| Author |
Message |
morpheus_75
Involved
Joined: Oct 07, 2003
Posts: 302
|
 Posted:
Sun May 30, 2004 10:19 am |
|
I heard several hack attempts happen because of security bugs in Gallery Modules/Blocks. I also read somewhere that My_eGallery may be an easy way for Hackers to hack sites.
Is this true? Is there any trick to protect my site?
Thank u  |
| |
|
|
|
stephen2417
Worker
Joined: Jan 18, 2004
Posts: 244
Location: Bristolville, OH
|
| Posted:
Sun May 30, 2004 10:23 am |
|
I know my site got hacked over bc of coppermine. I patched it but didnt patch the other theme i was using 
Its all sorted out now tho.
I dno about My_eGallery, could it be the same thing as coppermine? |
| |
|
|
|
morpheus_75
|
| Posted:
Mon May 31, 2004 10:24 am |
|
As I said, I heard My_eGallery may be an easy backdoor to hack one's site. But how this happens and what shoud be done to prevent the hacking is quite unknown to me 
Raven, Chat, what do u think about it? |
| |
|
|
|
|
sixonetonoffun
Spouse Contemplates Divorce
Joined: Jan 02, 2003
Posts: 2496
|
| Posted:
Mon May 31, 2004 10:50 am |
|
I think if you look at the site where the PostNuke version is maintained you will find most of the patches are easily backwards compatable as of now. But there is also a plea for someone to come forward and maintain the phpnuke version or at least the patches for it.
http://lottasophie.sourceforge.net
But I see this has been moved to
http://noc.postnuke.com/projects/myegallery/
In fact I had someone attempt the exploit posted here:
http://packetstormsecurity.nl/0311-exploits/myegallery.txt
Not long ago but it failed for various reasons (They didn't have a clue) but added a patch for it. The last one I know of to take on MeG was AI and I am sure he has since abandoned the effort to devote his time to Open Site Manager.
The last patch applied to the public/displayCategory.php
was just to add this to the beginning of the file to prevent http being used in the path. I'd guess there is more issues to be resolved in the old 2.79 MeG phpnuke version. And I must also say I don't think this is effective protection. But I've not tested this so take it at face value.
$bug = strpos($basepath,"http");
$bug2 = strpos($adminpath,"http");
if ($bug === false AND $bug2 === false) {
include ("$basepath/public/imageFunctions.php");
include ("$adminpath/fileFunctions.php"); |
| |
|
|
|
|
morpheus_75
|
| Posted:
Mon May 31, 2004 11:41 am |
|
Hi, Six, thank you very much for your kind reply!
| sixonetonoffun wrote: | The last patch applied to the public/displayCategory.php
was just to add this to the beginning of the file to prevent http being used in the path. I'd guess there is more issues to be resolved in the old 2.79 MeG phpnuke version. And I must also say I don't think this is effective protection. But I've not tested this so take it at face value.
$bug = strpos($basepath,"http");
$bug2 = strpos($adminpath,"http");
if ($bug === false AND $bug2 === false) {
include ("$basepath/public/imageFunctions.php");
include ("$adminpath/fileFunctions.php"); |
I have old 2.79 and I do not think to update it. Next step (in a couple of month) will actually be installing the latest Nuke version (Raven's of course!) with coppermine. In the meantime I would like to run no risk at all! Do u think your patch will do? |
| |
|
|
|
|
sixonetonoffun
|
| Posted:
Mon May 31, 2004 1:17 pm |
|
Its not mine but it seems to work for the specific exploit its designed to catch. I'm glad you started the topic it would be nice to know if there is someone maintaining patches for 2.79 out there. |
| |
|
|
|
|
chatserv
Member Emeritus
Joined: May 02, 2003
Posts: 1389
Location: Puerto Rico
|
| Posted:
Mon May 31, 2004 1:45 pm |
|
Even if someone does decide to attempt a full patch of MeG it just might be too late for it, many hosts do not allow its use on shared servers or any hosted site because any site can be hacked even if it is not using it, all it takes is for one person to have it on their web space for all other sites sharing the server to become vulnerable. It's going to take some well documented proof that all bugs have been patched before any of said servers reverse their decision to block the gallery. |
| |
|
|
|
|
soc
Hangin' Around
Joined: Apr 14, 2004
Posts: 26
|
| Posted:
Tue Jun 01, 2004 3:21 pm |
|
I found somewhere this code as a fix for public/displayCategory.php
first lines
Code:
if( isset($_GET['basepath']) || isset($_GET['adminpath']) || isset($_POST['adminpath']) || $_POST['basepath']))
{
$basepath=""; $adminpath="";
Header("Location: index.php");
die();
}
if ( !stristr($_SERVER['PHP_SELF'],"modules.php") || stristr($basepath,"http") || stristr($adminpath,"http") )
{
$basepath=""; $adminpath="";
Header("Location: index.php");
die();
}
include ("$basepath/public/imageFunctions.php");
include ("$adminpath/fileFunctions.php");
|
Someone who knows if this is a solution? cs or anyone else? |
| |
|
|
|
|
morpheus_75
|
| Posted:
Wed Jun 02, 2004 3:27 am |
|
| chatserv wrote: | | Even if someone does decide to attempt a full patch of MeG it just might be too late for it, many hosts do not allow its use on shared servers or any hosted site because any site can be hacked even if it is not using it, all it takes is for one person to have it on their web space for all other sites sharing the server to become vulnerable. It's going to take some well documented proof that all bugs have been patched before any of said servers reverse their decision to block the gallery. |
It seems my host won't prevent me from using My_eGallery. At least this is whay I was told.
By the way, Chat or Six... do you think soc's solution may be a good one? I know every site can be hacked if a hacker decides to do it. So by "good solution" I mean a stopgap measure... a palliative... |
| |
|
|
|
|
chatserv
|
| Posted:
Wed Jun 02, 2004 8:59 am |
|
The problem here is that $basepath is not the only vulnerable area of MeG, i recall having suggested several code changes for patching other vulnerabilities but when i saw that new ones kept being exposed constantly i just gave up on it mainly because many hosts had banned it from being used. |
| |
|
|
|
|
morpheus_75
|
| Posted:
Wed Jun 02, 2004 2:20 pm |
|
I found a few bugs on My-eGallery:
1) The Gallery home page does not display the number of images for each category. You only get a 0, i.e.: Animatrix (0).
2) When you click on a thumb, the image displays properly, but u cannot see the page numbers between the two arrows (left and right).
3) The 2 arrows mentioned above lead to wrong images.
http://www.whatisthematrix.it/modules.php?name=My_eGallery
4) When trying to edit the templates, I get the following error:
The html tags you attempted to use are not allowed
anyone may help?
P.S.: I'd like the thumbs to be displayed in 2 columns... how can I do? In the configuration menu you can only set the number of thumbs columns in the gallery main page... |
| |
|
|
|
|
morpheus_75
|
| Posted:
Wed Jun 02, 2004 3:41 pm |
|
| morpheus_75 wrote: | | 1) The Gallery home page does not display the number of images for each category. You only get a 0, i.e.: Animatrix (0). |
 The galleries were set ti be displayed only by admins. That is why there was that 0.
| morpheus_75 wrote: | | 2) When you click on a thumb, the image displays properly, but u cannot see the page numbers between the two arrows (left and right). |
I dunno if this is a real bug. The arrows are there, but not the page number...
| morpheus_75 wrote: | | 3) The 2 arrows mentioned above lead to wrong images. |
Now it works.
| morpheus_75 wrote: | 4) When trying to edit the templates, I get the following error:
The html tags you attempted to use are not allowed |
That is a mistery... |
| |
|
|
|
|
morpheus_75
|
| Posted:
Thu Jun 03, 2004 6:09 am |
|
Anyone has got any idea on what I said in the previous post? And what about security? What are the recommended patches to use (even though they do not solve the whole problem)? |
| |
|
|
|
|
|
|
![[Valid RSS]](https://www.ravenphpscripts.com/images/valid-rss.png "Validate my RSS feed"){kind=small}
