Gallery is a big security hole and open relay?


Started by Saubloed, October 20, 2003, 09:22:35 PM


Saubloed

Maybe it's one of the best galleries BUT:

- it's by default an open relay because anonymous users can send emails
- emails don't contain non-fakeable information like sender IP
- passwords are stored in the database as clear text
- doesn't work with safe_mode
- files in zip archives will never have the correct file permissions by default
- AFAIK old versions with security holes are still downloadable and it's only noted, hidden away, in the FAQ (!?!)
- FAQ is only readable with JavaScript and the gallery also contains some unnecessary JavaScript that doesn't work with all browsers

Come on - just look at the phpBB code: passwords are stored with md5sum hashes, it works with safe_mode, emails contain anti-abuse information, they release files also as tar.gz, they only use JavaScript for things that are not important.

The cracy programmers of this gallery should put the root passwort at every webpage - would be the same effekt. LOL

jasendorf

Here's an idea... if you don't like it, don't use it.

Quote: The cracy programmers of this gallery should put the root passwort at every webpage - would be the same effekt. LOL

Alrighty... here's my gallery, http://www.338tharmyband.com/photo_gallery/

Upload a photo to it.  Here's your chance to show us all how your "theory" will work.
Read the Online DOCs,FAQ, and SEARCH the board BEFORE posting questions for help.

Rodinou

Waouhhh your pic Signature is all my informations about me : congratulations :)

jasendorf

Big deal... it's a simple magic trick... Your browser gives this information freely and it is not a security issue.  Don't let his little trick impress you... You want to see an impressive trick, click here.
Read the Online DOCs,FAQ, and SEARCH the board BEFORE posting questions for help.

Joachim Müller

troll alert!
Although Saubloed (nomen est omen? for non-German-speaking users: "saubloed"="thick as a brick") is right on some of his issues I'll have to make some statements, only to solve some misunderstandings:

Quote: it's by default an open relay because anonymous users can send emails
we seem to have different definitions of the term "open relay"...

Quote: emails don't contain non-fakeable information like sender IP
I consider this as a feature request

Quote: passwords are stored in the database as clear text
you're right on this - we're working on it...

Quote: doesn't work with safe_mode
not true, safe mode works fine; even with servers where safe mode is not configured properly you can use silly_safe_mode-settings

Quote: files in zip archives will never have the correct file permissions by default
true, but usually Windows users (the majority of our users) will unzip it on their client using WinZip or similar, so the advantages of a tarball will be gone. We released our files in a hurry (the original site chezgreg.net had gone down, so we didn't pack up everything as a tarball).

Quote: AFAIK old versions with security holes are still downloadable and it's only noted, hidden away, in the FAQ (!?!)
afaik the known security holes that have been an issue with cpg1.0 have been fixed in the files that are available for download

Quote: FAQ is only readable with JavaScript and the gallery also contains some unnecessary JavaScript that doesn't work with all browsers
true, the FAQ needs a rework

Quote: ...they only use JavaScript for things that are not important
so does coppermine - the slideshow and the full-size pop-up aren't essential for coppermine to work

Quote: The cracy programmers of this gallery should put the root passwort at every webpage - would be the same effekt. LOL
your posting has been OK until this remark - I won't take the effort to check whether you provided a valid email address on registration - you surely didn't. :roll:

GauGau

John

@Saubloed: :) Thank you for pointing out what the dev team already knows.

EZ

I think that counter-attacking isn't the way. We should take whatever relevant criticism is in the post for our benefit, and just ignore the rest.

Indeed the original poster may be just a troll, but on the other hand he may have intended to report some issues that he considers as flaws, and he just doesn't have the manners to do it right.

One way or another, if he made any useful comment then great for us, and for all the rest who cares.

EZ.

John

@EZ: Agreed, I knew this before I posted, as they say "if not part of solution then part of problem" I will say no more.

Saubloed

Quote from: "gaugau"
Quote: it's by default an open relay because anonymous users can send emails
we seem to have different definitions of the term "open relay"...

It IS an open relay. Since jasendorf says you can use it - do it:
http://www.338tharmyband.com/photo_gallery/ecard.php?album=2&pid=457&pos=0

Should I send you 1 million emails or 10 or 10000?

Joachim Müller

you're right - I just started trackers on these issues...

GauGau

Saubloed

Quote from: "Rodinou"
Waouhhh your pic Signature is all my informations about me : congratulations :)

Look at this website:
http://www.danasoft.com/

Saubloed

Quote from: "gaugau"
Quote: The cracy programmers of this gallery should put the root passwort at every webpage - would be the same effekt. LOL
your posting has been OK until this remark - I won't take the effort to check whether you provided a valid email address on registration - you surely didn't. :roll:

Just imagine:
- there is a bug in a php script
- you can get the password of the admin-user of the gallery and you probably have the login password of FTP/SSH
- even if not - you have the (encrypted) MySQL password (and can crack it very fast if it is not long (<12 characters)) and you probably have the FTP/SSH login
- in the worst case there is a local root security hole (ptrace bug)

My problem is just that I am a little web hoster and I recognized that this script is a must-have for some of my customers but it brings me gigantic problems.

John

do you have or could you make some fixes for cpg ??

Joachim Müller

OK, so this all boils down to md5-encryption of the passwords in the database, right?

I started a tracker on this, let's see...

GauGau
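
The move from clear-text to hashed passwords discussed above can be done without a forced reset by upgrading each row at its next successful login. This is an added example, not code from the thread or from Coppermine; the row layout and the function name `login_and_upgrade` are hypothetical, and it uses PHP's `password_hash()` rather than the MD5 mentioned in the thread, because unsalted MD5 is fast to brute-force.

```php
<?php
// Added example; the user-row layout and function name are hypothetical.

/**
 * Verify a login against a row holding either a legacy clear-text
 * password or a password_hash() value, upgrading the row on success.
 * Returns true when the login is accepted; $row is updated in place.
 */
function login_and_upgrade(array &$row, string $attempt): bool
{
    $stored = $row['user_password'];
    $info = password_get_info($stored);

    // 'algo' is null (PHP 7.4+) or 0 (older) when the value is not a hash.
    if ($info['algo'] === null || $info['algo'] === 0) {
        // Legacy clear-text value: constant-time compare, then replace it.
        if (!hash_equals($stored, $attempt)) {
            return false;
        }
        $row['user_password'] = password_hash($attempt, PASSWORD_DEFAULT);
        return true;
    }
    if (!password_verify($attempt, $stored)) {
        return false;
    }
    // Re-hash when the default algorithm or cost has moved on.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $row['user_password'] = password_hash($attempt, PASSWORD_DEFAULT);
    }
    return true;
}

// Constructed sample row standing in for a database record.
$row = ['user_name' => 'alice', 'user_password' => 'correct horse'];
var_dump(login_and_upgrade($row, 'wrong guess'));     // rejected, row untouched
var_dump(login_and_upgrade($row, 'correct horse'));   // accepted, row upgraded
var_dump($row['user_password'] !== 'correct horse');  // clear text is gone
var_dump(login_and_upgrade($row, 'correct horse'));   // accepted via the hash
```

Accounts that never log in again keep their clear-text value, so a real migration also needs a cutoff after which remaining legacy rows are invalidated.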

Saubloed

Quote from: "gaugau"
OK, so this all boils down to md5-encryption of the passwords in the database, right?
I started a tracker on this, let's see...

Ok thank you.
I also think anonymous ecard sending should be disabled until it is limited or contains anti-abuse information. I will report this as a bug.
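
A sketch of the two mitigations proposed in this post, a per-IP send limit and anti-abuse information in the outgoing mail, as an added example that is not code from the thread or from Coppermine. The function names, the limit of five per hour and the in-memory log are assumptions; `X-Originating-IP` is a conventional, non-standard header.

```php
<?php
// Added example: function names, limits and the in-memory log are hypothetical.
const ECARD_MAX_PER_HOUR = 5; // assumed per-IP limit

// Sliding-window limiter; $log maps client IP => list of send timestamps.
function ecard_allow(array &$log, string $ip, int $now): bool
{
    $recent = array_values(array_filter(
        $log[$ip] ?? [],
        fn(int $t): bool => $t > $now - 3600
    ));
    $allowed = count($recent) < ECARD_MAX_PER_HOUR;
    if ($allowed) {
        $recent[] = $now;
    }
    $log[$ip] = $recent;
    return $allowed;
}

// Accept one syntactically valid address; CR/LF would let a form field add headers.
function ecard_clean_address(string $addr): ?string
{
    if (preg_match('/[\r\n]/', $addr)) {
        return null;
    }
    $ok = filter_var($addr, FILTER_VALIDATE_EMAIL);
    return $ok === false ? null : $ok;
}

// Headers carrying the anti-abuse information: the IP is taken from the
// connection (REMOTE_ADDR), never from a form field the sender controls.
function ecard_headers(string $replyTo, string $siteAddr, string $ip): array
{
    return [
        'From'             => $siteAddr,
        'Reply-To'         => $replyTo,
        'X-Originating-IP' => '[' . $ip . ']',
    ];
}

// Constructed demo: seven attempts from one documentation-range IP.
$log = [];
for ($i = 1; $i <= 7; $i++) {
    $ok = ecard_allow($log, '192.0.2.10', 1066680000 + $i);
    echo $i, ': ', $ok ? 'sent' : 'blocked', "\n";
}
var_dump(ecard_clean_address("a@example.org\r\nBcc: b@example.net"));
print_r(ecard_headers('friend@example.org', 'gallery@example.org', '192.0.2.10'));
```

In a real deployment the send log would live in the database or a shared cache so the limit survives across requests.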

jasendorf

BTW, Saubloed, I still am waiting for you to break in to my "insecure" Coppermine Photo Gallery...

Or, perhaps you need me to "put the root password on every webpage" for you to be successful?


Come on big boy... show us what you got.  Either that or STFU.
Read the Online DOCs,FAQ, and SEARCH the board BEFORE posting questions for help.

Joachim Müller


moorey

Quote from: "Saubloed"
The cracy programmers of this gallery should put the root passwort at every webpage - would be the same effekt. LOL

I'd like to see you write your own secure gallery and come up with a different "cracy effekt".

Tarique Sani

Except for the fact that by default e-cards can be sent by anonymous users everything else - Yes even the passwords stored in clear text in MySQL - are comments of a troll who used cheap Microsoftish tricks to impress the naive.

Just spreading FUD - nuff said, back to work everyone.

BTW I have fixed the e-card sending defaults in CVS
SANIsoft PHP applications for E Biz

jasendorf

BUWAHAHAHAHAHAHAHAHA

This moron just spammed my email box with 10 e-cards...  even though I specifically said:

Quote: Alrighty... here's my gallery, http://www.338tharmyband.com/photo_gallery/

Upload a photo to it. Here's your chance to show us all how your "theory" will work.

No one was denying the ability to send multiple e-cards as an anonymous user (never mind that I have your IP in my http log now...).  But, I'm fairly certain my challenge was pretty clear.  You failed.  Now, trolly, go away.
Read the Online DOCs,FAQ, and SEARCH the board BEFORE posting questions for help.