There are too much security flaws on the Coppermine gallery used on this site. ;014
I have to disable some php functions in order to prevent attacks from here to my server...
I'll make it very short : I need someone to either update and make sure the gallery is not a threat for the server anymore, either i'll have to close the gallery for security reasons.
Any solution is good : updating (and making sure it's not a sponge anymore), changing engine, or even finding a totally brand new solution (image board, etc.) ;010
I do not have any time to do that myself, sorry.
Deadling is 31th of March.
Thanks for understanding ;hi
Please contact me by mail and be sure you have already experience in doing that.
Added after 58 seconds:
And if one wants to update the forum too, it would be nice too :D but i didn't detect any exploits from there yet.
So the gallery's coppermine engine is outdated?
Not very strange (considering the amount of recent security updates they've been releasing lately) that you consider it that way, I guess.
I take it no install-engine software is present on the server, by that?
Coppermine is a sponge regarding security, it always was... problem is, lately it tends to show quite straightforwardly, messing with files on server itself.
About installing engines, no. I consider them quite useless since anyway, you couldn't use them to even make a simple upgrade, due to the edits in the code to make it working with forum...
Right'o.
Personally I've got very little experience on this, but meh. If you haven't asked Tsubashi about it, please do, I think he's more of your man for this mission, haha. ^^
Anyway, by the quick-and-shallow search I did there doesn't seem to be a lot of good, big gallery engines available publicly - guess I'll have to scrounge around a bit to find something more worthwhile to compare with.
Well, i have come to like and respect this forum enough to set my current projects aside and learn how to improve the gallery...
To put it simply, i volunteer to learn about the software needed to run the gallery and dedicate time to maintain it... i will learn as much as i can before the 31st of march and if noone else has reported, and i know enough to adress this problem, i will volunteer as a sort of gallery mod...
This is so i can prove to the people on this forum i have come to respect, that i can be useful and provide some meaningful input even though i am not an artist...
No, i didn't ask Tsubashi yet but i believe ( ? ) he's quite crowded too. Also, i am not a big fan of doing things behind curtains so i don't see why other members wouldn't be aware that there's a task to do.
Usually, i take care of those myself but i'm really, really way too crowded lately to do anything about that. (Namely, i'll be at home today, friday evening -> sunday next week and then not anymore for at least a month or so ...)
Any participation is welcome, I can put a 'test environnement' if you want to try improvements without necessarily using your own comp for that (which would be normal)
Well, I can imagine that, considering how little that vampire's on nowadays... ^-^; I wasn't saying you should hide it, just that he's probably the most experienced in this stuff, but then, you'd know, wouldn't you ^^
Good to see some action from people there, Smokey.
Simplest solution: Disable the uploader. Turn the existing gallery into some kind of "non-interactable" archive. Any future images are posted directly in forums, maybe in dedicated threads.
that wouldn't work... that would kill the usefulness of the gallery...
Also i wouldn't mind to use my comp as a testing environment (needs major overhaul anyways), just gimme a software suite i need/would want to learn... (for example Win2kserver with coppermine...)
The upload is not especially the problem, it's the whole scripts which are potentially harmful.
On one attack (a few months ago now), it was the viewing script which was used to rot the files...
i have found a possibly interesting suite, TinyWebGallery...
Here's a Wikipedia link...
http://en.wikipedia.org/wiki/TinyWebGallery
It is important that all the current content can be moved to another gallery, if another gallery is used.
I guess, that it can be done...
But I am trying to acuire some PIII servers so i can emulate different server environments and setups, so i can learn more efficiently...
Any suggestions from you on what i should install and then learn are highly appreciated...
http://ostan-collections.net/topic-991.html
Gomen nasai, I have not been very active lately have I? v_v
*Bows Apologetically*
Thank you for your praise, Nejin-sama. It makes me very happy to hear.
Fedora-dono is right that I am somewhat busy, but I think I should be able to clear up some time to work on this problem. I most definitely owe it to all of you. ^^'
I will post back here with ideas later.
And here cometh he, the Lord of Apologies. ^^ Donmai, Tsubashi-chan. -w-
And good to hear that, I knew we could count on you for this as long as you had time for it.
;020 Wish I could be of use. V-V
The problem is, I don't have time nor a server.
^_^; I have it at home but not here...
Also I knew AnimeTheme's idea isn't good beforehanded - I don't like to insult anybody, anyways. It's like taking a shotgun to the gallery's usefulness. So disabling uploader's out, normally. -_-;
You say Coppermine's script eating the file?! That's bad enough.
BTW, Fedora-sama - did you make a back-up regularly? (If so, it could be good.) - just asking...
I'll help with some stuff if I can, but this sort of thing is kinda outta my league right now.
Quote from: "Dr. Mario"
BTW, Fedora-sama - did you make a back-up regularly? (If so, it could be good.) - just asking...
Of course. But restoring backups is not a solution.
About the server, i would insist that tests should be realized on this server since it's quite pointless to try making the same environment - it will never be the same and just cause troubles when trying to make it work on the real server after...
Oh, that is, of course the best course of action; though I must say it is a tad unexpected. I would have offered my servers if needs be, but it looks like that will not be necessary ^.^
Yeah, what are the connection requiements to host this site anyway?
20/20MBit up/down SDSL?
Thank, Fedora-sama, for pointing that out.
And I guess my server won't be necessary... (due to different internal hardwares than yours) And I can agree with you on the environment part - it can never be the same no matter what.
Smokey, about Internet link speed - that depends on demands and how many people are coming around and type of files used, 5Mb/s being the minimum.
that i know... i was just wandering how the usage was on this forum...
Okay. Just for the information (we're not the only ones on this forum... ^-^; )
This server is currently a dedicated (as in "i'm the only physical person handling it", not as "it's the only site on it") with 100Mb/s directly connected to the network (it's in a datacenter). It's not ADSL / SDSL / XDSL.
I am not limited by bandwitdh on this server. (for real, not like crap cheap offers you can find form here to there).
Ah, getting such bandwidth as a private person is a bit expensive here... ^_^ (there goes my webhosting plans... :D)
Oh, I see. It's possible for me to grab 100Mb/s to a gigabit/s. The only problem, right now, my Japanese bank account's out of reach for now - it's pricey for to grab the uninterruptable host (server) link at this speed. 0-0; A few hundred buck a months... <shivering>
(The reason my account's untouched, is because my old bank [in Tokyo] ripped me off so my wife had to move it to new bank. It suck. T~T Oh well, I will live to see another day.)
Well, the Dutch providers don't even dare to put the prices of Corporate Internet on their sites... But there is one here that has Gb internet service... ^_^
But it'll probably be â,¬500+
Exactly. And getting a linecard (sometimes required) is another story. It's f***ing expensive!? Hardly a product for typical home user. Sure, there are some server motherboard with built-in PCI-express linecard, but still expensive. Some IP would perfer to use optical Ethernet, it's easier to deal with, regarding the distance between your server and datacenter.
(Sorry about the F-bomb, I had to censor it. -_-; )
Well here you get an optical connection to your (i guess) modem and from there you can hook up anything you like...
But it could als be that yoou indeed need a server for the incoming connection...
It doesn't matter if you use a linecard on a regular motherboard's PCI-express 1x port - it will work still.
Oh sure i didn't doubt that, besides you don't need a dual CPU MoBo to build a server... ^_^ ( Ive seen a AM386DX run as a mailserver -on linux, that stuff is like speed for PCs)
Exactly. But still, it's recommended that you use AMD's AM2 processor as a starting point, if you're to host a Youtube-like website. (screw Intel CPU, it's nowhere effecient enough to deal with heavy-duty sh*t like that.)
Also good ol' Pentium II (or Athlon) is good enough to deal with usual website like this one (with 2GB RAM to keep it from getting pissed off. Why not Pentium? Out-of-order operation is very important, since there are so much computers asking for huge chunk of bytes, all at once.)
Dual PIII's no good then? (because i can buy those at a great price here (ProLiant or Dell even IBM servers from â,¬75.-)) :D
No no no! Pentium III is still good! What I described was the minimum system requirements. It will still work as long as you're not intending for it to munch on Blu-ray Disc files and other HD video, as to host a website being similar to Youtube - if it does, it simply drown and crash (because of on-die architecture being not sophisicated enough to deal with wide words and new mathematic formula, such as found in H.264 codec.)
Oh, those puppys won't be used for that...(they're for training purposes ^_^)
Oh, good... That's good. Pentium III Xeon is still useful for Linux server anyways. Although my server's pretty powerful - it's a 64 bit monster, have 16 GB XDR DRAM (yep, you guessed it right, the x86 CPU is pretty powerful.) And for CPU cooling, I used peltier plate and heatpipe.
Guess it won't be used to host a web, since Fedora-sama rather to have it off her machine, I may use it for rendering farm, whatever. I don't mind running this website off my machine - I knew it would be a temporary measure.
Oh no, when i am going to build a render farm, i will probably be using SGI hardware (you know, the Indy, O2 and Indigo machines ^_^)
Those are dirt cheap here aswell... :D
Oh well, better than nothing...
And you could grab ATI Radeon HD3k video card with AGP interface - will definitely help in your rendering farm, since it have few hundred DSP cores, on-die.
Oh, as far as i've read the graphics subsystems on the SGI workstations we're heavy duty (at least for their time)
Well, they're not high-end anymore. GeForce 6 series were the first video card to contain SGI graphic technology, on-die, due to being made on 130nm SOI process. Radeon HD 4k is more powerful with genuine SGI (yes, SGI dudes did push-start the original ATI [being eventually bought out by AMD] for commercialization), with XDR2-based speed demon Radeon HD 5k being in final beta stage.
http://www.tyan.com.tw/product_board_detail.aspx?pid=554
Then i guess this would be a nice start for a render farm (or a bad ass gaming-PC)
Too bad that such a MoBo, with 4 quadcore opteron (at 2,5GHz), 32GB RAM and IPMI add on cost â,¬9120,- that´s without the â,¬878,- for the two ASUS EAH4870X2/HDTI videocards... plus the rest (case, PSU´s soundcard, HDD-array (16000GB at â,¬1832,-), so this is shaping up to be a very expensive Server, and i think i can top the Processing power if i were to build a beowulf farm of dual PIIIs for less than that...
But that is one bad MoFu´er, that MoBo... ^_^
There you go! ;001 Although it's nice for gaming PC, it's gonna be expensive, providing my gaming machine cost me four to five grands. But I will post it at my post, "If you could design a OS", because it also involve usage of my own operating system and boot firmware based on it. I will also post the screenshot of benchmark (I thought it would be awesome because it have a copy of PS3 CPU technology, only with 64-bit x86 RISC archietecture.) Although it's really new, I haven't really used it yet.
Added after 12 minutes:
And yes, it's of Xeon version but, no - it's not either Xeon, nor Opteron. And this x86 CELL, for server usage, would have larger local cache for SPE, 5.2 MB total (256KB L1, 1MB L2, and 4MB LC), compared to 256 KB LC found on original PPC CELL. The XPE [x86 PE] might have cache larger than that.
[It might be delayed, due to economy meltdown, better off holding it off until the Japs are ready.]
Running two Pentium III's side-by-siden will make your server run faster than a modern quad core!?
No running 50 dual-PIII's, overclocked might be faster and that setup is 50 percent cheaper...
Mainframe size, <3.
Naaah, wardrobe-sized...
They still make PIIIs?
Well, I suppose it's no surprise, really. They still make the MOS 6502...
As far as i know, they don't... but you can buy refurbished PIII servers... at about â,¬50-â,¬100
*cough*
Oh, Crap! We're OTing in front of the Admin!!!
RUN!!!!
srry, btw...
rm -rf /home/Smokey
:D
o_O O_O O_o >_<
Just kidding!
BTW, any idea on Fedora-tan's server like she originally asked - do I see any light bulb lighting up? Any idea?
BTW, Red Machine, Pentium III was revived for Centrino, because Netburst was sucking the battery pack like a box of juice AND it got too hot for a laptop (regardless the effort on making Mobile Pentium 4.) so Pentium III got a overhaul: SSE3, die-shrink to 65nm, and more faster chipsets. It's eventually replaced by modified Core 2 Conroe (And of course, Penryn).
I thought it was Celeron? My Centrino registers as a standard Core2 Duo...
Centrino come in three favors: Pentium-M (modified Pentium III-m), Core (modified Pentium 4 Presler), and Core 2 (a renamed Pentium 5)
Just to give you a idea.