Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke
Author Message
manunkind
Client


Joined: Apr 26, 2004
Posts: 368
Location: Albuquerque, NM

PostPosted: Mon Apr 11, 2005 11:32 am Reply with quote

Hello everybody,

Just in case this was something new in the works, I figured I would pass the word and make it known. I was browsing through my folders the other day and I came across 2 files in my images/topics folder named:

Edu.exe
Edu.html

I couldn't remember if this was something I could have uploaded wrong or not. I downloaded the exe file to my desktop and it was flagged right away as a virus. I deleted both of the above files from the directory and checked all the other folders to see if it was in any others. It was not.

Today when I got home and looked at my "HTTP Referers", sure enough there was a hit for the following URL:
Only registered users can see links on this board! Get registered or login!

This may be another type of exploit that's in the works. I have no idea, but wanted to pass the word.

What would allow somebody to write files to those directories? Is this a code exploit?
 
View user's profile Send private message Visit poster's website
Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 17086

PostPosted: Mon Apr 11, 2005 12:37 pm Reply with quote

Coppermine, My_eGallery - any third party application that is known for upolad exploits.
 
View user's profile Send private message
manunkind
PostPosted: Mon Apr 11, 2005 2:23 pm Reply with quote

Thanks. Coppermine has been turned off for a while now. Only me, the Admin, can upload pictures.

The only other thing I know is the Forums Avatar Upload feature. That's the only one I can think of that still allows uploads.
 
CurtisH
Life Cycles Becoming CPU Cycles


Joined: Mar 15, 2004
Posts: 638
Location: West Branch, MI

PostPosted: Mon Apr 11, 2005 2:45 pm Reply with quote

If I am not mistaken, it doesn't matter if you only allow admins to upload or not, coppermine is still exploitable regardless. My understanding was the only way to prevent the exploit was to remove the module.

_________________
Those who dream by day are cognizant of many things which escape those who dream only by night. ~Poe 
View user's profile Send private message Visit poster's website Yahoo Messenger
manunkind
PostPosted: Mon Apr 11, 2005 3:04 pm Reply with quote

Well if you are right, then that is something I did not know. I figured I would be safe if I just didn't allow anybody but me to upload.

Thanks for the info. How can we find out for sure?
 
CurtisH
PostPosted: Mon Apr 11, 2005 3:06 pm Reply with quote

Let's ask Raven. Raven? Am I correct?
 
jaded
Theme Guru


Joined: Nov 01, 2003
Posts: 1006

PostPosted: Mon Apr 11, 2005 3:06 pm Reply with quote

yes, once it is in your system it can be exploited even if you turn it off completely. You MUST remove all the parts of coppermine including the admin directories. If you use this program or my egallery you are just waiting to be hacked. We have all learned this through experience. Find a more secure gallery like
gallery.menalto.com

Good Luck!

_________________
Themes BB Skins Only registered users can see links on this board! Get registered or login!
Graphic Tees Only registered users can see links on this board! Get registered or login!
Paranormal Tees Only registered users can see links on this board! Get registered or login!
Ghost Stories & More Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website
manunkind
PostPosted: Mon Apr 11, 2005 3:09 pm Reply with quote

I learned alot today. Thank you all very much! Smile
 
Raven
PostPosted: Mon Apr 11, 2005 3:42 pm Reply with quote

Get menalto and save yourself some grief.
 
jaded
PostPosted: Mon Apr 11, 2005 3:45 pm Reply with quote

indeed! Wave
 
manunkind
PostPosted: Mon Apr 11, 2005 3:50 pm Reply with quote

Will check into it. Thanks again. Smile
 
CurtisH
PostPosted: Mon Apr 11, 2005 6:21 pm Reply with quote

Another good option, at least for me was the ported phpbb album mod from smartor. I like it really well
 
manunkind
PostPosted: Wed Apr 13, 2005 2:50 pm Reply with quote

Confused about menalto....is there already a version for Nuke? I just want it as a Module, not a stand-alone program. Which one do I download?
 
jaded
PostPosted: Wed Apr 13, 2005 3:03 pm Reply with quote

I use mine as a standalone but it is fully linked into my site as a module. I believe that they have one that is for nuke but I have not tried it myself.
 
sixonetonoffun
Spouse Contemplates Divorce


Joined: Jan 02, 2003
Posts: 2496

PostPosted: Wed Apr 13, 2005 7:10 pm Reply with quote

The 1.4 and 1.5 tree's work as a module. I haven't tried or seen install instructions for G2 yet but believe its on the way soon at nukedgallery.net

_________________
[b][size=5]openSUSE 11.4-x86 | Linux 2.6.37.1-1.2desktop i686 | KDE: 4.6.41>=4.7 | XFCE 4.8 | AMD Athlon(tm) XP 3000+ | MSI K7N2 Delta-L | 3GB Black Diamond DDR
| GeForce 6200@433Mhz 512MB | Xorg 1.9.3 | NVIDIA 270.30[/size:2b8 
View user's profile Send private message
dean
Worker
Worker


Joined: Apr 14, 2004
Posts: 193

PostPosted: Fri Apr 15, 2005 3:37 pm Reply with quote

It can work either way depending on the installation you choose during the install process. I worked with coppergallery until nuke support vanished and I wish I had gone to menalto sooner. I actually use the gallery as standalone and integrated as a module in my nuke at one of my sites.
 
View user's profile Send private message
CurtisH
PostPosted: Fri Apr 15, 2005 3:42 pm Reply with quote

Do members still have to register with the Menalto module to create albums or have they made it like coppermine, allowing existing members to create albums without having to register with nuke and the gallery?
 
montego
Site Admin


Joined: Aug 29, 2004
Posts: 9453
Location: Arizona

PostPosted: Fri Apr 15, 2005 5:54 pm Reply with quote

As far as I know in the 1.x series you have to still add users to albums separately. Although, I can see my nuke users in the list for adding permissions. I thought that I had read somewhere that better user integration was coming in 2.x, but that was long back that I read that.

_________________
Only registered users can see links on this board! Get registered or login!
Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website
CurtisH
PostPosted: Fri Apr 15, 2005 8:15 pm Reply with quote

Will be interesting to see. Too many users stumble on stuff that is even slightly complicated... integration is needed for it to work well for my site.

Right now I am using the smartor album (forum mod) and it seems to work really well. Mind you it isn't as feature rich as coppermine was, but it does seem to get the job done, plus as an added bonus you have the ability to add the album right to the user's forum profile. Pretty sweet. *LOL*

I'll be watching the Gallery to see how it develops.
 
montego
PostPosted: Sat Apr 16, 2005 8:26 am Reply with quote

My needs are much simpler than others I guess. I love Gallery. Been a great tool. I only have a handful of admins and everyone who is logged in to Nuke is allowed to see the albums. So, for me, Menalto's Gallery, even without the use of nuke's groups or phpBB groups within Nuke, is a full-featured, excellent tool

montego
 
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©