4images



  • Today I discovered the cPanel -> Email Trace utility, and while browsing it for the first time, discovered that a bunch of spam email is being sent from my web hosting account. With the help of my hosting providers (Clook, very good, not the WTF), I narrowed the source down to a 4images gallery which my wife and I installed 5 years ago for our wedding photos *.

    Now, I'm willing to accept that I may have previously applied inappropriate security settings to the gallery, so I headed over to the installation to disable account registration and comment posting. It's worth noting that according to cPanel, this software is up to date, it's not some obsolete version.


    Password Reset

    I didn't know the password, so clicked the "Forgot password" link, entered my email address and submitted. Here's the content of the email I received:

    You requested a new password for "Anonymised Gallery".
    You can modify your password in the control panel.
    
    Your access codes are:
    User name: Keith
    Password: an0nym1s3d
    

    So, their response to my request for a new password is to send me the user name and password in plain text and to inform me that I can change it in the control panel. I consider this a sub-optimal solution, but as a WTF, it's pretty minor.

    After logging in and navigating to the Admin section, here's the control panel side bar that I'm greeted with:

    Fairly hard to read and ugly as sin, but not too much of a WTF.


    Disabling Comments

    Okay, how do I disable comments?

    Did you guess Comments -> Edit Comments?

    Nope. How about General -> Settings -> Comment Settings?

    Still wrong. The section you actually need is Categories -> Edit Categories -> (Choose A Category) -> Edit.

    On that page, you'll find a section labelled Permissions and a drop down list for Post Comments, where you can choose one of:

    • All
    • Registered Users
    • Private
    • Administrators

    I don't know what "Private" means, so I changed it to Administrators. Hopefully problem solved...


    Disabling User Registration

    Okay, now to disable user registration!

    I'm not going to make you guess where this particular setting is hidden, because you can't disable user registration from the control panel!

    The "solution" is to edit the HTML template to remove the registration link, and, if you feel like it, to delete the registration script itself.

    What. The freaking. Balls.

    I "fixed" it by changing the registration script permissions to 0000. I then deleted the 400+ user accounts that were the source of the spam. I'll be monitoring the email logs carefully for a while, because I'm sure I'll have missed some exploitable corner in that stygian morass of miscategorised control panel settings.

    * Paging @nagesh


    Filed under: Okay, I'm TRWTF for running crappy software, then forgetting it exists.
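    The reset email above hands back the stored password, which only works if the application keeps it in recoverable form. As an added example written for this thread (not 4images code), here is what a token-based reset looks like in PHP; the in-memory user record, the example password and the 15-minute expiry are constructed assumptions.

    ```php
    <?php
    // Added example, not 4images code: a reset flow that never emails a password.
    // An in-memory array stands in for the users table; the record is constructed.
    $users = [
        'Keith' => [
            'email'         => 'keith@example.invalid',
            // Only a slow hash is stored, so the app could not mail the password back.
            'pw_hash'       => password_hash('an0nym1s3d', PASSWORD_DEFAULT),
            'reset_hash'    => null,
            'reset_expires' => 0,
        ],
    ];

    // Step 1: user requests a reset. Generate a random token, store only its hash
    // with a short expiry, and put the raw token in the emailed link.
    function request_reset(array &$users, string $name): ?string
    {
        if (!isset($users[$name])) {
            return null; // caller should answer identically either way (no user enumeration)
        }
        $token = bin2hex(random_bytes(32));                // 256 bits of entropy
        $users[$name]['reset_hash']    = hash('sha256', $token);
        $users[$name]['reset_expires'] = time() + 15 * 60; // assumed 15-minute window
        return $token;                                     // mailed as a link, never a password
    }

    // Step 2: link is clicked. Constant-time compare, enforce expiry, burn the
    // token so it is single-use, then store the new password as a fresh hash.
    function complete_reset(array &$users, string $name, string $token, string $newPw): bool
    {
        $u = $users[$name] ?? null;
        if ($u === null || $u['reset_hash'] === null || time() > $u['reset_expires']) {
            return false;
        }
        if (!hash_equals($u['reset_hash'], hash('sha256', $token))) {
            return false;
        }
        $users[$name]['reset_hash']    = null;
        $users[$name]['reset_expires'] = 0;
        $users[$name]['pw_hash']       = password_hash($newPw, PASSWORD_DEFAULT);
        return true;
    }

    // Walk through the flow: a wrong token, the emailed token, then reuse of it.
    $token = request_reset($users, 'Keith');
    var_dump(complete_reset($users, 'Keith', 'not-the-token', 'x'));
    var_dump(complete_reset($users, 'Keith', $token, 'correct horse battery'));
    var_dump(complete_reset($users, 'Keith', $token, 'second attempt'));
    var_dump(password_verify('correct horse battery', $users['Keith']['pw_hash']));
    ```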



  • @Keith said:

    which my wife and I installed 5 years ago for our wedding photos *.

    So marriage is causing this problem. 😉 😜

    Edit: Also please post link and we can make fun of wedding pictures.



  • @Nagesh said:

    Edit: Also please post link and we can make fun of wedding pictures.

    I'm pretty sure I'm not going to do that.



  • @Keith said:

    I'm pretty sure I'm not going to do that.

    What are you afraid of? You'll get lot of comments. Is that not reason for posting pictures to website in first place?

    He believed that individuals possess a set of motivation systems unrelated to rewards or unconscious desires. Maslow (1943) stated that people are motivated to achieve certain needs. When one need is fulfilled a person seeks to fulfil the next one, and so on.

    Filed Under: Maslow said it first.



  • @Nagesh said:

    You'll get lot of comments. Is that not reason for posting pictures to website in first place?

    I do it for the ❤s.



  • Wow, I didn't know the software, but I looked it up and it looks like an incredible piece of shit...
    I noticed that you should really update though, as there's been a fix for an XSS 2 days ago: http://www.4homepages.de/forum/index.php?topic=31274.0

    Their method for filtering XSS looked ridiculous, so I looked it up, and I can definitely say that bypassing it would seem to be incredibly easy... But to be honest, judging by the quality of the code, I expect an XSS to be the least of your possible problems.

    Also, this:

    
    if (strstr(getenv("HTTP_USER_AGENT"), "MSIE")) { // Browser Detection
      $textinput_size = "50";
      $textinput_size2 = "30";
      $textarea_size = "50";
    }
    else {
      $textinput_size = "30";
      $textinput_size2 = "17";
      $textarea_size = "28";
    }
    


  • @SpoofedEx said:

    Wow, I didn't know the software, but I looked it up and it looks like an incredible piece of shit... I noticed that you should really update though, as there's been a fix for an XSS 2 days ago: http://www.4homepages.de/forum/index.php?topic=31274.0

    In light of your research, I've decided to password protect the directory and be done with it.



  • Software built on the cheap, by the lowest bidder?

