Author Topic: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*  (Read 146949 times)


MerNion

  • Coppermine newbie
  • Offline Offline
  • Posts: 14
Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
« Reply #20 on: August 23, 2005, 10:49:48 am »

Quote
  • users running cpg1.3.3 should download the file attached, rename it from "displayimage.txt" to "displayimage.php" and upload it to their webserver into the coppermine root folder, replacing the existing file on the server.

Some of us have heavily modified the viewimage.php file to meet our needs. If we just make the changes you mentioned (find/replace), would that be ok to fix the problem?
Logged

Joachim Müller

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 47844
  • aka "GauGau"
    • gaugau.de
Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
« Reply #21 on: August 23, 2005, 10:52:24 am »

viewimage.php: there's no such file in the coppermine distribution afaik, but if you're referring to displayimage.php: yes, it's safe to just do the suggested changes in the code - that's why we posted them.
Logged

Makc666

  • Translator
  • Coppermine addict
  • **
  • Offline Offline
  • Gender: Male
  • Posts: 1608
  • Русский (ISO-8859-1) - Russian - Ğóññêèé (Windows)
    • Makc's home page
Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
« Reply #22 on: August 24, 2005, 12:14:03 am »

1. Difference between 1.3.3 and 1.3.4 is only that fix??

2. I checked displayimage.php from the 1.3.3 archive downloaded from this site and there is no such block of code as:
Code: [Select]
    if (isset($iptc) && is_array($iptc)) {
        if (isset($iptc['Title'])) $info[$lang_picinfo['iptcTitle']] = trim($iptc['Title']);
        if (isset($iptc['Copyright'])) $info[$lang_picinfo['iptcCopyright']] = trim($iptc['Copyright']);
        if (!empty($iptc['Keywords'])) $info[$lang_picinfo['iptcKeywords']] = trim(implode(" ",$iptc['Keywords']));
        if (isset($iptc['Category'])) $info[$lang_picinfo['iptcCategory']] = trim($iptc['Category']);
        if (!empty($iptc['SubCategories'])) $info[$lang_picinfo['iptcSubCategories']] = trim(implode(" ",$iptc['SubCategories']));
    }

There is block of code:
Code: [Select]
    if (isset($iptc) && is_array($iptc)) {
        if (isset($iptc['Title'])) $info[$lang_picinfo['iptcTitle']] = trim($iptc['Title']);
        if (isset($iptc['Copyright'])) $info[$lang_picinfo['iptcCopyright']] = trim($iptc['Copyright']);
        if (isset($iptc['Keywords'])) $info[$lang_picinfo['iptcKeywords']] = trim(implode(" ",$iptc['Keywords']));
        if (isset($iptc['Category'])) $info[$lang_picinfo['iptcCategory']] = trim($iptc['Category']);
        if (isset($iptc['SubCategories'])) $info[$lang_picinfo['iptcSubCategories']] = trim(implode(" ",$iptc['SubCategories']));
    }

I think that you made a mistake in your first post...
Logged

Joachim Müller

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 47844
  • aka "GauGau"
    • gaugau.de
Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
« Reply #23 on: August 24, 2005, 10:36:08 am »

Quote
1. Difference between 1.3.3 and 1.3.4 is only that fix??

No, minor changes and fixes are made all the time in the cvs. When a new package gets released, those fixes go into the package as well. None of the other fixes are security-related, so I didn't post them. The security fix is not the only difference between cpg1.3.3 and cpg1.3.4.

Quote
I think that you made a mistake in your first post...

I won't comment on this, maybe the dev who took care of the fix wants to. In fact, the lines do the same, there is only a cosmetic issue.

Joachim
Logged

Tarique Sani

  • VIP
  • Coppermine addict
  • ***
  • Offline Offline
  • Gender: Male
  • Posts: 2712
    • http://tariquesani.net
Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
« Reply #24 on: August 24, 2005, 12:31:19 pm »

He He!
@Makc666 - I wouldn't bother about the change between the two code blocks ;)
Logged
SANIsoft PHP applications for E Biz

ramppi

  • Contributor
  • Coppermine newbie
  • ***
  • Offline Offline
  • Gender: Male
  • Posts: 14
Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
« Reply #25 on: August 25, 2005, 10:23:42 am »

Some error, when replacing those two 'pieces' of code (first post)

Quote
Parse error: parse error, unexpected T_STRING in /home/XXXXXX/public_html/galleria/displayimage.php on line 310

310 is that Aditya-line

regards
Matti
Logged

Aditya Mooley

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 781
    • My Sweet Home
Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
« Reply #26 on: August 25, 2005, 11:55:50 am »

You must have missed a / from that line. Make sure that there are two forward slashes (//) at the beginning of the line.
Logged
--- "Its Nice 2 BE Important but its more Important 2 Be NICE" ---
Follow Coppermine on Twitter

ramppi

  • Contributor
  • Coppermine newbie
  • ***
  • Offline Offline
  • Gender: Male
  • Posts: 14
Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
« Reply #27 on: August 25, 2005, 05:36:05 pm »

Aditya,

I had both '/' but it was something to do with 'spaces'. I copy/pasted the code snippet from the forum. And then it gave those string errors.
After tabulating it once more (taking off the 'white space' + adding it by tab) line after line the string error moved line by line also (310,311..) ... and corrected.
(problem was only in the first snippet). Funny, cause when looking, you can't see any difference. But so it went.

Thank You for Your time Aditya

Matti
Logged

wprowe

  • Coppermine novice
  • *
  • Offline Offline
  • Gender: Male
  • Posts: 32
    • Music, Travel, Outdoor, Nature and Wildlife Photography
Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
« Reply #28 on: August 25, 2005, 08:30:06 pm »

In this block of code:

Code: [Select]
    if (isset($iptc) && is_array($iptc)) {
        if (isset($iptc['Title'])) $info[$lang_picinfo['iptcTitle']] = trim($iptc['Title']);
        if (isset($iptc['Copyright'])) $info[$lang_picinfo['iptcCopyright']] = trim($iptc['Copyright']);
        if (isset($iptc['Keywords'])) $info[$lang_picinfo['iptcKeywords']] = trim(implode(" ",$iptc['Keywords']));
        if (isset($iptc['Category'])) $info[$lang_picinfo['iptcCategory']] = trim($iptc['Category']);
        if (isset($iptc['SubCategories'])) $info[$lang_picinfo['iptcSubCategories']] = trim(implode(" ",$iptc['SubCategories']));
    }

Find the lines that reference "implode", change the "isset" to "!empty" at the beginning to fix the error you are seeing. I did that for mine and it resolved that error message.
Logged
Walter Rowe
Music, Travel, Outdoor, Nature and Wildlife Photography

Absoblogginlutely

  • Coppermine newbie
  • Offline Offline
  • Posts: 16
    • http://absoblogginlutely.net/gallery
Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
« Reply #29 on: September 05, 2005, 08:54:10 pm »

Is there an announcement mailing list that is available so that I can be warned that there are problems like this rather than finding it out because I happened to see a post on another website? Either an email list or a rss feed would be great. The Rss feed on sourceforge for announcements doesn't mention this security hole.
Logged

Nibbler

  • Guest
Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
« Reply #30 on: September 05, 2005, 08:59:35 pm »

You can subscribe to the announcements thread if you go here and then click 'notify'.
Logged

stilgar

  • Contributor
  • Coppermine newbie
  • ***
  • Offline Offline
  • Gender: Male
  • Posts: 12
    • Stilglog
Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
« Reply #31 on: September 05, 2005, 11:24:36 pm »

Hi ! You should probably mention the version change to 1.3.4 in the Changelog. Would have saved me 20 min diffing  1.3.3 and 1.3.4... 
 
edit:
 that sounded a bit harsh maybe. I realize you have better things to do than work on 1.3. Thanks for the great work and all the info on the forum!
« Last Edit: September 06, 2005, 01:59:52 am by stilgar »
Logged

Rickshaw Driver

  • Coppermine newbie
  • Offline Offline
  • Posts: 1
Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
« Reply #32 on: September 06, 2005, 11:46:20 pm »

Quote
In this block of code:

Code: [Select]
    if (isset($iptc) && is_array($iptc)) {
        if (isset($iptc['Title'])) $info[$lang_picinfo['iptcTitle']] = trim($iptc['Title']);
        if (isset($iptc['Copyright'])) $info[$lang_picinfo['iptcCopyright']] = trim($iptc['Copyright']);
        if (isset($iptc['Keywords'])) $info[$lang_picinfo['iptcKeywords']] = trim(implode(" ",$iptc['Keywords']));
        if (isset($iptc['Category'])) $info[$lang_picinfo['iptcCategory']] = trim($iptc['Category']);
        if (isset($iptc['SubCategories'])) $info[$lang_picinfo['iptcSubCategories']] = trim(implode(" ",$iptc['SubCategories']));
    }

Find the lines that reference "implode", change the "isset" to "!empty" at the beginning to fix the error you are seeing. I did that for mine and it resolved that error message.

Thanks, this fix worked.  Can someone from the dev team confirm that this fix is safe to use?  I am not a programmer and don't know what this actually does to the code.  Thank you.
Logged

DJMaze

  • VIP
  • Coppermine addict
  • ***
  • Offline Offline
  • Posts: 831
    • Dragonfly CMS
Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
« Reply #33 on: September 10, 2005, 04:45:44 pm »

To fix the issues with arrays use
Code: [Select]
if (isset($iptc) && is_array($iptc)) {
if (isset($iptc['Title'])) $info[IPTCTITLE] = strip_tags(trim($iptc['Title'],"\x0..\x1f"));
if (isset($iptc['Copyright'])) $info[IPTCCOPYRIGHT] = strip_tags(trim($iptc['Copyright'],"\x0..\x1f"));
if (!empty($iptc['Keywords'])) $info[IPTCKEYWORDS] = strip_tags(trim(implode(' ',$iptc['Keywords']),"\x0..\x1f"));
if (isset($iptc['Category'])) $info[IPTCCATEGORY] = strip_tags(trim($iptc['Category'],"\x0..\x1f"));
if (!empty($iptc['SubCategories'])) $info[IPTCSUBCATEGORIES] = strip_tags(trim(implode(' ',$iptc['SubCategories']),"\x0..\x1f"));
}
This way you don't run the 'one level' foreach() on the array
Logged
There are 2 kinds of users in this world: satisfied and complainers.
Why do we never hear something from the satisfied users?
http://coppermine-gallery.net/forum/index.php?topic=24315.0

judyksp

  • Coppermine newbie
  • Offline Offline
  • Posts: 6
Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
« Reply #34 on: September 11, 2005, 07:31:50 am »

I have version 1.3.3 from Fantastico.  Fantastico was provided by my webhost (Voda Host).   I upgraded coppermine using the txt file you provided and renamed it.

Since the upgrade I can no longer go into my website for coppermine.  It says MySQL too many connection error.  What is wrong?

Judy
Logged

artistsinhawaii

  • VIP
  • Coppermine addict
  • ***
  • Country: us
  • Offline Offline
  • Gender: Male
  • Posts: 856
    • evj art and photography
Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
« Reply #35 on: September 11, 2005, 12:29:53 pm »

judy,

That error message has nothing to do with Coppermine and everything to do with your server.  These are usually temporary problems that will go away, it's just the number of connections to your host/server's MySQL server is greater than the number allowed.  If it happens too frequently, ask your hosting service about it.

Dennis
Logged
Learn and live ... In January of 2011, after a botched stent attempt, the doctors told me I needed a multiple bypass surgery or I could die.  I told them I needed new doctors.

eskan

  • Coppermine newbie
  • Offline Offline
  • Posts: 1
Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
« Reply #36 on: September 12, 2005, 06:30:24 pm »

I have a problem, I just upgraded the cpg but the vulnerability is still working, or maybe it is another.. don't know, well you can see the web http://www.canalgogo.com/ and the XSS http://www.canalgogo.com/displayimage.php?album=5%20&pos=3%22%3Eblablabla%3C/h1%3E

Have I really updated? Or is it another bug?
Thanks for answering
Logged

Aditya Mooley

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 781
    • My Sweet Home
Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
« Reply #37 on: September 13, 2005, 07:35:29 am »

Yes, at first glance, the language selector has a potential for XSS, at least in the 1.3.x version of CPG.
The problem seems to have been solved in 1.4.x

Immediate recommendation is, do not use language selectors.
We will investigate further and post the fix if necessary.
« Last Edit: September 13, 2005, 07:42:27 am by Aditya Mooley »
Logged
--- "Its Nice 2 BE Important but its more Important 2 Be NICE" ---
Follow Coppermine on Twitter

kkerr

  • Coppermine newbie
  • Offline Offline
  • Posts: 2
Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
« Reply #38 on: September 17, 2005, 02:44:07 am »

Hello, I upgraded my original CPG 1.33 to the CPG 1.34 version available "with the fix" written into it. performed the update.php etc

Initially 
Warning: implode(): Bad arguments. in /var/www/cpg133/displayimage.php on line 334
Warning: implode(): Bad arguments. in /var/www/cpg133/displayimage.php on line 336

So I then renamed and replaced the displayimage.php in hopes it would help, this changed the error to:

Warning: implode(): Bad arguments. in /var/www/cpg133/displayimage.php on line 338

Thus, your suggestions are welcome.
Logged

kkerr

  • Coppermine newbie
  • Offline Offline
  • Posts: 2
Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
« Reply #39 on: September 17, 2005, 02:47:32 am »

If it helps, here is the current related code I am using:


 if (isset($iptc) && is_array($iptc)) {
        //Sanitize the data - to fix the XSS vulnerability - Aditya
        foreach ($iptc as $key=>$data) {
          $iptc[$key] = htmlentities(strip_tags(trim($data,"\x7f..\xff\x0..\x1f")),ENT_QUOTES); //sanitize data against sql/html injection; trim any nongraphical non-ASCII character:
        }
        if (isset($iptc['Title'])) $info[$lang_picinfo['iptcTitle']] = trim($iptc['Title']);
        if (isset($iptc['Copyright'])) $info[$lang_picinfo['iptcCopyright']] = trim($iptc['Copyright']);
        if (!empty($iptc['Keywords'])) $info[$lang_picinfo['iptcKeywords']] = trim(implode(" ",$iptc['Keywords']));
        if (isset($iptc['Category'])) $info[$lang_picinfo['iptcCategory']] = trim($iptc['Category']);
        if (!empty($iptc['SubCategories'])) $info[$lang_picinfo['iptcSubCategories']] = trim(implode(" ",$iptc['SubCategories']));
    }
Logged
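
As DJMaze's reply notes, the one-level foreach() in the fix is what trips over array fields such as Keywords and SubCategories. The following is an added example, not code from the thread or from the Coppermine distribution, showing one way to sanitize string and array IPTC fields alike so the later implode() still receives an array; `sanitize_iptc`, `build_iptc_info`, `$labels` (standing in for `$lang_picinfo`) and the sample `$iptc` data are assumptions made for illustration.

```php
<?php
// Added example: sanitize IPTC metadata whether a field is a string or an array.

function sanitize_iptc($value)
{
    if (is_array($value)) {
        // Keywords / SubCategories arrive as arrays: clean each element
        // and keep the array shape so a later implode() still works.
        return array_map('sanitize_iptc', $value);
    }
    // Scalars: trim control characters from both ends, drop tags,
    // then encode what is left for output into HTML.
    $clean = strip_tags(trim((string) $value, "\x00..\x1f"));
    return htmlentities($clean, ENT_QUOTES, 'UTF-8');
}

function build_iptc_info(array $iptc, array $labels)
{
    $iptc = array_map('sanitize_iptc', $iptc);
    $info = array();
    foreach ($labels as $field => $label) {
        // Skip fields that are missing, empty strings or empty arrays.
        if (!isset($iptc[$field]) || $iptc[$field] === '' || $iptc[$field] === array()) {
            continue;
        }
        $value = $iptc[$field];
        $info[$label] = is_array($value) ? implode(' ', $value) : $value;
    }
    return $info;
}

// Constructed sample input: markup in a string field and inside an array field.
$iptc = array(
    'Title'         => "Sunset <script>alert(1)</script>\x00",
    'Copyright'     => 'A "quoted" & signed name',
    'Keywords'      => array('beach', '<b>sea</b>'),
    'SubCategories' => array(),
);
// Hypothetical display labels; the real ones come from $lang_picinfo.
$labels = array(
    'Title'         => 'IPTC Title',
    'Copyright'     => 'IPTC Copyright',
    'Keywords'      => 'IPTC Keywords',
    'SubCategories' => 'IPTC Sub Categories',
);

print_r(build_iptc_info($iptc, $labels));
```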