News:

cpg1.5.44 Security release - upgrade mandatory!
The Coppermine development team is releasing a security update for Coppermine in order to counter recently discovered vulnerabilities. It is important that all users who run version cpg1.5.42 or older update to this latest version as soon as possible.

Author Topic: Maintenance release CPG1.4.6 protects against Apache's .rar vulnerability  (Read 95805 times)


Joachim Müller

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline
  • Gender: Male
  • Posts: 47844
  • aka "GauGau"
    • gaugau.de

The Coppermine dev team announces the release of cpg1.4.6.
The new release does not contain new features (compared to previous versions of cpg1.4.x), but contains fixes for several minor issues. It takes care as well of the ".rar"-exploit (that actually isn't a Coppermine bug, but a badly implemented feature of the Apache webserver that needed fixing). All Coppermine users are strongly encouraged to upgrade their coppermine version as soon as possible. Upgrade instructions are included in the package (refer to the index file inside the docs folder).

The new package contains all language files that existed up till now (compared to cpg1.4.5, a few new language files have been added).

Get the new release cpg1.4.6 here: http://prdownloads.sourceforge.net/coppermine/cpg1.4.6.zip?download

As suggested above, cpg1.4.6 does not only fix the .rar vulnerability, but several other (minor) issues as well, so everyone should upgrade as suggested. However, if you have a heavily-modified version of coppermine running on your server and can't do the full update, you should at least apply the fix for the ".rar-exploit". To do so, edit include/functions.inc.php with a plain-text editor, find
Code:
function replace_forbidden($str)
{
  static $forbidden_chars;
  if (!is_array($forbidden_chars)) {
    global $CONFIG, $mb_utf8_regex;
    if (function_exists('html_entity_decode')) {
      $chars = html_entity_decode($CONFIG['forbiden_fname_char'], ENT_QUOTES, 'UTF-8');
    } else {
      $chars = str_replace(array('&amp;', '&quot;', '&lt;', '&gt;', '&nbsp;', '&#39;'), array('&', '"', '<', '>', ' ', "'"), $CONFIG['forbiden_fname_char']);
    }
    preg_match_all("#$mb_utf8_regex".'|[\x00-\x7F]#', $chars, $forbidden_chars);
  }
  /**
   * $str may also come from $_POST, in this case, all &, ", etc will get replaced with entities.
   * Replace them back to normal chars so that the str_replace below can work.
   */
  $str = str_replace(array('&amp;', '&quot;', '&lt;', '&gt;'), array('&', '"', '<', '>'), $str);;

  return str_replace($forbidden_chars[0], '_', $str);
}
and replace with
Code:
function replace_forbidden($str)
{
  static $forbidden_chars;
  if (!is_array($forbidden_chars)) {
    global $CONFIG, $mb_utf8_regex;
    if (function_exists('html_entity_decode')) {
      $chars = html_entity_decode($CONFIG['forbiden_fname_char'], ENT_QUOTES, 'UTF-8');
    } else {
      $chars = str_replace(array('&amp;', '&quot;', '&lt;', '&gt;', '&nbsp;', '&#39;'), array('&', '"', '<', '>', ' ', "'"), $CONFIG['forbiden_fname_char']);
    }
    preg_match_all("#$mb_utf8_regex".'|[\x00-\x7F]#', $chars, $forbidden_chars);
  }
  /**
   * $str may also come from $_POST, in this case, all &, ", etc will get replaced with entities.
   * Replace them back to normal chars so that the str_replace below can work.
   */
  $str = str_replace(array('&amp;', '&quot;', '&lt;', '&gt;'), array('&', '"', '<', '>'), $str);;
  $return = str_replace($forbidden_chars[0], '_', $str);

  /**
  * Fix the obscure, misdocumented "feature" in Apache that causes the server
  * to process the last "valid" extension in the filename (rar exploit): replace all
  * dots in the filename except the last one with an underscore.
  */
  // This could be concatenated into a more efficient string later, keeping it in three
  // lines for better readability for now.
  $extension = ltrim(substr($return,strrpos($return,'.')),'.');
  $filenameWithoutExtension = str_replace('.' . $extension, '', $return);
  $return = str_replace('.', '_', $filenameWithoutExtension) . '.' . $extension;

  return $return;
}

The maintenance release cpg1.4.6 of course contains all previous fixes of the 1.4-series as well as several minor issues that have been reported on the bugs board. Please review the changelog that comes with the package for details.

Please do not clutter this announcement thread with individual support requests or similar, only replies that deal with the actual release are allowed - all unrelated replies will be deleted without further notice.
If you have issues with upgrading your coppermine install, post on the cpg1.4.x upgrading sub-board (after having read the docs and after having searched the board).

Joachim
- Coppermine project manager -
« Last Edit: May 19, 2006, 09:42:58 PM by GauGau »
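The announcement above describes the Apache behaviour in one sentence and gives the PHP hotfix. What follows is an added example, not Coppermine's code and not from the original post: a small Python model (Python rather than PHP so it runs stand-alone) of how mod_mime picks a handler from every dot-separated segment of a filename, a literal port of the three hotfix lines so their output on a name without any dot can be seen, and a variant that leaves such names alone. The HANDLERS table is an assumed illustration of what AddHandler/AddType directives produce, not a real server's configuration.

```python
"""Added example (not Coppermine code): why Apache runs evil.php.rar and
how the cpg1.4.6 hotfix neutralises such a name.

Assumption: HANDLERS is an illustrative "extension -> handler" table standing
in for an AddHandler/AddType configuration, not a real server's mod_mime state.
"""
from typing import Optional

# Assumed mapping as mod_mime would build it from AddHandler / AddType.
# Only these extensions are "known"; anything else (e.g. "rar") is ignored.
HANDLERS = {
    "php": "application/x-httpd-php",
    "cgi": "cgi-script",
    "pl": "cgi-script",
}


def apache_handler_for(filename: str) -> Optional[str]:
    """Model of mod_mime handler selection.

    Every dot-separated segment after the first is treated as an extension;
    segments with no mapping are skipped and, among mapped ones, the
    right-most wins.  That is why 'shell.php.rar' is handed to PHP: '.rar'
    carries no meaning to Apache, '.php' does.
    """
    chosen = None
    for segment in filename.split(".")[1:]:
        handler = HANDLERS.get(segment.lower())
        if handler is not None:
            chosen = handler
    return chosen


def hotfix_as_posted(name: str) -> str:
    """Literal port of the three hotfix lines from the announcement.

    Kept faithful, including PHP's substr($s, false) == substr($s, 0)
    behaviour when strrpos() finds no dot, so the result on a dotless
    name is visible: 'README' becomes 'README.README'.
    """
    pos = name.rfind(".")
    extension = name[pos if pos != -1 else 0:].lstrip(".")
    without_extension = name.replace("." + extension, "")
    return without_extension.replace(".", "_") + "." + extension


def neutralise_extensions(name: str) -> str:
    """Same idea as the hotfix, with the dotless case handled.

    Keeps only the final dot; every earlier dot becomes an underscore, so no
    segment before the last can match a handler.  A name with no dot (or
    only a leading dot) is returned unchanged instead of being doubled.
    """
    head, sep, ext = name.rpartition(".")
    if not sep or not head:
        return name
    return head.replace(".", "_") + "." + ext


if __name__ == "__main__":
    for n in ("shell.php.rar", "photo.jpg", "README", "a.rar.b.rar"):
        print(n, "->", apache_handler_for(n), "|", neutralise_extensions(n))
```

The check worth keeping is the last one: after sanitising, `apache_handler_for()` must return nothing for the stored name, whatever the original upload was called. Note that the hotfix drops every occurrence of the final extension, not just the last, so `a.rar.b.rar` becomes `a_b.rar` under the posted code and `a_rar_b.rar` under the variant; both are harmless to Apache, but only the variant preserves the name.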

Joachim Müller

This might not be obvious to everybody: the maintenance release and hotfix will not cure infected webspace (i.e. pages that have fallen victim to the xxx.php.rar exploit). It will only keep sites that haven't been hit by the attack so far from being vulnerable.
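The caveat above (the hotfix protects new uploads but does nothing about files an attacker already placed) is the kind of thing a sweep over the webspace answers. The following is an added example, not part of the post and not Coppermine code: a Python scanner over an upload tree that flags files whose name carries a script extension in any position, and files whose content starts like a script regardless of what the name says. The directory layout and file contents it builds are constructed sample data, not anything observed on a real site, and the extension list and magic-byte prefixes are assumptions for the demo.

```python
"""Added example (not Coppermine code): find already-uploaded script files
in an album tree, by name and by content.

Assumptions: SCRIPT_EXTS and SCRIPT_MAGIC are illustrative lists; the
fixture written by build_fixture() is constructed sample data.
"""
import os
import tempfile
from typing import List, Tuple

SCRIPT_EXTS = {"php", "php3", "php4", "php5", "phtml", "cgi", "pl", "py", "sh", "shtml"}
SCRIPT_MAGIC = (b"<?php", b"<?", b"#!")


def name_is_suspicious(filename: str) -> bool:
    """True if any segment after the first is a script extension.

    Checks every segment, not only the last, because Apache's mod_mime
    does the same ('c99.php.rar' is just as bad as 'c99.php').
    """
    segments = filename.lower().split(".")[1:]
    return any(seg in SCRIPT_EXTS for seg in segments)


def content_is_script(path: str) -> bool:
    """True if the file begins like PHP or a shell/CGI script.

    Catches the other half of the problem: a file called 'thumb.jpg' whose
    bytes are '<?php ...' will still run if it is ever included or if the
    handler configuration is loosened later.
    """
    with open(path, "rb") as fh:
        head = fh.read(64).lstrip(b"\xef\xbb\xbf \t\r\n")  # drop BOM / whitespace
    return head.startswith(SCRIPT_MAGIC)


def scan_uploads(root: str) -> List[Tuple[str, str]]:
    """Walk root and return (relative path, reason) for each finding, sorted."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            reasons = []
            if name_is_suspicious(fn):
                reasons.append("script extension in name")
            if content_is_script(full):
                reasons.append("script content")
            if reasons:
                findings.append((rel, "; ".join(reasons)))
    return sorted(findings)


def build_fixture(root: str) -> List[str]:
    """Write a constructed sample album tree (not real data) under root."""
    samples = {
        "albums/userpics/10001/holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",
        "albums/userpics/10001/c99.php.rar": b"<?php eval($_POST['x']); ?>",
        "albums/edit/thumb.jpg": b"<?php system($_GET['c']); ?>",
        "albums/userpics/10002/readme.txt": b"just text",
    }
    for rel, data in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return sorted(samples)


def demo() -> List[Tuple[str, str]]:
    """Build the fixture in a temp dir, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_fixture(root)
        return scan_uploads(root)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

Run it against a real albums directory by calling `scan_uploads("/path/to/albums")`; a match is a reason to look at the file and at the access log, not proof of compromise by itself (an innocent `notes.php.txt` will also be listed).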

Joachim Müller

I removed a reply to this thread for the same reason I posted in my edit at the top of "Patch file from 1.4.4 to 1.4.5 for modified by MODs sites". Start a thread of your own, and don't make your reply stand out unnecessarily. The method described in your posting is not meant for everybody, only for very advanced users. Those advanced users should be capable of following your instructions in the thread mentioned above.

pacimir

  • Coppermine novice
  • *
  • Offline
  • Posts: 34

What about 1.3.5 ?
Is there fix for it ?

Joachim Müller

Yes: the fix is to upgrade. If you don't want to/can't, then apply the suggested hotfix. Don't ask cpg1.3.x-related questions on a thread that deals with the announcement of another version.

birddog

  • Coppermine novice
  • *
  • Offline
  • Posts: 32
    • DankSite.Com

Thank you GauGau for the update.
« Last Edit: June 12, 2006, 07:39:18 AM by birddog »

jon_miner

  • Coppermine newbie
  • Offline
  • Posts: 3

Yes: the fix is to upgrade. If you don't want to/can't, then apply the suggested hotfix. Don't ask cpg1.3.x-related questions on a thread that deals with the announcement of another version.

1. Don't be an ass when someone asks a question.  This thread is not only about the 1.4.6 version, it's also about protecting against the .rar vulnerability.
2. The "hotfix" doesn't apply to 1.3.x, is there a "hotfix" for 1.3.x, or are we all just left out to dry?

jon

Paver

  • Dev Team member
  • Coppermine addict
  • ****
  • Country: us
  • Offline
  • Gender: Male
  • Posts: 1608
  • Paul Van Rompay

1. Don't be an ass when someone asks a question.  This thread is not only about the 1.4.6 version, it's also about protecting against the .rar vulnerability.
2. The "hotfix" doesn't apply to 1.3.x, is there a "hotfix" for 1.3.x, or are we all just left out to dry?

Let's try some understanding.  I think it's clear from Joachim's post that he assumed the hotfix works for 1.3.x.  This is a mistaken assumption, but that's all it is: a mistake.

So let's move on and address your report that the hotfix is not applicable to 1.3.x since there is no function replace_forbidden().  I am looking into writing a hotfix now.  It will be slightly more complicated than the 1.4.x fix.  We need to move this discussion to the cpg1.3 board.  I don't think there's a thread over there now.  I'll post once I have written the hotfix with a link here.

edit: Instead of "now", let's say "today or tomorrow".  There are about a dozen or so forbidden-character replacements in 5 scripts for 1.3.5.  Now I see why a separate function is useful.  I'm thinking adding the function and then replacing those 5 references to function calls is probably the best way to go (and easiest to write up as a hotfix).
« Last Edit: June 10, 2006, 03:01:44 AM by Paver »

Joachim Müller

The "hotfix" doesn't apply to 1.3.x, is there a "hotfix" for 1.3.x, or are we all just left out to dry?
As Paver suggested: there apparently is no hotfix for cpg1.3.x available yet. I'm glad he volunteered to come up with one.
Please keep in mind though that support for cpg1.3.x is running out pretty soon. All who run cpg1.3.x should seriously consider upgrading now.
I find it rude though to reply with cpg1.3.x issues on a thread that is clearly labelled cpg1.4.x-only, with a clear statement in the initial announcement not to post unrelated things, as you're making this thread useless for the users it was intended for (the vast majority of coppermine users is already running cpg1.4.x).

Paver

The HOTFIX for Coppermine 1.3.x is available here:
http://forum.coppermine-gallery.net/index.php?topic=32537.0

If you have any questions at all, support or otherwise, reply to that post, *not* here.

Xerom

  • Coppermine newbie
  • Offline
  • Posts: 2
« Reply #10 on: November 06, 2009, 06:06:12 AM »

This has been fixed by coppermine, however if you want to know how to deny execution of scripts in any folder, you can create a .htaccess file and place it into the folder then add the following to it:

RemoveHandler cgi-script .pl .py .jsp .asp .htm .shtml .sh .cgi .php
RemoveHandler php5-script .php

Instead of executing the script, it just displays the script code as text in the browser.

As a precaution I placed this in /albums/userpics/.htaccess and /albums/edit/.htaccess; it seems to have solved my problem and given me peace of mind.