4images



  • Today I discovered the cPanel -> Email Trace utility, and while browsing it for the first time, discovered that a bunch of spam email is being sent from my web hosting account. With the help of my hosting providers (Clook, very good, not the WTF), I narrowed the source down to a 4images gallery which my wife and I installed 5 years ago for our wedding photos *.

    Now, I'm willing to accept that I may have previously applied inappropriate security settings to the gallery, so I headed over to the installation to disable account registration and comment posting. It's worth noting that according to cPanel, this software is up to date, it's not some obsolete version.


    Password Reset

    I didn't know the password, so clicked the "Forgot password" link, entered my email address and submitted. Here's the content of the email I received:

    You requested a new password for "Anonymised Gallery".
    You can modify your password in the control panel.
    
    Your access codes are:
    User name: Keith
    Password: an0nym1s3d
    

    So, their response to my request for a new password is to send me the user name and password in plain text and to inform me that I can change it in the control panel. I consider this a sub-optimal solution, but as a WTF, it's pretty minor.

    After logging in and navigating to the Admin section, here's the control panel side bar that I'm greeted with:

    Fairly hard to read and ugly as sin, but not too much of a WTF.


    Disabling Comments

    Okay, how do I disable comments?

    Did you guess Comments -> Edit Comments?

    Nope. How about General -> Settings -> Comment Settings?

    Still wrong. The section you actually need is Categories -> Edit Categories -> (Choose A Category) -> Edit.

    On that page, you'll find a section labelled Permissions and a drop down list for Post Comments, where you can choose one of:

    • All
    • Registered Users
    • Private
    • Administrators

    I don't know what "Private" means, so I changed it to Administrators. Hopefully problem solved...


    Disabling User Registation

    Okay, now to disable user registration!

    I'm not going to make you guess where this particular setting is hidden, because you can't disable user registration from the control panel!

    The "solution" is to edit the HTML template to remove the registration link, and, if you feel like it, to delete the registration script itself.

    What. The freaking. Balls.

    I "fixed" it by changing the registration script permissions to 0000. I then deleted the 400+ user accounts that were the source of the spam. I'll be monitoring the email logs carefully for a while, because I'm sure I'll have missed some exploitable corner in that stygian morass of miscategorised control panel settings.

    * Paging @nagesh


    Filed under: Okay, I'm TRWTF for running crappy software, then forgetting it exists.



  • @Keith said:

    which my wife and I installed 5 years ago for our wedding photos *.

    So marriage is causing this problem. :wink: :stuck_out_tongue_winking_eye:

    Edit: Also please post link and we can make fun of wedding pictures.



  • @Nagesh said:

    Edit: Also please post link and we can make fun of wedding pictures.

    I'm pretty sure I'm not going to do that.



  • @Keith said:

    I'm pretty sure I'm not going to do that.

    What are you afraid of? You'll get lot of comments. Is that not reason for posting pictures to website in first place?

    He believed that individuals possess a set of motivation systems unrelated to rewards or unconscious desires. Maslow (1943) stated that people are motivated to achieve certain needs. When one need is fulfilled a person seeks to fullfil the next one, and so on.

    Filed Under: Maslow said it first.



  • @Nagesh said:

    You'll get lot of comments. Is that not reason for posting pictures to website in first place?

    I do it for the :heart:s.



  • Wow, I didn't know the software, but I looked it up and it looks like an incredible piece of shit...
    I noticed that you should really update though, as there's been a fix for a XSS 2 days ago:

    Their method for filtering XSS looked redicious, so I looked it up, and I can definitely say that bypassing it would seem to be incredible easy... But to be honest, judging by the quality of the code, I expect a XSS to be the least of your possible problems.

    Also, this:

    
    if (strstr(getenv("HTTP_USER_AGENT"), "MSIE")) { // Browser Detection
      $textinput_size = "50";
      $textinput_size2 = "30";
      $textarea_size = "50";
    }
    else {
      $textinput_size = "30";
      $textinput_size2 = "17";
      $textarea_size = "28";
    }
    


  • @SpoofedEx said:

    Wow, I didn't know the software, but I looked it up and it looks like an incredible piece of shit...I noticed that you should really update though, as there's been a fix for a XSS 2 days ago:http://www.4homepages.de/forum/index.php?topic=31274.0

    In light of your research, I've decided to password protect the directory and be done with it.



  • Software built on the cheap, by the lowest bidder?


Log in to reply
 

Looks like your connection to What the Daily WTF? was lost, please wait while we try to reconnect.