of other member's albums reveals a user with the name "Mr.X" who holds multiple album accounts yet has no profile.

I-Imagine has supplied you with update information.

Where did you get this information from?

I checked the album table, there is no owner information included.
I checked the category table, all categories are set to owner_id 0 which, I suppose, is public?
I checked the picture table, all pictures belong to users 0 or 4. Only the owner name for pics from user 1
is different from the actual username of user 1, but I know the name was changed shortly before I took over.

So could you please point me to the source of your information?

Joachim Müller

Upgrading won't cure an already infected gallery. Do exactly as suggested in the Yikes thread on this very sub-board. Since you deliberately hid the footer and since you seem to be aware of our policy not to support people who do so there's nothing left to say. Marking thread as "closed".

Ewald

Quote from: Joachim Müller on September 16, 2009, 05:23:15 PM
Upgrading won't cure an already infected gallery. Do exactly as suggested in the Yikes thread on this very sub-board. Since you deliberately hid the footer and since you seem to be aware of our policy not to support people who do so there's nothing left to say. Marking thread as "closed".

1. I didn't deliberately hide the footer, this is the state of the theme I took over. I already stated this will be fixed in the new theme. I simply didn't want to mess around with the old one anymore.
2. Just because someone in a forum I don't know states the gallery is infected it doesn't have to be that way and if it really is there should be shown where and how this information was found.
If there's a way to gain information about the gallery that's not in the documentation that's not what I would call a secure application. If it's a way that's standard on the net I'd say it's in
'public' interest to know about it.
3. 'Til now I did all to give all information needed and answer all questions needed to resolve this quest. A simple memo to fix the footer would've been enough. Your way to handle requests in this forum is far beyond impolite even for an open source project. If there were someone to report you to for your behavior I would do so.

Nothing left to say on my side now.


Joe Carver

@ onthepike,

Quote from: onthepike on September 16, 2009, 04:33:08 PM
I would bet that this gallery was hacked. Checking the ID's of other member's albums reveals a user with the name "Mr.X" who holds multiple album accounts yet has no profile.

Please, could you elaborate a bit?

[EDIT] It looks to be a function within functions.inc.php
        { //Categories other than 0 need to be selected
                if ($cat >= FIRST_USER_CAT)
                {
                    $user_name = get_username($cat - FIRST_USER_CAT);
                    if (!$user_name) $user_name = 'Mr. X';


How is that a sign of a hacked gallery? [/EDIT]
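
The fallback in the fragment quoted above can be reproduced outside the gallery to see which user galleries would be labelled "Mr. X". This is an added example, not Coppermine code and not part of the original post; `FIRST_USER_CAT = 10000` is an assumption inferred from the thread's `userpics/10001` and `10004` for users 1 and 4, and `lookup_username()`, `classify_user_gallery()` and the sample data are hypothetical.

```php
<?php
// Added example, not Coppermine code. FIRST_USER_CAT = 10000 is an assumption
// inferred from the thread (users 1 and 4 <-> albums/userpics/10001 and 10004).
const FIRST_USER_CAT = 10000;

// Constructed stand-in for the users table: user_id => user_name.
$users = [1 => 'renamed_admin', 4 => 'second_admin'];

// Constructed directory names as they might appear under albums/userpics/.
$dirs = ['10001', '10004', '10007', '9999', 'backup'];

// Hypothetical stand-in for the lookup the quoted fragment calls.
function lookup_username(array $users, int $user_id): string
{
    return $users[$user_id] ?? '';
}

// Map one userpics directory to its owner, mirroring the quoted fallback.
function classify_user_gallery(array $users, string $dir): array
{
    if (!ctype_digit($dir) || (int) $dir < FIRST_USER_CAT) {
        return ['name' => null, 'status' => 'not a user category'];
    }
    $user_id = (int) $dir - FIRST_USER_CAT;
    $name = lookup_username($users, $user_id);
    if ($name === '') {
        // Same outcome as the quoted code: a placeholder, not an account.
        return ['name' => 'Mr. X', 'status' => "no user row for id $user_id"];
    }
    return ['name' => $name, 'status' => "owned by user id $user_id"];
}

foreach ($dirs as $dir) {
    $r = classify_user_gallery($users, $dir);
    printf("%-8s %-14s %s\n", $dir, $r['name'] ?? '-', $r['status']);
}
```

A "Mr. X" row means the owning account is missing from the users table and is worth reconciling; on its own it says nothing about how the account went missing.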

onthepike

Yes, I can. With an open apology as I had posted misinformation at the expense of a most-likely non-infected gallery and innocent owner. In my over-zealousness to try and help, I posted information that at the time I believed to be true, however after researching my response via my own gallery and then the demo here on this site, I fast realized that "Mr X" is a part of CPG and not any indication of infection.

In short, an explanation as to why I had but two posts over the course of 6 months, then countless thereafter is due to my current personal situation that has me between surgeries and on heavy medication. It wasn't until I awoke one morning and found myself with "Tester" status and thought I ought to "do more". The problem is, I simply don't know enough to provide many of the responses I have, and so I apologize for them as well.

I think now is a good time for me to take a break from this board (and another which I have been just as overzealous in) and learn a little more about the software I attempt to "support".

Again, my sincerest apologies to all.

73's

Joachim Müller

Quote from: Ewald on September 16, 2009, 05:41:11 PM
1. I didn't deliberately hide the footer, this is the state of the theme I took over
That's an excuse. Someone hid the footer in that theme. It doesn't matter if that was you or someone else you got the theme from. It's part of the license that comes with coppermine (read up the documentation that comes with your package if you don't trust me) that says you mustn't edit it out.

Quote from: Ewald on September 16, 2009, 05:41:11 PM
I already stated this will be fixed in the new theme.
That is simply not acceptable. No visible, license compliant footer means no support. It's our choice who we support, not yours.

Quote from: Ewald on September 16, 2009, 05:41:11 PM
If there's a way to gain information about the gallery that's not in the documentation that's not what I would call a secure application. If it's a way that's standard on the net I'd say it's in
'public' interest to know about it.
The documentation contains information about the package releases and the reasons for the releases. Of course an old copy of the documentation can't contain information that didn't exist then. You should have checked here frequently. You could have subscribed to the notifications for new releases. That's what others do. You can't expect that every piece of information about an open source app is in the docs. Quite frankly: your attitude sucks! If you're not happy about the security impact, then stop using coppermine.

Quote from: Ewald on September 16, 2009, 05:41:11 PM
If there were someone to report you to for your behavior I would do so.
Sounds like you have a nice "Blockwart"-notion. Lovely.

Quote from: Ewald on September 16, 2009, 05:41:11 PM
Nothing left to say on my side now.
That's fine. Locking thread then.

Quote from: onthepike on September 16, 2009, 07:25:09 PM
Yes, I can. With an open apology as I had posted misinformation at the expense of a most-likely non-infected gallery and innocent owner.
No need to apologize - you did your best, and it's quite likely that such an ancient version actually was hacked, even if you have interpreted something wrong.

Quote from: onthepike on September 16, 2009, 07:25:09 PM
I think now is a good time for me to take a break from this board (and another which I have been just as overzealous in) and learn a little more about the software I attempt to "support".
Please don't quit. We're very fond of the support you provide.

phill104

Quote from: onthepike on September 16, 2009, 07:25:09 PM
I think now is a good time for me to take a break from this board (and another which I have been just as overzealous in) and learn a little more about the software I attempt to "support".


I fully agree with Joachim. You have given some excellent advice and should keep it up. We all learn by our mistakes, especially me so I keep making them for that very reason ;).
It is a mistake to think you can solve any major problems just with potatoes.