forum.coppermine-gallery.net
No Support => Announcements => Topic started by: Tarique Sani on February 18, 2006, 01:41:45 pm
-
A remote code execution flaw was detected in Coppermine Picture Gallery 1.4.3 - this affects installations where user registrations are allowed and users are allowed to upload files. However it is strongly recommended that everyone patches their installations.
To manually patch your install, open the file include/init.inc.php and find the line
$USER['lang'] = $_GET['lang'];
This is around line 301; replace it with the line below:
$USER['lang'] = ereg("^[a-z0-9_-]*$", $_GET['lang']) ? $_GET['lang'] : $CONFIG['lang'];
Next, open the file docs/showdocs.php and find the line
@include($file);
This is around line 51; replace it with the line below:
@include('index.htm');
That's it! If editing code is not your cup of tea, then use the files in the zip attached.
Thanks to rgod http://retrogod.altervista.org/ for discovering these flaws, and thanks to the dev team members Amit and Abbas for helping me fix this.
Once again - this is a nasty one - PATCH NOW! or be OWNED!!
[edit GauGau]
New package cpg1.4.4 that includes the above mentioned patch has been released, see announcement thread "Coppermine maintenance release cpg1.4.4 - upgrade as soon as possible (http://forum.coppermine-gallery.net/index.php?topic=28445.0)"
[/edit]
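The whitelist check the patch applies to the lang parameter, as an added example in plain PHP (not Coppermine's own code): the same character class as the patch, factored into a reusable function and exercised on constructed inputs. It assumes, as the patch implies, that the value is later used to select a file, and it uses preg_match because ereg() is deprecated since PHP 5.3 and removed in PHP 7.

```php
<?php
// Added example, not from the Coppermine code base: the patch's whitelist
// check (^[a-z0-9_-]*$) as a reusable function for any request parameter
// that goes on to select a file. preg_match replaces ereg(); the D modifier
// makes $ match only at the very end of the string, like the POSIX $ in
// ereg(), so a trailing newline does not slip through.

/**
 * Return $value if it consists only of [a-z0-9_-], otherwise $default.
 * Path separators, dots, NUL bytes and upper-case letters all fall back to
 * the configured default instead of reaching an include().
 */
function cpg_select_safe($value, $default)
{
    // A non-string (e.g. lang[]=x turning the parameter into an array)
    // is rejected outright rather than handed to preg_match.
    if (is_string($value) && preg_match('/^[a-z0-9_-]*$/D', $value)) {
        return $value;
    }
    return $default;
}

// The patched assignment from the announcement, written with the function.
$CONFIG = array('lang' => 'english');   // constructed default
$USER = array();
$USER['lang'] = cpg_select_safe(isset($_GET['lang']) ? $_GET['lang'] : '',
                                $CONFIG['lang']);

// Constructed inputs showing what the check accepts and rejects.
$samples = array(
    'english',      // accepted: plain name
    'pt-br',        // accepted: hyphen is in the class
    'de_DE',        // rejected: upper-case letters are not in the class
    '../other',     // rejected: dots and slashes
    "english\0",    // rejected: NUL byte
    "english\n",    // rejected thanks to the D modifier
    '',             // accepted: the patch's * also permits an empty value
);
foreach ($samples as $s) {
    printf("%-14s -> %s\n", json_encode($s), cpg_select_safe($s, $CONFIG['lang']));
}
```

Every rejected value prints the default ("english"), which is the behaviour the patch relies on: the request can only ever pick a name made of characters that cannot change which file is loaded.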
-
Thank you Tarique, Amit, and Abbas. :)
I tried using CVS to do the update but the changes weren't there so I have committed the changes.
-
Patch applied. And I was just about to bridge my two forums, too.
$USER['lang'] = $_GET['lang'];
$USER['lang'] = ereg("^[a-z0-9_-]*$", $_GET['lang']) ? $_GET['lang'] : $CONFIG['lang'];
@include($file);
@include('index.htm');
Would you please explain what these four lines of code do, and how they relate to the remote code execution flaw?
-
It is generally best to avoid giving a "how to" on security issues. If you don't know why those lines are dangerous, all you need to know is that they are, and if you've applied the fixes, you're safe.
-
On the front page of your web site, you call the security flaw which was recently discovered a "cross site scripting vulnerability". It seems you are deliberately playing down the seriousness of this security flaw. Secunia labels it "System access From remote" and "The vulnerability can be further exploited by users who are allowed to upload image files to execute arbitrary PHP code." It seems to me that is rather more serious than just "cross site scripting".
Given the seriousness of the security flaw which was discovered, shouldn't you guys have released a new proper version of coppermine yesterday or the day before, and not just expect people to patch? By not releasing a new proper version, sysadmins can't tell their users to just upgrade to the latest version of coppermine, because your latest version (1.4.3) is vulnerable.
Also: The so-called "patch" you have outlined only works on version 1.4.3 and not on older versions like 1.3.3. Perhaps you should post some info on the various versions of Coppermine and their security status? Which is safe to use and which is not.
As Tarique described it: "This is a nasty one".
-fredag
-
1) cpg1.3.x isn't affected by the vulnerability as far as I can tell
2) we're currently working on a maintenance release
-
@fredag: Given the fact that only two files need to be replaced, asking people to reinstall everything is a plain PIA - for those who cannot patch, a zip with the correct files was provided...
While I agree that the website front page should be updated ASAP the points mentioned by Gaugau stand.
@Gaugau - time we declared 1.3.x as unsupported and removed all those downloads - Upgrade or perish!
-
It's the same fix for 1.3, which is vulnerable.
find
$USER['lang'] = $HTTP_GET_VARS['lang'];
replace with
$USER['lang'] = ereg("^[a-z0-9_-]*$", $HTTP_GET_VARS['lang']) ? $HTTP_GET_VARS['lang'] : $CONFIG['lang'];
-
I have a question: I just downloaded Coppermine Gallery 1.4.3 last night. Now does this mean I have to also run the patch? Just curious, thank you kindly ;D
-
I have a question: I just downloaded Coppermine Gallery 1.4.3 last night. Now does this mean I have to also run the patch? Just curious, thank you kindly ;D And if I do have to add the patch, where exactly do I put it? Keep in mind I'm computer stupid at this point, but I did manage to get it up and running last night :)
-
yes, you have to apply the patch as well. Right now we're preparing a cpg1.4.4 maintenance release that will include the fix.
CPG1.4.3 or older doesn't contain the fix, you have to apply it manually.
-
ughhhhh, I just knew you were going to say that... I'm not very good at PHP... and do I also have to download the maintenance release as well??? I assumed that 1.4.3 was stable and had all the upgrades. Thanks for your help!
-
If you know how to make a backup copy of the file (for just in case), and edit text in wordpad or notepad, you can do it.
Or you can download the attachment that contains the files in the first post.
-
Well, see, I took a basic HTML course and opened up Crimson Editor, searched, found and saved what I needed... now I just need to upload these new files to my website. Plus I had my hubby stand behind me while I was doing it lol, he's a computer tech person, he can write Java but not PHP... thanks for all your help :)
-
Applied!
thanks!
-
I think this illustrates the usefulness of an announcements RSS feed. I have subscribed to this forum for now, but RSS is obviously the way forward. It would be quite simple to hand-code a static RSS file for the purpose. Please consider this...
-
RSS feed is planned.
-
has anyone noticed a slower load time? I can't tell if it's the patch or my isp..
-
Any slowdown caused by the patch would be insignificant.
-
New package cpg1.4.4 that includes the above mentioned patch has been released, see announcement thread "Coppermine maintenance release cpg1.4.4 - upgrade as soon as possible (http://forum.coppermine-gallery.net/index.php?topic=28445.0)"
-
I am using a modded 1.4.3. I would like to know which files were modified in the 1.4.4 release, so I can upgrade safely without losing all the mods. Will it be sufficient if I only apply the hotfix above? Thanks
-
Other files were modified to incorporate bug fixes listed on the bugs board. The documentation was also improved, notably with a more complete plugin section.
Download version 1.4.4 and you can do a "diff" with your current files to see the differences. Or set up CVS on your computer so you can do updates with the Coppermine CVS: http://sourceforge.net/cvs/?group_id=89658 (http://sourceforge.net/cvs/?group_id=89658).
-
Thanks. will do that. But in the meantime the hotfix should be ok, right?
-
Yes, the hotfix described in this thread takes care of the only critical bug that must be fixed.
-
I think this illustrates the usefulness of an announcements RSS feed. I have subscribed to this forum for now, but RSS is obviously the way forward. It would be quite simple to hand-code a static RSS file for the purpose. Please consider this...
RSS already exists in all SMF forums, though you can't narrow down which forum to see. I added the feed to my google home page.
-
Have a question related to this situation. I performed the update recommended by my server by using Fantastico. This of course caused my settings to change and not allow an unregistered user to view my album. Clicking on the allow button would not work because the settings would not save, so I got on here to look for the answer. I saw your manual installation of the code and did that, which got my album back to public; however, now I can not login on the admin page anymore. It appears that my login and password are gone or it's not looking for them in the right place. So which file does that code live in? Can I go back into that file and add my info without too much pain?
Thanks.
-
@rbess: You posted your support question on the upgrade board where it belongs. Please do not double-post. If you think your issues are related to this fix, reference it on your original post; don't post in both places.
At first glance, I cannot see how your problems are related to the fix described in this thread. Regardless, please keep your support question in the appropriate thread so it can be tracked and resolved in an organized manner.
-
Some lines above from the vulnerable point I find this:
"// Process theme selection if present in URI or in user profile
if (!empty($HTTP_GET_VARS['theme'])) {
$USER['theme'] = $HTTP_GET_VARS['theme'];"
Isn't this the same problem of taking over unchecked "_GET[]" values??
-
As this seems to cause confusion for some users: the fix mentioned in this thread has gone into cpg1.4.4. However, applying this patch to a cpg1.4.3 install doesn't make it a cpg1.4.4 gallery. A lot of other minor bug fixes have gone into cpg1.4.4 as well.
Users should not only apply this patch, but actually upgrade to cpg1.4.4 as suggested in the upgrade section of the docs that come with the new package.
-
Split unrelated reply to this announcement thread into a separate thread cpg1.4 upgrading (http://forum.coppermine-gallery.net/index.php?board=59).
http://forum.coppermine-gallery.net/index.php?topic=29192.0 (http://forum.coppermine-gallery.net/index.php?topic=29192.0)
From now on, all unrelated replies and individual support requests to this thread will get deleted without further notice, the posters will be banned for a week >:(.