forum.coppermine-gallery.net

No Support => Announcements => Topic started by: Joachim Müller on August 19, 2005, 08:37:27 am

Title: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
Post by: Joachim Müller on August 19, 2005, 08:37:27 am
An XSS vulnerability has been found in EXIF data. As Coppermine is capable of displaying EXIF data, everybody who runs coppermine (any version) will have to apply this security fix as soon as possible:
I will package up a new stable release (cpg1.3.4) that will be available soon. It will contain the fix discussed in this thread.
[edit GauGau]
New package released: a brand new package cpg1.3.4 has been released that contains the above mentioned fix. - Download cpg1.3.4 (http://prdownloads.sourceforge.net/coppermine/cpg1.3.4.zip?download)
[/edit]

Joachim

[edit]
Fixed the bug described below, uploaded new file and changed the instructions above accordingly. - Aditya
[/edit]

Title: Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
Post by: pirx on August 19, 2005, 11:02:40 am
Hi,

I replaced displayimage.php with the attached version. Now I get the following error messages:

Warning: implode(): Bad arguments. in /var/www/cpg133/displayimage.php on line 334
Warning: implode(): Bad arguments. in /var/www/cpg133/displayimage.php on line 336

Ralf
Title: Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
Post by: Tarique Sani on August 19, 2005, 11:39:47 am
Had you enabled IPTC info before applying the above file - the line numbers you are saying are not the ones that were changed

[edit]
Yes - you are right bug is a side effect of the security fix :(
[/edit]
Title: Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
Post by: pirx on August 19, 2005, 12:43:25 pm
Hi,

the new displayimage.php fixed the problem. Thank you!

Ralf
Title: Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
Post by: stock on August 19, 2005, 12:56:30 pm
Just wanted to check you mean the yellow band that kept coming up with pic info on it? I did wonder and was going to ask, but now this seems to have cured it thanks.

Stock
Title: Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
Post by: vuud on August 21, 2005, 07:56:45 pm

Hi,

First off thanks for the work in releasing a security fix!

Second, how does it affect the beta 1.4?

Thanks

Vuud
Title: Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
Post by: kegobeer on August 21, 2005, 09:32:36 pm
Grab the latest files from the CVS and you'll be good to go.
Title: Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
Post by: vuud on August 21, 2005, 09:40:55 pm
Quote
Grab the latest files from the CVS and you'll be good to go.

Okay! 

Thanks
Title: Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
Post by: TranzNDance on August 21, 2005, 10:30:11 pm
If someone does not allow other people to upload files, would this keep the gallery from being vulnerable to this?
Title: Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
Post by: autumn_whispers2me on August 22, 2005, 12:21:46 am
I'm running XP and am used to 2000 prof.  XP doesn't seem to allow extension changes, so how would I change the file from .txt to .php ?  Thanks.  :)
Title: Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
Post by: kegobeer on August 22, 2005, 12:35:25 am
Tools - folder options - view - hide extensions for known file types.  Rename away.
Title: Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
Post by: Joachim Müller on August 22, 2005, 07:51:51 am
I have just released the new package cpg1.3.4 that contains above mentioned fix - see the very first posting in this thread.
Title: Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
Post by: maolu on August 22, 2005, 12:42:52 pm
[edit GauGau]
New package released: a brand new package cpg1.3.4 has been released that contains the above mentioned fix. - Download cpg1.3.4 (http://prdownloads.sourceforge.net/coppermine/cpg1.3.4.zip?download)
[/edit]

Every time I visit my coppermine gallery a Microsoft Outlook Installer takes place and I cannot understand the reason why, but it really seems some kind of malware.
I tested on several machines and since this thing started this morning (Italian time) I suppose it's related to this bug, but even if I upload the new coppermine version (1.3.4) the problem still remains.

I have to say the problem appears ONLY in Coppermine's pages and you can find it here (if you dare...) www.maolu.it/gallery

Could this be related to the XSS vulnerability?

A kind thanks for your work
Title: Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
Post by: maolu on August 22, 2005, 12:43:39 pm
OK solved...

I wasn't able to see the changes 'cause of my workplace's proxy.

Excuse me everybody
 :-[
Title: Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
Post by: canelli on August 22, 2005, 04:23:04 pm
Quote
Every time I visit my coppermine gallery a Microsoft Outlook Installer takes place and I cannot understand the reason why, but it really seems some kind of malware

I'm visiting your gallery and no strange action takes place.  You are not using EXIF data in your picture, so your problems are not related to this bug.  Check your PC, clear the browser cache, and try again

claudio
Title: Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
Post by: Joachim Müller on August 22, 2005, 05:59:23 pm
maolu has already resolved the issues he/she experienced: it wasn't coppermine acting up, but improper proxy settings. The whole issue is not related to the XSS vulnerability nor the fix, so I'm marking the postings that deal with it as "invalid".

@all: please do only reply to announcement threads like this one if you have something to say that everyone could benefit from (e.g. a broken link or similar). Individual issues you might consider to be related to XSS vulnerabilities should not go into this thread - start a new thread instead on the support board. Help us to keep announcement threads clean and focused on the issues they deal with. If announcement threads drift too much or contain irrelevant information, other users might miss important stuff because of the "background noise". We had to lock most announcement threads soon after they were started because people replied with irrelevant issues. Try not to mess with this thread as well, it'd be a pity if we had to lock it as we had to in the past.
Title: Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
Post by: odie3 on August 22, 2005, 07:33:26 pm
Question:

This file [displayimage.php] makes a Coppermine install 1.3.3 into 1.3.4?  Or should 1.3.3 users download 1.3.4 release and upgrade?  I hope this reply is okay in this thread, if not sorry.
Title: Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
Post by: Joachim Müller on August 22, 2005, 07:59:17 pm
  • users running cpg1.3.3 should download the file attached, rename it from "displayimage.txt" to "displayimage.php" and upload it to their webserver into the coppermine root folder, replacing the existing file on the server.
Title: Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
Post by: odie3 on August 22, 2005, 08:02:05 pm
Yes I read that but I guess what I really wanted to know if I should update my Coppermine to version 1.3.4 [which I assume is stored in the DB].
Title: Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
Post by: Nibbler on August 22, 2005, 08:23:35 pm
You don't need to do anything with your database. The version number is stored in include/init.inc.php
Title: Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
Post by: MerNion on August 23, 2005, 10:49:48 am
  • users running cpg1.3.3 should download the file attached, rename it from "displayimage.txt" to "displayimage.php" and upload it to their webserver into the coppermine root folder, replacing the existing file on the server.
Some of us have heavily modified the viewimage.php file to meet our needs. If we just make the changes you mentioned (find/replace), would that be ok to fix the problem?
Title: Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
Post by: Joachim Müller on August 23, 2005, 10:52:24 am
viewimage.php: there's no such file in the coppermine distribution afaik, but if you're referring to displayimage.php: yes, it's safe to just do the suggested changes in the code - that's why we posted them.
Title: Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
Post by: Makc666 on August 24, 2005, 12:14:03 am
1. Difference between 1.3.3 and 1.3.4 is only that fix??

2. I checked displayimage.php from 1.3.3 archive downloaded from this site and there is no such block of code as:
Code:
    if (isset($iptc) && is_array($iptc)) {
        if (isset($iptc['Title'])) $info[$lang_picinfo['iptcTitle']] = trim($iptc['Title']);
        if (isset($iptc['Copyright'])) $info[$lang_picinfo['iptcCopyright']] = trim($iptc['Copyright']);
        if (!empty($iptc['Keywords'])) $info[$lang_picinfo['iptcKeywords']] = trim(implode(" ",$iptc['Keywords']));
        if (isset($iptc['Category'])) $info[$lang_picinfo['iptcCategory']] = trim($iptc['Category']);
        if (!empty($iptc['SubCategories'])) $info[$lang_picinfo['iptcSubCategories']] = trim(implode(" ",$iptc['SubCategories']));
    }

There is block of code:
Code:
    if (isset($iptc) && is_array($iptc)) {
        if (isset($iptc['Title'])) $info[$lang_picinfo['iptcTitle']] = trim($iptc['Title']);
        if (isset($iptc['Copyright'])) $info[$lang_picinfo['iptcCopyright']] = trim($iptc['Copyright']);
        if (isset($iptc['Keywords'])) $info[$lang_picinfo['iptcKeywords']] = trim(implode(" ",$iptc['Keywords']));
        if (isset($iptc['Category'])) $info[$lang_picinfo['iptcCategory']] = trim($iptc['Category']);
        if (isset($iptc['SubCategories'])) $info[$lang_picinfo['iptcSubCategories']] = trim(implode(" ",$iptc['SubCategories']));
    }

I think that you made a mistake in your first post...
Title: Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
Post by: Joachim Müller on August 24, 2005, 10:36:08 am
Quote
1. Difference between 1.3.3 and 1.3.4 is only that fix??
No, minor changes and fixes are made all the time in the cvs. When a new package gets released, those fixes go into the package as well. None of the other fixes are security-related, so I didn't post them. The security fix is not the only difference between cpg1.3.3 and cpg1.3.4

Quote
I think that you made a mistake in your first post...
I won't comment this, maybe the dev who took care of the fix wants to. In fact, the lines do the same, there is only a cosmetical issue.

Joachim
Title: Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
Post by: Tarique Sani on August 24, 2005, 12:31:19 pm
He He!
@Makc666 - I wouldn't bother about the change between the two code blocks ;)
Title: Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
Post by: ramppi on August 25, 2005, 10:23:42 am
Some error, when replacing those two 'pieces' of code (first post)

Quote
Parse error: parse error, unexpected T_STRING in /home/XXXXXX/public_html/galleria/displayimage.php on line 310

310 is that Aditya-line

regards
Matti
Title: Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
Post by: Aditya Mooley on August 25, 2005, 11:55:50 am
You must have missed a / from that line. Make sure that there are two forward slashes (//) at the beginning of the line.
Title: Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
Post by: ramppi on August 25, 2005, 05:36:05 pm
Aditya,

I had both '/' but it was something to do with 'spaces'. I copy/pasted the code snippet from forum. And then it gave those string errors.
After tabulating it once more (taking off the 'white space' + adding it by tab) line after line the string error moved line by line also (310,311..) ... and corrected.
(problem was only in the first snippet). Funny, cause when looking, you can't see any difference. But so it went.

Thank You for Your time Aditya

Matti
Title: Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
Post by: wprowe on August 25, 2005, 08:30:06 pm
In this block of code:

Code:
    if (isset($iptc) && is_array($iptc)) {
        if (isset($iptc['Title'])) $info[$lang_picinfo['iptcTitle']] = trim($iptc['Title']);
        if (isset($iptc['Copyright'])) $info[$lang_picinfo['iptcCopyright']] = trim($iptc['Copyright']);
        if (isset($iptc['Keywords'])) $info[$lang_picinfo['iptcKeywords']] = trim(implode(" ",$iptc['Keywords']));
        if (isset($iptc['Category'])) $info[$lang_picinfo['iptcCategory']] = trim($iptc['Category']);
        if (isset($iptc['SubCategories'])) $info[$lang_picinfo['iptcSubCategories']] = trim(implode(" ",$iptc['SubCategories']));
    }

Find the lines that reference "implode", change the "isset" to "!empty" at the beginning to fix the error you are seeing. I did that for mine and it resolved that error message.
Title: Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
Post by: Absoblogginlutely on September 05, 2005, 08:54:10 pm
Is there an announcement mailing list that is available so that I can be warned that there are problems like this rather than finding it out because I happened to see a post on another website? Either an email list or a rss feed would be great. The Rss feed on sourceforge for announcements doesn't mention this security hole.
Title: Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
Post by: Nibbler on September 05, 2005, 08:59:35 pm
You can subscribe to the announcements thread if you go to here (http://forum.coppermine-gallery.net/index.php?board=58.0) and then click 'notify'.
Title: Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
Post by: stilgar on September 05, 2005, 11:24:36 pm
Hi ! You should probably mention the version change to 1.3.4 in the Changelog. Would have saved me 20 min diffing  1.3.3 and 1.3.4... 
 
edit:
 that sounded a bit harsh maybe. I realize you have better things to do than work on 1.3 . Thanks for the great work and all the info on the forum!
Title: Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
Post by: Rickshaw Driver on September 06, 2005, 11:46:20 pm
In this block of code:

Code:
    if (isset($iptc) && is_array($iptc)) {
        if (isset($iptc['Title'])) $info[$lang_picinfo['iptcTitle']] = trim($iptc['Title']);
        if (isset($iptc['Copyright'])) $info[$lang_picinfo['iptcCopyright']] = trim($iptc['Copyright']);
        if (isset($iptc['Keywords'])) $info[$lang_picinfo['iptcKeywords']] = trim(implode(" ",$iptc['Keywords']));
        if (isset($iptc['Category'])) $info[$lang_picinfo['iptcCategory']] = trim($iptc['Category']);
        if (isset($iptc['SubCategories'])) $info[$lang_picinfo['iptcSubCategories']] = trim(implode(" ",$iptc['SubCategories']));
    }

Find the lines that reference "implode", change the "isset" to "!empty" at the beginning to fix the error you are seeing. I did that for mine and it resolved that error message.

Thanks, this fix worked.  Can someone from the dev team confirm that this fix is safe to use?  I am not a programmer and don't know what this actually does to the code.  Thank you.
Title: Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
Post by: DJMaze on September 10, 2005, 04:45:44 pm
To fix the issues with arrays use
Code:
if (isset($iptc) && is_array($iptc)) {
if (isset($iptc['Title'])) $info[IPTCTITLE] = strip_tags(trim($iptc['Title'],"\x0..\x1f"));
if (isset($iptc['Copyright'])) $info[IPTCCOPYRIGHT] = strip_tags(trim($iptc['Copyright'],"\x0..\x1f"));
if (!empty($iptc['Keywords'])) $info[IPTCKEYWORDS] = strip_tags(trim(implode(' ',$iptc['Keywords']),"\x0..\x1f"));
if (isset($iptc['Category'])) $info[IPTCCATEGORY] = strip_tags(trim($iptc['Category'],"\x0..\x1f"));
if (!empty($iptc['SubCategories'])) $info[IPTCSUBCATEGORIES] = strip_tags(trim(implode(' ',$iptc['SubCategories']),"\x0..\x1f"));
}
This way you don't run the 'one level' foreach() on the array
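
Added example, not part of the thread or of Coppermine's code: the fix in the first post passes every IPTC value to trim(), but Keywords and SubCategories are arrays, which is the side effect behind the implode() warnings discussed in this thread. The sketch below sanitises scalar and array values separately before building the display rows; the function names, the $labels map (a stand-in for $lang_picinfo) and the sample data are assumptions made for illustration.

```php
<?php
// Added example, not Coppermine code. clean_meta_value() and build_iptc_info()
// are hypothetical names; the trim/strip_tags/htmlentities chain is the one
// quoted in the thread, with an explicit charset and ENT_SUBSTITUTE added.

/**
 * Sanitise one metadata value. Arrays are walked element by element so that
 * trim() and strip_tags() only ever receive strings.
 */
function clean_meta_value($value)
{
    if (is_array($value)) {
        $out = array();
        foreach ($value as $k => $v) {
            $out[$k] = clean_meta_value($v);
        }
        return $out;
    }
    if (!is_scalar($value)) {
        return '';   // null, objects, resources: nothing to display
    }
    // The custom character list replaces trim()'s default whitespace list,
    // so a second plain trim() removes leading and trailing spaces.
    $text = trim(trim((string) $value, "\x7f..\xff\x0..\x1f"));
    return htmlentities(strip_tags($text), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Build label => text rows for the picture-info table.
 * $labels maps IPTC field names to display labels.
 */
function build_iptc_info($iptc, array $labels)
{
    $info = array();
    if (!is_array($iptc)) {
        return $info;
    }
    $iptc = clean_meta_value($iptc);
    foreach ($labels as $field => $label) {
        if (!isset($iptc[$field])) {
            continue;
        }
        $value = $iptc[$field];
        if (is_array($value)) {
            // implode() only sees an array of non-empty strings.
            $parts = array_filter($value, function ($v) {
                return is_string($v) && $v !== '';
            });
            if (count($parts) === 0) {
                continue;   // set but empty: no row, no warning
            }
            $info[$label] = implode(' ', $parts);
        } elseif ($value !== '') {
            $info[$label] = $value;
        }
    }
    return $info;
}

// Constructed sample: what an IPTC reader might return for an uploaded JPEG.
$sample = array(
    'Title'         => "  <script>alert(1)</script>Sunset\x00",
    'Copyright'     => '"A & B" <b>Studio</b>',
    'Keywords'      => array('beach', '<img src=x onerror=alert(1)>', 'sea'),
    'SubCategories' => array(),   // set, but empty
    'Category'      => null,
);

$labels = array(
    'Title'         => 'IPTC Title',
    'Copyright'     => 'IPTC Copyright',
    'Keywords'      => 'IPTC Keywords',
    'Category'      => 'IPTC Category',
    'SubCategories' => 'IPTC Sub Categories',
);

foreach (build_iptc_info($sample, $labels) as $label => $text) {
    echo $label, ': ', $text, PHP_EOL;
}
```

Run from the command line with `php`, it prints only the Title, Copyright and Keywords rows, with markup removed and quotes and ampersands entity-encoded; the empty SubCategories array and the null Category produce no row.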
Title: Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
Post by: judyksp on September 11, 2005, 07:31:50 am
I have version 1.3.3 from Fantastico.  Fantastico was provided by my webhost (Voda Host).   I upgraded coppermine using the txt file you provided and renamed it.

Since the upgrade I can no longer go into my website for coppermine.  It says MySQL too many connection error.  What is wrong?

Judy
Title: Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
Post by: artistsinhawaii on September 11, 2005, 12:29:53 pm
judy,

That error message has nothing to do with Coppermine and everything to do with your server.  These are usually temporary problems that will go away, it's just the number of connections to your host/server's MySQL server is greater than the number allowed.  If it happens too frequently, ask your hosting service about it.

Dennis
Title: Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
Post by: eskan on September 12, 2005, 06:30:24 pm
I have a problem, I just upgraded the cpg but the vulnerability is still working, or maybe it is another one.. don't know, well you can see the web http://www.canalgogo.com/ and the XSS http://www.canalgogo.com/displayimage.php?album=5%20&pos=3%22%3Eblablabla%3C/h1%3E

Have I really updated, or is it another bug?
Thx for answering
Title: Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
Post by: Aditya Mooley on September 13, 2005, 07:35:29 am
Yes, at first glance, language selector has a potential for XSS at least in 1.3.x version of CPG.
The problem seems to have been solved in 1.4.x

Immediate recommendation is, do not use language selectors.
We will investigate further and post the fix if necessary.
Title: Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
Post by: kkerr on September 17, 2005, 02:44:07 am
Hello, I upgraded my original CPG 1.33 to the CPG 1.34 version available "with the fix" written into it. performed the update.php etc

Initially 
Warning: implode(): Bad arguments. in /var/www/cpg133/displayimage.php on line 334
Warning: implode(): Bad arguments. in /var/www/cpg133/displayimage.php on line 336

So I then renamed and replaced the displayimage.php in hopes it would help, this changed the error to:

Warning: implode(): Bad arguments. in /var/www/cpg133/displayimage.php on line 338

Thus, your suggestions are welcome.
Title: Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
Post by: kkerr on September 17, 2005, 02:47:32 am
If it helps, here is the current related code I am using:


 if (isset($iptc) && is_array($iptc)) {
        //Sanitize the data - to fix the XSS vulnerability - Aditya
        foreach ($iptc as $key=>$data) {
          $iptc[$key] = htmlentities(strip_tags(trim($data,"\x7f..\xff\x0..\x1f")),ENT_QUOTES); //sanitize data against sql/html injection; trim any nongraphical non-ASCII character:
        }
        if (isset($iptc['Title'])) $info[$lang_picinfo['iptcTitle']] = trim($iptc['Title']);
        if (isset($iptc['Copyright'])) $info[$lang_picinfo['iptcCopyright']] = trim($iptc['Copyright']);
        if (!empty($iptc['Keywords'])) $info[$lang_picinfo['iptcKeywords']] = trim(implode(" ",$iptc['Keywords']));
        if (isset($iptc['Category'])) $info[$lang_picinfo['iptcCategory']] = trim($iptc['Category']);
        if (!empty($iptc['SubCategories'])) $info[$lang_picinfo['iptcSubCategories']] = trim(implode(" ",$iptc['SubCategories']));
    }
Title: Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
Post by: Joachim Müller on September 17, 2005, 11:03:20 am
please use the code from the cvs, stable branch
Title: Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
Post by: bazil749 on September 20, 2005, 06:23:07 am
As of 2nite 9/19/05 the ver. 1.3.4 that is up for download DOES NOT contain the fix.

I had to get it from this file....

An XSS vulnerability has been found in EXIF data. As Coppermine is capable of displaying EXIF data, everybody who runs coppermine (any version) will have to apply this security fix as soon as possible:
  • users running cpg1.3.3 should download the file attached, rename it from "displayimage.txt" to "displayimage.php" and upload it to their webserver into the coppermine root folder, replacing the existing file on the server.
  • users running any previous version should upgrade to cpg1.3.4, as there are several other things that have been fixed. If you can't do this now, make sure to fix the vulnerability: Edit displayimage.php with a text editor, find
    Code:
        if (isset($exif) && is_array($exif)) {
    and replace with
    Code:
        if (isset($exif) && is_array($exif)) {
            //Sanitize the data - to fix the XSS vulnerability - Aditya
            foreach ($exif as $key=>$data) {
              $exif[$key] = htmlentities(strip_tags(trim($data,"\x7f..\xff\x0..\x1f")),ENT_QUOTES); //sanitize data against sql/html injection; trim any nongraphical non-ASCII character:
            }
    Next, find
    Code:
    if (isset($iptc) && is_array($iptc)) {
            if (isset($iptc['Title'])) $info[$lang_picinfo['iptcTitle']] = trim($iptc['Title']);
            if (isset($iptc['Copyright'])) $info[$lang_picinfo['iptcCopyright']] = trim($iptc['Copyright']);
            if (!empty($iptc['Keywords'])) $info[$lang_picinfo['iptcKeywords']] = trim(implode(" ",$iptc['Keywords']));
            if (isset($iptc['Category'])) $info[$lang_picinfo['iptcCategory']] = trim($iptc['Category']);
            if (!empty($iptc['SubCategories'])) $info[$lang_picinfo['iptcSubCategories']] = trim(implode(" ",$iptc['SubCategories']));
        }
    and replace with
    Code:
    if (isset($iptc) && is_array($iptc)) {
            //Sanitize the data - to fix the XSS vulnerability - Aditya
            foreach ($iptc as $key=>$data) {
              $iptc[$key] = htmlentities(strip_tags(trim($data,"\x7f..\xff\x0..\x1f")),ENT_QUOTES); //sanitize data against sql/html injection; trim any nongraphical non-ASCII character:
            }
            if (isset($iptc['Title'])) $info[$lang_picinfo['iptcTitle']] = trim($iptc['Title']);
            if (isset($iptc['Copyright'])) $info[$lang_picinfo['iptcCopyright']] = trim($iptc['Copyright']);
            if (!empty($iptc['Keywords'])) $info[$lang_picinfo['iptcKeywords']] = trim(implode(" ",$iptc['Keywords']));
            if (isset($iptc['Category'])) $info[$lang_picinfo['iptcCategory']] = trim($iptc['Category']);
            if (!empty($iptc['SubCategories'])) $info[$lang_picinfo['iptcSubCategories']] = trim(implode(" ",$iptc['SubCategories']));
        }
     Save your edits, then upload the edited file to your webserver, overwriting the existing one.
  • users running the devel version cpg1.4.x: make sure to update all your files from the cvs as suggested in the sticky thread on the cpg1.4 testing/bugs board.
  • users running unsupported ports (especially those who run the deprecated nuke ports): we have no idea if the vulnerability exists in your code as well, but you should take a look at it and use the fix if applicable
I will package up a new stable release (cpg1.3.4) that will be available soon. It will contain the fix discussed in this thread.
[edit GauGau]
New package released: a brand new package cpg1.3.4 has been released that contains the above mentioned fix. - Download cpg1.3.4 (http://prdownloads.sourceforge.net/coppermine/cpg1.3.4.zip?download)
[/edit]

Joachim

[edit]
Fixed the bug described below, uploaded new file and changed the instructions above accordingly. - Aditya
[/edit]


Title: Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
Post by: Joachim Müller on September 20, 2005, 08:18:50 am
it contains another syntax of the fix that does the same, but is cleaner, code-wise. Both versions are safe.
Title: Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
Post by: bazil749 on September 20, 2005, 01:02:09 pm
No they are not...that's what I'm trying to say.  Or maybe it's a problem with your mirrors....

The point is, I upgrade from 1.3.2 to 1.3.4 and I got this error tonight.  This is how I ended up in this forum.

it contains another syntax of the fix that does the same, but is cleaner, code-wise. Both versions are safe.
Title: Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
Post by: Aditya Mooley on September 20, 2005, 01:36:16 pm
Which mirror did you use to download the package?
I downloaded it from http://easynews.dl.sourceforge.net/sourceforge/coppermine/cpg1.3.4.zip and it has the fixes.

Though the fix in the latest stable version is a bit different than what is given in the first post, as GauGau said, both the versions are safe.
Title: Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
Post by: bazil749 on September 20, 2005, 01:52:05 pm
That link didn't work for me.  I used a couple different mirrors, this one for instance:

http://internap.dl.sourceforge.net/sourceforge/coppermine/cpg1.3.4.zip


Hey, I'm not trying to accuse anyone of anything, I'm just saying that it ain't working for me.  Maybe the "fixes" are a bit different in truth, but the only thing that worked for me is the fix on this page...

Once again like I said, I never knew bout this problem before upgrading to the stable version I downloaded tonight.  Or maybe it's my configuration or something, who knows.  I'm just trying to help other people not go through the hours I spent trying to fix this.  Cuz when I read that the downloaded version was fixed, I was pulling my hair out wondering why it doesn't work.

Maybe you should just stick the fix here in the stable version instead of the "other" fix.  Just out of curiosity, what was the "other" fix?

Which mirror did you used to download the package?
I downloaded it from http://easynews.dl.sourceforge.net/sourceforge/coppermine/cpg1.3.4.zip and it has the fixes.

Though the fix in the latest stable version is a bit different than what is given in the first post, as GauGau said, both the versions are safe.
Title: Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
Post by: bazil749 on September 20, 2005, 01:55:44 pm
I had to manually make the change on lines 334 and 336 and change the isset to isempty....That's the ONLY thing that worked for me.

No they are not...that's what I'm trying to say.  Or maybe it's a problem with your mirrors....

The point is, I upgrade from 1.3.2 to 1.3.4 and I got this error tonight.  This is how I ended up in this forum.

it contains another syntax of the fix that does the same, but is cleaner, code-wise. Both versions are safe.
Title: Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
Post by: Aditya Mooley on September 20, 2005, 02:04:50 pm
Quote
I had to manually make the change on lines 334 and 336 and change the isset to isempty....That's the ONLY thing that worked for me.
The code which you changed is a part of a fix just to avoid the warning messages which were getting displayed after fixing the XSS vulnerability. The actual fix line 328 to 331 is present in the stable package.
Title: Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
Post by: bazil749 on September 20, 2005, 02:08:03 pm
Well I'm sorry to say that it's not working.  Maybe you need to check it again, but it's not working for me.  Maybe it's due to my particular images, who knows.  One thing is that I didn't get this error on all my images.  I don't know why.  And of course I don't get it at all if I turn the IPTC on Jpegs off completely.

Just trying to help here guys....

I had to manually make the change on lines 334 and 336 and change the isset to isempty....That's the ONLY thing that worked for me.
The code which you changed is a part of a fix just to avoid the warning messages which were getting displayed after fixing the XSS vulnerability. The actual fix line 328 to 331 is present in the stable package.
Title: Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
Post by: DJMaze on September 24, 2005, 05:13:18 am
Probably fixed the issue check revision 1.15 (should be available within 3 hours)
http://cvs.sourceforge.net/viewcvs.py/coppermine/stable/displayimage.php
Title: Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
Post by: Albert on September 24, 2005, 12:19:56 pm
I've started thread /var/www/cpg134/displayimage.php on line 334 and if I understand this thread right, the problem should be fixed with newest downloads, but I used a download of yesterday. Maybe I had an old version in my cache. It would be good, if there is a md5sum at the website.

With this version I got the error:
b1b10229422583bdad5ca4ff44281ac5  cpg1.3.4.zip

I would like to add, that some exif and IPTC-fields are empty, although the info is in the image. Every Comment contains at the beginning ASCII
Title: Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
Post by: Albert on September 24, 2005, 08:56:58 pm
A few minutes ago I downloaded cpg1.3.4.zip from 3 different locations and md5sum still is b1b10229422583bdad5ca4ff44281ac5, which produces errors here. Does this version work for others or do we have to be patient for a new version? It is not a problem for me if it takes days, if the problem is solved, I want to know only, if I have to wait.
Title: Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
Post by: donnoman on October 04, 2005, 05:19:09 pm
I think that you made a mistake in your first post...
I won't comment this, maybe the dev who took care of the fix wants to. In fact, the lines do the same, there is only a cosmetical issue.

Joachim

Quote

I think I may have been the dev that changed those two lines to !empty because in working with a specific image I uncovered the fact that isset will return true if it's passed a null array. !empty will return false which is the reaction I felt was most appropriate.
Title: Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
Post by: Hekimoglu on July 22, 2006, 02:33:41 pm
Hello,

I have fixed displayimage.php but I have an error when I click on photos..


Code:
Parse error: parse error, unexpected  ......../modules/coppermine/displayimage.php on line 577
Can you Help me???
Title: Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
Post by: Joachim Müller on July 23, 2006, 06:53:40 am
Means that you haven't applied the fix as suggested. You should perform the actual upgrade instead of trying to fix only parts, especially if you don't understand what a parse error is. Don't clutter this thread with individual support requests.