Dragonfly CMS v9 ⇒ Security v9 :: Archives ⇒ Help ! - Security Concern on Coppermine... :: Archived ⇒ Community Forums ⇒ CPG Dragonfly™ CMS


Hey, my hosting company has recently disabled the Coppermine portion of my site, as it claims the version of Coppermine has a known security hole...

Can anyone comment, and can I upgrade to get rid of this problem?

Thanks.

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Unix / Apache 1.3.34 / MySQL 4.0.25 / PHP 4.4.2 / Dragonfly 9.0.6.1


If you are running DragonflyCMS 9.0.6.1 there is no such security hole.

Your host is probably referring to the standalone version which bears no relation to this CMS, and which quite likely does have a security issue.

Since you don't provide your version in your server spec, nor a Dragonfly site in your www link, I can only presume you're not running the Dragonfly version.

Sorry, no support available here.



Thanks. I am using 9.0.6.1 (will update my details)

The automated response from my hosting company was:

"A recent server security scan revealed that your site has a vulnerable Coppermine Photo Gallery file at /public_html/modules/coppermine/usermgr.php . According to this automated scan, this file is revision/version 9.7 which is known to have security vulnerabilities.

To help ensure the security of the server we are asking you to update your Coppermine install to the latest version. The latest known version of Coppermine is version 1.4.8 .

** To protect against this file being abused, the file at /public_html/modules/coppermine/usermgr.php has been disabled. **"

If the usermgr.php file is disabled, does that affect my usage?

Thanks...



DragonflyCMS Coppermine is not in any way related to the standalone version 1.4.8. Our independently developed version remains at 1.3.1 with superior security provided by its integration into the DragonflyCMS security system.

The latest version of our usermgr.php is 9.13 - the version 9.7 in DF 9.0.6.1 does not have the vulnerabilities of STANDALONE version 9.7 - since 9.13 is a CVS version, I would be wary of changing it.

Version 9.8 update was "Removed the THEME_USES_TPL feature to completely remove the old php-nuke theme system for a full template based future". If it's going to make your host happy, try updating to 9.8 - it shouldn't have any ill effects.

The only security fixes you need to update are outlined in the sticky topics of our Security forum - you should update db_input.php (as well as the 3 other files listed there).

Though done in your best interests, your host is mistakenly targeting a version of Coppermine that has been different for almost 3 years - a quick file compare will reveal they are like chalk and cheese.



By the way, you updated your specs in your signature but still have not provided us a link to your df CMS Website.

Where is your DF Site?

Please enter your server specs in your user profile! 😢


Thanks for the info... How do I do the upgrade to usermgr.php 9.8?



Ignored my request to provide link to DF site. Placed here until compliance is met.



Oops, sorry. Didn't realise I'd been relegated to the 'sin bin' and didn't realise that not having a link to my site was against the rules?

Still, I guess you are making sure that my queries are legitimate... I've been tinkering with this CMS since April (don't have much time, as I have a newborn baby!)

It's still very much in the early 'construction stages', and I've only enabled limited functionality while I get to grips with the CMS and what is needed from this site.

FYI, the site is just for my snowboard mates to post pics, share info and generally exchange banter on the forums, rather than using work email! :O)

It's at www.dodgytours.co.uk



paddington wrote:
How do I do the upgrade to usermgr.php 9.8?

Edit your version with a UTF-8-compliant editor and just overwrite the file's contents with the content from version 9.8, then upload to your server, or click the download link for 9.8 on this page:
dragonflycms.org/cvs/h...sermgr.php

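Added example, not part of the thread and not DragonflyCMS or Coppermine code: a small Python audit that does what the two replies above describe by hand. It reads the CVS `$Id` revision out of each module file (the host's scanner keyed on "revision 9.7" from exactly this kind of header), checks it against the revision you expect after the update, and hashes and diffs the file against a reference copy, so you can show that a flagged file is or is not the same code as the standalone release. The `$Id` header layout, the file contents and the minimum revisions in `MINIMUMS` are constructed placeholders, not values taken from the page.

```python
"""Audit module file revisions from CVS $Id headers and compare them
against reference copies.  Added example; not DragonflyCMS/Coppermine code."""
import difflib
import hashlib
import re

# Assumed shape of an expanded CVS keyword in a PHP file header:
#   $Id: usermgr.php,v 9.7 2006/01/13 00:00:00 author Exp $
CVS_ID_RE = re.compile(r"\$Id:\s*(?P<name>[^\s,]+),v\s+(?P<rev>\d+(?:\.\d+)+)\b")


def parse_revision(source):
    """Return the CVS revision string (e.g. '9.7') from a file's $Id line, or None."""
    m = CVS_ID_RE.search(source)
    return m.group("rev") if m else None


def rev_key(rev):
    """Tuple of ints so that 9.13 sorts after 9.7 (a string compare gets it wrong)."""
    return tuple(int(part) for part in rev.split("."))


def sha256_hex(source):
    return hashlib.sha256(source.encode("utf-8")).hexdigest()


def similarity(a, b):
    """Line-based similarity in [0, 1]: 1.0 is identical, near 0 is 'chalk and cheese'."""
    return difflib.SequenceMatcher(None, a.splitlines(), b.splitlines()).ratio()


def audit(installed, minimums, reference):
    """installed / reference: {filename: source text}; minimums: {filename: revision}.
    Returns {filename: {"revision", "outdated", "matches_reference", "similarity"}}.
    A field stays None when the input needed to decide it is missing."""
    report = {}
    for name, src in installed.items():
        rev = parse_revision(src)
        wanted = minimums.get(name)
        finding = {"revision": rev, "outdated": None,
                   "matches_reference": None, "similarity": None}
        if rev is not None and wanted is not None:
            finding["outdated"] = rev_key(rev) < rev_key(wanted)
        ref = reference.get(name)
        if ref is not None:
            finding["matches_reference"] = sha256_hex(src) == sha256_hex(ref)
            finding["similarity"] = similarity(src, ref)
        report[name] = finding
    return report


# Constructed sample sources (placeholders, not real module files).
INSTALLED = {
    "usermgr.php": (
        "<?php\n"
        "// $Id: usermgr.php,v 9.7 2006/01/13 00:00:00 author Exp $\n"
        "function cpg_usermgr() {\n"
        "    return 'old';\n"
        "}\n"
    ),
    "index.php": (
        "<?php\n"
        "// $Id: index.php,v 9.20 2006/03/01 00:00:00 author Exp $\n"
        "echo 'gallery';\n"
    ),
    "local_config.php": "<?php\n$foo = 1;\n",  # no $Id header at all
}
# Reference copies you would fetch yourself, e.g. the 9.8 usermgr.php from CVS.
REFERENCE = {
    "usermgr.php": (
        "<?php\n"
        "// $Id: usermgr.php,v 9.8 2006/02/01 00:00:00 author Exp $\n"
        "function cpg_usermgr() {\n"
        "    return 'new';\n"
        "}\n"
    ),
    "index.php": INSTALLED["index.php"],
}
# Hypothetical minimum revisions; fill these in from the project's own advisories.
MINIMUMS = {"usermgr.php": "9.8", "index.php": "9.13"}


if __name__ == "__main__":
    for name, finding in audit(INSTALLED, MINIMUMS, REFERENCE).items():
        print(name, finding)
```

Two things the output makes visible that the scanner's one-line verdict does not: a file with no `$Id` line (here `local_config.php`) cannot be judged by revision at all and needs the hash or diff check instead, and a scanner that keys only on the revision number cannot tell a forked code base from the standalone one, which is why the hash and similarity figures against a known-good reference copy are the evidence worth sending back to the host.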


Thanks. Uploaded that. Clearly the hosting co. has it still disabled. I've mailed their support to get it lifted....

