Advanced search  

News:

cpg1.5.46 Security release - upgrade mandatory!
The Coppermine development team is releasing a security update for Coppermine in order to counter recently discovered vulnerabilities. It is important that all users who run version cpg1.5.44 or older update to this latest version as soon as possible.
[more]

Pages: 1 2 [3]   Go Down

Author Topic: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*  (Read 148337 times)

0 Members and 1 Guest are viewing this topic.

Joachim Müller

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 47844
  • aka "GauGau"
    • gaugau.de
Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
« Reply #40 on: September 17, 2005, 11:03:20 am »

please use the code from the cvs, stable branch
Logged

bazil749

  • Coppermine newbie
  • Offline Offline
  • Posts: 6
Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
« Reply #41 on: September 20, 2005, 06:23:07 am »

As of 2nite 9/19/05 the ver. 1.3.4 that is up for download DOES NOT contain the fix.

I had to get it from this file....

A XSS vulnerability has been found in EXIF data. As Coppermine is capable of displaying EXIF data, everybody who runs coppermine (any version) will have to apply this security fix as soon as possible:
  • users running cpg1.3.3 should download the file attached, rename it from "displayimage.txt" to "displayimage.php" and upload it to their webserver into the coppermine root folder, replacing the existing file on the server.
  • users running any previous version should upgrade to cpg1.3.4, as there are several other things that have been fixed. If you can't do this now, make sure to fix the vulnerability: Edit displayimage.php with a text editor, find
    Code: [Select]
        if (isset($exif) && is_array($exif)) {and replace with
    Code: [Select]
        if (isset($exif) && is_array($exif)) {
            //Sanitize the data - to fix the XSS vulnerability - Aditya
            foreach ($exif as $key=>$data) {
              $exif[$key] = htmlentities(strip_tags(trim($data,"\x7f..\xff\x0..\x1f")),ENT_QUOTES); //sanitize data against sql/html injection; trim any nongraphical non-ASCII character:
            }
    Next, find
    Code: [Select]
    if (isset($iptc) && is_array($iptc)) {
            if (isset($iptc['Title'])) $info[$lang_picinfo['iptcTitle']] = trim($iptc['Title']);
            if (isset($iptc['Copyright'])) $info[$lang_picinfo['iptcCopyright']] = trim($iptc['Copyright']);
            if (!empty($iptc['Keywords'])) $info[$lang_picinfo['iptcKeywords']] = trim(implode(" ",$iptc['Keywords']));
            if (isset($iptc['Category'])) $info[$lang_picinfo['iptcCategory']] = trim($iptc['Category']);
            if (!empty($iptc['SubCategories'])) $info[$lang_picinfo['iptcSubCategories']] = trim(implode(" ",$iptc['SubCategories']));
        }
    and replace with
    Code: [Select]
    if (isset($iptc) && is_array($iptc)) {
            //Sanitize the data - to fix the XSS vulnerability - Aditya
            foreach ($iptc as $key=>$data) {
              $iptc[$key] = htmlentities(strip_tags(trim($data,"\x7f..\xff\x0..\x1f")),ENT_QUOTES); //sanitize data against sql/html injection; trim any nongraphical non-ASCII character:
            }
            if (isset($iptc['Title'])) $info[$lang_picinfo['iptcTitle']] = trim($iptc['Title']);
            if (isset($iptc['Copyright'])) $info[$lang_picinfo['iptcCopyright']] = trim($iptc['Copyright']);
            if (!empty($iptc['Keywords'])) $info[$lang_picinfo['iptcKeywords']] = trim(implode(" ",$iptc['Keywords']));
            if (isset($iptc['Category'])) $info[$lang_picinfo['iptcCategory']] = trim($iptc['Category']);
            if (!empty($iptc['SubCategories'])) $info[$lang_picinfo['iptcSubCategories']] = trim(implode(" ",$iptc['SubCategories']));
        }
    .
     Save your edits, then upload the edited file to your webserver, overwriting the exiting one.
  • users running the devel version cpg1.4.x: make sure to update all your files from the cvs as suggested in the sticky thread on the cpg1.4 testing/bugs board.
  • users running unsupported ports (especially those who run the deprecated nuke ports): we have no idea if the vulnerability exists in your code as well, but you should take a look at it and use the fix if applicable
I will package up a new stable release (cpg1.3.4) that will be available soon. It will contain the fix discussed in this thread.
[edit GauGau]
New package released: a brand new package cpg1.3.4 has been released that contains the above mentioned fix. - Download cpg1.3.4
[/edit]

Joachim

[edit]
Fixed the bug described below, uploaded new file and changed the instructions above accordingly. - Aditya
[/edit]


Logged

Joachim Müller

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 47844
  • aka "GauGau"
    • gaugau.de
Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
« Reply #42 on: September 20, 2005, 08:18:50 am »

it contains another syntax of the fix that does the same, but is cleaner, code-wise. Both versions are safe.
Logged

bazil749

  • Coppermine newbie
  • Offline Offline
  • Posts: 6
Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
« Reply #43 on: September 20, 2005, 01:02:09 pm »

No they are not...that's what I'm trying to say.  Or maybe it's a problem with your mirrors....

The point is, I upgrade from 1.3.2 to 1.3.4 and I got this error tonight.  This is how I ended up in this forum.

it contains another syntax of the fix that does the same, but is cleaner, code-wise. Both versions are safe.
Logged

Aditya Mooley

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 781
    • My Sweet Home
Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
« Reply #44 on: September 20, 2005, 01:36:16 pm »

Which mirror did you used to download the package?
I downloaded it from http://easynews.dl.sourceforge.net/sourceforge/coppermine/cpg1.3.4.zip and it has the fixes.

Though the fix in the latest stable version is a bit different than what is given in the first post, as GauGau said, both the versions are safe.
Logged
--- "Its Nice 2 BE Important but its more Important 2 Be NICE" ---
Follow Coppermine on Twitter

bazil749

  • Coppermine newbie
  • Offline Offline
  • Posts: 6
Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
« Reply #45 on: September 20, 2005, 01:52:05 pm »

That link didin't work for me.  I used a couple differnet mirrors, this one for instance:

http://internap.dl.sourceforge.net/sourceforge/coppermine/cpg1.3.4.zip


Hey, I'm not trying to accuse anyone of anything, I'm just saying that it ain't working for me.  Maybe the "fixes" are a bit different in truth, but the only thing that worked for me is the fix on this page...

Once again like I said, I never knew bout this problem before upgrading to the stable version I downloaded tonight.  Or maybe it's my configuration or something, who knows.  I'm just trying to help other people not go through the hours I spent trying to fix this.  Cuz when I read that the downloaded version was fixed, I was pulling my hair out wondering why it doesn't work.

Maybe you should just stick the fix here in the stable version instead of the "other" fix.  Just out of curiousity, what was the "other" fix?

Which mirror did you used to download the package?
I downloaded it from http://easynews.dl.sourceforge.net/sourceforge/coppermine/cpg1.3.4.zip and it has the fixes.

Though the fix in the latest stable version is a bit different than what is given in the first post, as GauGau said, both the versions are safe.
Logged

bazil749

  • Coppermine newbie
  • Offline Offline
  • Posts: 6
Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
« Reply #46 on: September 20, 2005, 01:55:44 pm »

I had to manually make the change on lines 334 and 336 and change the isset to isempty....That's the ONLY thing that worked for me.

No they are not...that's what I'm trying to say.  Or maybe it's a problem with your mirrors....

The point is, I upgrade from 1.3.2 to 1.3.4 and I got this error tonight.  This is how I ended up in this forum.

it contains another syntax of the fix that does the same, but is cleaner, code-wise. Both versions are safe.
Logged

Aditya Mooley

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 781
    • My Sweet Home
Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
« Reply #47 on: September 20, 2005, 02:04:50 pm »

I had to manually make the change on lines 334 and 336 and change the isset to isempty....That's the ONLY thing that worked for me.
The code which you changed is a part of a fix just to avoid the warning messages which were getting displayed after fixing the XSS vulnerability. The actual fix line 328 to 331 is present in the stable package.
Logged
--- "Its Nice 2 BE Important but its more Important 2 Be NICE" ---
Follow Coppermine on Twitter

bazil749

  • Coppermine newbie
  • Offline Offline
  • Posts: 6
Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
« Reply #48 on: September 20, 2005, 02:08:03 pm »

Well I'm sorry to say that it's not working.  Maybe you need to check it again, but it's not working for me.  Maybe it's due to my particular images, who knows.  One thing is that I didn't get this error on all my images.  I don't know why.  And of course I don't get it at all if I turn the IPTC on Jpegs off completely.

Just trying to help here guys....

I had to manually make the change on lines 334 and 336 and change the isset to isempty....That's the ONLY thing that worked for me.
The code which you changed is a part of a fix just to avoid the warning messages which were getting displayed after fixing the XSS vulnerability. The actual fix line 328 to 331 is present in the stable package.
Logged

DJMaze

  • VIP
  • Coppermine addict
  • ***
  • Offline Offline
  • Posts: 831
    • Dragonfly CMS
Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
« Reply #49 on: September 24, 2005, 05:13:18 am »

Probably fixed the issue check revision 1.15 (should be available within 3 hours)
http://cvs.sourceforge.net/viewcvs.py/coppermine/stable/displayimage.php
Logged
There are 2 kinds of users in this world: satisfied and complainers.
Why do we never hear something from the satisfied users?
http://coppermine-gallery.net/forum/index.php?topic=24315.0

Albert

  • Coppermine newbie
  • Offline Offline
  • Posts: 6
Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
« Reply #50 on: September 24, 2005, 12:19:56 pm »

I've started thread /var/www/cpg134/displayimage.php on line 334 and if I understand this thread right, the problem should be fixed with newest downloads, but I used a download of yesterday. Maybe I had an old version in my cache. It would be good, if there is a md5sum at the website.

With this version I got the error:
b1b10229422583bdad5ca4ff44281ac5  cpg1.3.4.zip

I would like to add, that some exif and IPTC-fields are empty, although the info is in the image. Every Comment contains at the beginning ASCII
Logged

Albert

  • Coppermine newbie
  • Offline Offline
  • Posts: 6
Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
« Reply #51 on: September 24, 2005, 08:56:58 pm »

A few minutes ago I downloaded cpg1.3.4.zip from 3 different locations and md5sum still is b1b10229422583bdad5ca4ff44281ac5, which produces errors here. Does this version work for others or do we have to be patient for a new version? It is not a problem for me if it takes days, if the problem is solved, I want to know only, if I have to wait.
Logged

donnoman

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 1615
  • From donovanbray.com
    • Donovan Bray
Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
« Reply #52 on: October 04, 2005, 05:19:09 pm »

I think that you made a mistake in your first post...
I won't comment this, maybe the dev who took care of the fix wants to. In fact, the lines do the same, there is only a cosmetical issue.

Joachim

Quote

I think I may have been the dev that changed those two lines to !empty because in working with a specific image I uncovered the fact that isset will return true if its passed a null array. !empty will return false which is the reaction I felt was most appropriate.
Logged

Hekimoglu

  • Coppermine newbie
  • Offline Offline
  • Posts: 1
Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
« Reply #53 on: July 22, 2006, 02:33:41 pm »

Hello,

I have fixed displayimage.php but ı have an error when ı clik on photos..


Code: [Select]
Parse error: parse error, unexpected  ......../modules/coppermine/displayimage.php on line 577
Can you Help me???
Logged

Joachim Müller

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 47844
  • aka "GauGau"
    • gaugau.de
Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
« Reply #54 on: July 23, 2006, 06:53:40 am »

Means that you haven't applied the fix as suggested. You should perform the actual upgrade instead of trying to fix only parts, especially if you don't understand what a parse error is. Don't clutter this thread with individual support requests.
Logged
Pages: 1 2 [3]   Go Up
 

Page created in 0.034 seconds with 21 queries.