[6.x] Album.pl - UBB-Integrated Photo Album - ubbDev

You are not logged in. [Log In] ubbDev » Forums » Vintage Modifications » UBB.Classic 6.4 - 6.7 Mods » [6.x] Album.pl - UBB-Integrated Photo Album

Page 2 of 5

2

Topic Options

#199387 - 04/26/03 03:18 PM Re: [6.x] Album.pl - UBB-Integrated Photo Album
usr bin geek Moderator / Kingpin Registered: 02/11/01 Posts: 817 Loc: Burlington, VT Add to del.icio.us Digg it	Quote: quote:</font><hr />Originally posted by Mike Bobbitt: An advisory detailing the problem will hit BugTraq on April 27th. (Thanks to AresU for finding this and for responsible disclosure!)<hr /></blockquote>It must have went out on BugTraq early because I just got it: <blockquote><font class="small">quote: [qb]AresU Advisory 04/27/2003 Album.pl Vulnerability Severity : High (CGI Remote Command Execution) Systems Affected: Album.pl up to v6.1 Vendor URL: http://perl.bobbitt.ca/album Vuln Type : CGI Remote Command Execution Status : Vendor contacted, new fixed version available Author : AresU Greetz to : Mike B., Bosen, Tioeuy, syzwz, Heltz, eF73, SakitJiwa, nimdA, Br0374l, FreshFirst, Algorithm All 1ndonesian Security Team (1st) http://www.bosen.net/releases/ http://bosen.blogspot.com Summary ======= album.pl is a popular web photo album application that allows you to simply drop new photo files into a directory, and they will automatically be accessible via the web. Any user can execute commands with Web Server privileges (normally nobody) when use an alternate configuration file. Solution ======== Upgrade to a newer album.pl version (at least 6.2) http://perl.bobbitt.ca/album/album62.zip Acknowledgments =============== Vulnerability discovery and advisory by AresU Vendor Response =============== Vendor has been contacted and new fixed version is available. Exploit Code ============ I have refrained from publishing a more functional exploit at this time, to delay attacks against album.pl installations. ----------------------------------------------- This mail sent through http://webmail.bosen.net [/qb] _________________________ Steve #!/usr/bin/geek � \| WyldRyde IRC Network Sorry, I wont answer support questions by email, PM, or IM.
Top

#199388 - 04/26/03 05:05 PM Re: [6.x] Album.pl - UBB-Integrated Photo Album
AllenAyres I type Like navaho Registered: 03/10/00 Posts: 25411 Loc: Texas	Nice upgrade Mike, those are some sweet features _________________________ - Allen - What Drives You?
Top

#199389 - 04/29/03 12:10 PM Re: [6.x] Album.pl - UBB-Integrated Photo Album
Mike Bobbitt Member Registered: 04/30/01 Posts: 230 Loc: Ottawa, ON, Canada	It went out on Indonesian time. _________________________ Mike Bobbitt PERL Stuff
Top

#199390 - 05/01/03 07:03 AM Re: [6.x] Album.pl - UBB-Integrated Photo Album
Mike Bobbitt Member Registered: 04/30/01 Posts: 230 Loc: Ottawa, ON, Canada	Note: at least one site has been hacked through the album.pl vulnerability, so I can't stress enough that users should complete this upgrade. There is also a quick patch available here for those who don't want to tackle an upgrade right away: http://perl.bobbitt.ca/yabbse/index.php?board=2;action=display;threadid=740;start=new;boardseen=1 Cheers _________________________ Mike Bobbitt PERL Stuff
Top

#199391 - 05/01/03 10:04 AM Re: [6.x] Album.pl - UBB-Integrated Photo Album
tackaberry Pooh-Bah Registered: 11/28/00 Posts: 3213 Loc: NYC \| 100% Hockey	Hi Mike, Are there any particular settings required for talking to the ubb.x users table? _________________________
Top

#199392 - 05/01/03 08:32 PM Re: [6.x] Album.pl - UBB-Integrated Photo Album
Mike Bobbitt Member Registered: 04/30/01 Posts: 230 Loc: Ottawa, ON, Canada	Ummm. I'm not really familiar with UBB.x's underlying settings. In case there's similar to UBB.thread's, here they are (from the Database section of album.cfg): db_driver=mysql db_name=[dbname] db_hostname=localhost db_user=[username] db_password=[password] db_port=3306 db_membertable=w3t_users db_username=U_LoginName db_passwdfield=U_Password If anyone knows of corrections for UBB.x, I'd gladly add them to the config notes... Cheers _________________________ Mike Bobbitt PERL Stuff
Top

#199393 - 05/02/03 09:14 AM Re: [6.x] Album.pl - UBB-Integrated Photo Album
tackaberry Pooh-Bah Registered: 11/28/00 Posts: 3213 Loc: NYC \| 100% Hockey	The settings should be: db_driver=mysql db_name=[yourwebsite_com] db_hostname=localhost db_user=[username] db_password=[password] db_port=3306 db_membertable=USERS db_username=USERNAME db_passwdfield=PASSWORD I've gotten as far as getting a line 2696 error I posted a similar thread @ infopop http://community.infopop.net/2/OpenTopic?a=tpc&s=729094322&f=1853060105&m=3403056517 I'll have to check the case settings for the table/fields when I get home _________________________
Top

#199394 - 05/07/03 01:59 PM Re: [6.x] Album.pl - UBB-Integrated Photo Album
Mike Bobbitt Member Registered: 04/30/01 Posts: 230 Loc: Ottawa, ON, Canada	Thanks for the info, I've added it to the "standard" config that comes with album.pl... As for the error, was there a message to go with the line number? That's pretty much smack dab in the middle of DB code, which sounds right I guess... _________________________ Mike Bobbitt PERL Stuff
Top

#199395 - 06/24/03 11:19 AM Re: [6.x] Album.pl - UBB-Integrated Photo Album
BUZN_WILDLY Junior Member Registered: 05/24/03 Posts: 19 Loc: Ont.	How do I add a link in the my profile \| register \| search \|faq \| forum home for the Album? on UBB.classicTM 6.3.1.2 Thank-You in advance for your help... BUZN_WILDLY
Top

#199396 - 06/24/03 09:35 PM Re: [6.x] Album.pl - UBB-Integrated Photo Album
Poopy Pants Member Registered: 08/22/01 Posts: 100	are there idiot instructions on how to integrate this into the ubb, i mean pure idiot instructions because i can't figure it out.
Top

#199397 - 06/24/03 11:54 PM Re: [6.x] Album.pl - UBB-Integrated Photo Album
R.J. Ferguson Junior Member Registered: 06/19/03 Posts: 3 Loc: Philadelphia, PA	In public_common.pl, find: # Forum Home Add Under: #Album push(@items, qq(<a href="$vars_config{CGIURL}/album.pl" title="$vars_wordlets_mods{album_link}">$vars_wordlets_mods{album_link}</a>)); ================================================= In vars_wordlets_mods.cgi, find: %vars_wordlets_mods = ( Add Under: q!album_link! => q!Album!, DON'T FORGET TO BACKUP THE ABOVE MENTIONED FILES PRIOR TO EDITTING THEM!
Top

#199398 - 06/25/03 07:52 AM Re: [6.x] Album.pl - UBB-Integrated Photo Album
BUZN_WILDLY Junior Member Registered: 05/24/03 Posts: 19 Loc: Ont.	I've tryed to make that link work, But not having any luck with it! I even altered the line q!album_link! => q!Album!, to album_link => "album" And still doesn't work... and I'm thinking you have to add #Album push(@items, qq(<a href="$vars_config{CGIURL}/album.pl" title="$vars_wordlets_mods{album_link}">$vars_wordlets_mods{album_link}</a>)); Add Under: # Forum Home push(@items, qq(<a href="$ULTIMATEBB" title="$vars_wordlets{forum_acronym}">$vars_wordlets{forum_home_link}</a>)); Would You Have any other Idea's? UBB.classicTM 6.3.1.2 Thank-You BUZN_WILDLY
Top

#199399 - 07/22/03 10:59 AM Re: [6.x] Album.pl - UBB-Integrated Photo Album
Mike Bobbitt Member Registered: 04/30/01 Posts: 230 Loc: Ottawa, ON, Canada	Sorry I haven't replied - I don't get notified on this thread, so I never know when it's active... Do you get anything at all when you add those lines, or is it just the same? V6.3.1.2 has different templates from more recent versions (as I recall) so public_common.pl may look and act a bit differently... _________________________ Mike Bobbitt PERL Stuff
Top

#199400 - 08/12/03 04:47 PM Re: [6.x] Album.pl - UBB-Integrated Photo Album
caroth Member Registered: 05/30/01 Posts: 54	The album works great on our forum installed on a Win2k box. The only suggestion I have is to sort the albums by username, not the member number. I realize that is probably hard to do, but many of my members have asked for it. Chris
Top

#199401 - 10/10/03 03:42 PM Re: [6.x] Album.pl - UBB-Integrated Photo Album
Mike Bobbitt Member Registered: 04/30/01 Posts: 230 Loc: Ottawa, ON, Canada	V6.3 has been released. ( Download ) New Features You can now create links to photos in other albums. The new "Link" item on the admin menu allows you to create links to existing photos. Only the original photo exists, with links simply pointing to it. Useful for a "favourites" album, without keeping multiple copies of your photos. Local templates now supported. Any template files found in an album directory will automatically be used for that album. New buttons! Added ssi=2 mode, which shows actual photos, not just thumbnails. (Good for use with random/slideshow features.) Added support for YaBB SE 1.5.1+ password protection. Digest::HMAC_MD5 Perl module required. Added ####NAVPREV####, ####NAVUP####, ####NAVNEXT#### and ####NAVJUMP#### tags, for extra granularity with the navigation footer. Updated album_footer.tml to use these tags. Added ####MOVIESIZE#### tag for the upload form, to show the max allowed movie upload size. Added "logout" button for flatfile authentication (type 1). Includes logout_button config item and thmb_album_logout.gif image. The postupload command can now use all regular ####TAGS####. (Such as ####CONFIG=loggedin#### to show the logged in user's name.) Improved cookie deletion (thanks Scouter!) Additional check to prevent bogus config update added. Tuned up album_test.pl. Added new default_linkdir to allow fast linking. Added new "delcookie" function to forcibly delete any album related cookies. New Config Items link_button: Filename of the "Link" button graphic. default_linkdir: When added, clicking on the "link" button will auto create the link in this directory, instead of prompting the user for a destination (not present by default). logout_button: Filename of the "Logout" button graphic db_displaynamefield: Used to define the database field containing a user's display name. Optional. movie_upload_size_limit: Allows admins to specify the max size for uploaded movies, separate from photos. Bug Fixes User edit no longer adds a blank line to the end of the list. Nav "up" link now takes you up to the right page. Album URLs are now properly escaped, allowing characters such as + in the album filenames. Fixed flatfile password carryover problem. Fixed ssi / authentication problem. Fixed a bug where search results weren't displayed properly. Fixed up static HTML to honour local configs. Fixed broken movie links. Files to replace album.pl album_test.pl album_footer.tml album_strings.txt (or appropriate language file) Photo_Album.css New files thmb_album_link.gif Enjoy! P.S. caroth, that's on the to do list, hope to get to it some time. _________________________ Mike Bobbitt PERL Stuff
Top

#199402 - 10/11/03 09:02 PM Re: [6.x] Album.pl - UBB-Integrated Photo Album
AllenAyres I type Like navaho Registered: 03/10/00 Posts: 25411 Loc: Texas	thanks Mike _________________________ - Allen - What Drives You?
Top

#199403 - 11/11/03 04:57 PM Re: [6.x] Album.pl - UBB-Integrated Photo Album
AllenAyres I type Like navaho Registered: 03/10/00 Posts: 25411 Loc: Texas	Do these errors look familiar? http://www.ubbdev.com/cgi-bin/album.pl And the images, even tho they are in the folder as specified in the config settings aren't being found (config settings say my setting is correct, even tho it's looking for the images in the public pages from a different url - appears to be looking for them in cgi_web and not album_web). _________________________ - Allen - What Drives You?
Top

#199404 - 11/11/03 05:24 PM Re: [6.x] Album.pl - UBB-Integrated Photo Album
Felix 10 Enthusiast Registered: 10/10/02 Posts: 391 Loc: Toronto	Allen, the path, in your case is only: cgi-bin/img/ so in the album.cfg would show something like this: Quote: quote: # The path to the directory containing all icons and buttons. This should be relative to album.pl's location, as it is appended to album_web to get the actual URL. img_dir=cgi-bin/img In my case was img_dir=ubb/img because I didnt want to mix the "img" folder in the cgi-bin, it doesnt have to be there. I have a question though: I dont get "Rate picture" and also dont get the Admin options: Delete, Move, Edit etc. Do you know why? Is there a page for Admin settings other than album.cfg file? http://romanianational.com/cgi-bin/album.pl Thank you, Felix
Top

#199405 - 11/11/03 11:09 PM Re: [6.x] Album.pl - UBB-Integrated Photo Album
AllenAyres I type Like navaho Registered: 03/10/00 Posts: 25411 Loc: Texas	Thankyou Felix Try this link: http://romanianational.com/cgi-bin/album.pl?function=admin with the 'admin' whatever you've set your admin password in the config file to _________________________ - Allen - What Drives You?
Top

#199406 - 11/11/03 11:37 PM Re: [6.x] Album.pl - UBB-Integrated Photo Album
Felix 10 Enthusiast Registered: 10/10/02 Posts: 391 Loc: Toronto	My pleasure Allan. I saw that it work I figured it out why dont have the "Rate it" button. I missed to create the ratings.txt file Thank you Felix
Top

Page 2 of 5

2

View All Topics

Hop to:

Moderator: Charles, Gizmo

Top Posters Last 30 Days

AllenAyres	12
Gizmo	10
S7ARBVCK	2
Cambridge	1
Murphdog	1
MattUK	1
Kevin H	1

0 Registered (), 32 Guests and 8 Spiders online.

Key: Admin, Global Mod, Mod

Shout Box

Latest Posts

BeyondCompare v3.00
by blaaskaak
Yesterday at 02:46 PM

Noob - need help, or a reality check!
by Gizmo
09/04/08 03:21 AM

Here I am! Rock me like a Hurricane!
by AllenAyres
09/02/08 03:05 PM

[7.x] Generic Page Outside of forum directory
by Gizmo
08/30/08 05:43 PM

Team UBBDev Rides Again!
by Gizmo
08/28/08 11:45 PM

Multiple Identity Detector
by MattUK
08/28/08 04:10 PM

[7.3.x] ubb.links
by AllenAyres
08/26/08 09:57 AM

September
Su	M	Tu	W	Th	F	Sa
	1	2	3	4	5	6
7	8	9	10	11	12	13
14	15	16	17	18	19	20
21	22	23	24	25	26	27
28	29	30

New Mods

Installing FlashChat with 7.3
by Paug
08/23/08 12:14 AM

[7.3.x] ubb.links
by AllenAyres
06/20/08 11:50 PM

[7.2.1] - Naked shoutbox
by sirdude
08/17/07 10:36 PM

[7.x] Generic Page Outside of forum directory
by
01/14/07 10:58 PM

Multiple Identity Detector
by
12/30/06 06:39 PM

Newest Members

veedubb8, twentyseven, Claus1, welcomeback1, Paug
13327 Registered Users