forum.coppermine-gallery.net

No Support => Announcements => Topic started by: Tarique Sani on February 18, 2006, 01:41:45 pm

Title: Patch for Coppermine 1.4.3 remote code execution - Update NOW!
Post by: Tarique Sani on February 18, 2006, 01:41:45 pm
A remote code execution flaw was detected in Coppermine Picture Gallery 1.4.3 - this affects installations where user registrations are allowed and users are allowed to upload files. However it is strongly recommended that everyone patches their installations.

To manually patch your install, open the file include/init.inc.php and find the line
Code:
$USER['lang'] = $_GET['lang'];
This is around line 301. Replace it with the line below
Code:
$USER['lang'] = ereg("^[a-z0-9_-]*$", $_GET['lang']) ? $_GET['lang'] : $CONFIG['lang'];
Next, open the file docs/showdocs.php and find the line
Code:
@include($file);
This is around line 51. Replace it with the line below
Code:
@include('index.htm');

That's it! If editing code is not your cup of tea then use the files in the zip attached.

Thanks to rgod http://retrogod.altervista.org/ for discovering these flaws and thanks to the dev team members Amit and Abbas for helping me fix this.

Once again - this is a nasty one - PATCH NOW! or be OWNED!!

[edit GauGau]
New package cpg1.4.4 that includes the above mentioned patch has been released, see announcement thread "Coppermine maintenance release cpg1.4.4 - upgrade as soon as possible (http://forum.coppermine-gallery.net/index.php?topic=28445.0)"
[/edit]
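
The same two ideas as the patch above (accept a request value only if it matches a narrow pattern, and never pass a request-supplied name to include), written for current PHP, where ereg() no longer exists (it was removed in PHP 7.0). This is an added example, not part of the original post and not Coppermine's own code; the function names, the list of installed languages and the page map are assumptions made for the illustration.

```php
<?php
// Added example: hypothetical helper names, not Coppermine's own code.

/**
 * Return a language code that is safe to use when choosing a language file.
 * $requested comes straight from the request, $installed is the list of
 * language codes present on disk, $default is the configured fallback.
 */
function pick_language($requested, array $installed, string $default): string
{
    // Request parameters can arrive as arrays (?lang[]=x); accept strings only.
    if (!is_string($requested)) {
        return $default;
    }
    // Same character class as the patch. \A and \z anchor to the true start
    // and end of the string, and "+" (instead of "*") rejects an empty value.
    if (preg_match('/\A[a-z0-9_-]+\z/', $requested) !== 1) {
        return $default;
    }
    // Second gate: the code must name a language that is actually installed.
    return in_array($requested, $installed, true) ? $requested : $default;
}

/**
 * Resolve a documentation page from a fixed map instead of including a
 * request-supplied file name (the patch hard-codes index.htm to the same end).
 */
function pick_doc_page($requested): string
{
    $pages = ['index' => 'index.htm'];   // constructed map for this example
    return (is_string($requested) && isset($pages[$requested]))
        ? $pages[$requested]
        : 'index.htm';
}

// Constructed sample inputs: one valid value, then values that must fall back.
$installed = ['english', 'german', 'brazilian_portuguese'];
foreach (['german', 'German', 'english.php', '', ['x'], 'klingon'] as $input) {
    printf("%-16s => %s\n", json_encode($input),
        pick_language($input, $installed, 'english'));
}
printf("doc page         => %s\n", pick_doc_page('anything-else'));
```

Only 'german' is returned unchanged; every other sample input resolves to the default 'english', and the documentation lookup resolves to index.htm.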
Title: Re: Patch for Coppermine 1.4.3 remote code execution - Update NOW!
Post by: Tranz on February 18, 2006, 07:49:54 pm
Thank you Tarique, Amit, and Abbas. :)

I tried using CVS to do the update but the changes weren't there so I have committed the changes.
Title: Re: Patch for Coppermine 1.4.3 remote code execution - Update NOW!
Post by: no1wammy on February 21, 2006, 10:33:10 pm
Patch applied. And I was just about to bridge my two forums, too.

Code:
$USER['lang'] = $_GET['lang'];
Code:
$USER['lang'] = ereg("^[a-z0-9_-]*$", $_GET['lang']) ? $_GET['lang'] : $CONFIG['lang'];
Code:
@include($file);
Code:
@include('index.htm');
Would you please explain what these four codes do, and how they relate to the remote code execution flaw?
Title: Re: Patch for Coppermine 1.4.3 remote code execution - Update NOW!
Post by: Paver on February 22, 2006, 07:37:40 am
It is generally best to avoid giving a "how to" on security issues.  If you don't know why those lines are dangerous, all you need to know is that they are, and if you've applied the fixes, you're safe.
Title: Re: Patch for Coppermine 1.4.3 remote code execution - Update NOW!
Post by: fredag on February 22, 2006, 11:00:38 am
On the front page of your web site, you call the security flaw which was recently discovered a "cross site scripting vulnerability". It seems you are deliberately playing down the seriousness of this security flaw. Secunia labels it "System access From remote" and "The vulnerability can be further exploited by users who are allowed to upload image files to execute arbitrary PHP code." It seems to me that is rather more serious than just "cross site scripting".

Given the seriousness of the security flaw which was discovered, shouldn't you guys have released a new proper version of coppermine yesterday or the day before, and not just expect people to patch? By not releasing a new proper version, sysadmins can't tell their users to just upgrade to the latest version of coppermine, because your latest version (1.4.3) is vulnerable.

Also: The so-called "patch" you have outlined only works on version 1.4.3 and not older versions like 1.3.3. Perhaps you should post some info on the various versions of coppermine and their security status? Which is safe to use and which is not.

As Tarique described it: "This is a nasty one".


-fredag
Title: Re: Patch for Coppermine 1.4.3 remote code execution - Update NOW!
Post by: Joachim Müller on February 22, 2006, 11:13:01 am
1) cpg1.3.x isn't affected by the vulnerability as far as I can tell
2) we're currently working on a maintenance release
Title: Re: Patch for Coppermine 1.4.3 remote code execution - Update NOW!
Post by: Tarique Sani on February 22, 2006, 11:30:00 am
@fredag: Given the fact that only two files need to be replaced, asking people to reinstall everything is being a plain PIA - for those who cannot patch, a zip with correct files was provided...

While I agree that the website front page should be updated ASAP, the points mentioned by Gaugau stand.

@Gaugau - time we declared 1.3.x as unsupported and removed all those downloads - Upgrade or perish!
Title: Re: Patch for Coppermine 1.4.3 remote code execution - Update NOW!
Post by: Nibbler on February 22, 2006, 02:29:52 pm
It's the same fix for 1.3, which is vulnerable.

find

Code:
$USER['lang'] = $HTTP_GET_VARS['lang'];
replace with

Code:
$USER['lang'] = ereg("^[a-z0-9_-]*$", $HTTP_GET_VARS['lang']) ? $HTTP_GET_VARS['lang'] : $CONFIG['lang'];
Title: Re: Patch for Coppermine 1.4.3 remote code execution - Update NOW!
Post by: SpearCreations on February 22, 2006, 03:59:29 pm
I have a question: I just downloaded Coppermine Gallery 1.4.3 last night, now does this mean I have to also run the patch? Just curious, thank you kindly ;D
Title: Re: Patch for Coppermine 1.4.3 remote code execution - Update NOW!
Post by: SpearCreations on February 22, 2006, 04:04:24 pm
I have a question: I just downloaded Coppermine Gallery 1.4.3 last night, now does this mean I have to also run the patch? Just curious, thank you kindly ;D And if I do have to add the patch, where do I exactly put it... keep in mind I'm computer stupid at this point, but I did manage to get it up and running last night :)
Title: Re: Patch for Coppermine 1.4.3 remote code execution - Update NOW!
Post by: Joachim Müller on February 22, 2006, 04:05:07 pm
Yes, you have to apply the patch as well. Right now we're preparing a cpg1.4.4 maintenance release that will include the fix.
CPG1.4.3 or older doesn't contain the fix, you have to apply it manually.
Title: Re: Patch for Coppermine 1.4.3 remote code execution - Update NOW!
Post by: SpearCreations on February 22, 2006, 04:40:34 pm
Ughhhhh, I just knew you were going to say that... I'm not very good at PHP... and do I also have to download the maintenance as well??? I assumed that the 1.43 was stable and had all the upgrades. Thanks for your help!
Title: Re: Patch for Coppermine 1.4.3 remote code execution - Update NOW!
Post by: Tranz on February 22, 2006, 04:46:26 pm
If you know how to make a backup copy of the file (for just in case), and edit text in wordpad or notepad, you can do it.

Or you can download the attachment that contains the files in the first post.
Title: Re: Patch for Coppermine 1.4.3 remote code execution - Update NOW!
Post by: SpearCreations on February 22, 2006, 04:54:57 pm
Well, see, I took a basic HTML course and opened up Crimson Editor, searched, found and saved what I needed... now I just need to upload these new files to my website. Plus I had my hubby stand behind me while I was doing it, lol, he's a computer tech person, he can write Java but not PHP... Thanks for all your help :)
Title: Re: Patch for Coppermine 1.4.3 remote code execution - Update NOW!
Post by: Fotomaf on February 22, 2006, 05:51:04 pm
Applied!

thanks!
Title: Re: Patch for Coppermine 1.4.3 remote code execution - Update NOW!
Post by: solarian on February 25, 2006, 06:07:12 pm
I think this illustrates the usefulness of an announcements RSS feed.  I have subscribed to this forum for now, but RSS is obviously the way forward.  It would be quite simple to hand-code a static RSS file for the purpose.  Please consider this...
Title: Re: Patch for Coppermine 1.4.3 remote code execution - Update NOW!
Post by: Nibbler on February 25, 2006, 06:08:01 pm
RSS feed is planned.
Title: Re: Patch for Coppermine 1.4.3 remote code execution - Update NOW!
Post by: Fabrian on February 26, 2006, 02:40:44 am
Has anyone noticed a slower load time? I can't tell if it's the patch or my ISP.
Title: Re: Patch for Coppermine 1.4.3 remote code execution - Update NOW!
Post by: Nibbler on February 26, 2006, 03:59:34 am
Any slowdown caused by the patch would be insignificant.
Title: Re: Patch for Coppermine 1.4.3 remote code execution - Update NOW!
Post by: Joachim Müller on February 26, 2006, 01:51:39 pm
New package cpg1.4.4 that includes the above mentioned patch has been released, see announcement thread "Coppermine maintenance release cpg1.4.4 - upgrade as soon as possible (http://forum.coppermine-gallery.net/index.php?topic=28445.0)"
Title: Re: Patch for Coppermine 1.4.3 remote code execution - Update NOW!
Post by: lordprodigy on February 28, 2006, 12:10:26 am
I am using a modded 1.4.3, I would like to know which files were modified in the 1.4.4 release, so I can upgrade safely without losing all the mods. Will it be sufficient if I only apply the hotfix above? Thanks
Title: Re: Patch for Coppermine 1.4.3 remote code execution - Update NOW!
Post by: Paver on February 28, 2006, 12:25:31 am
Other files were modified to incorporate bug fixes listed on the bugs board.  The documentation was also improved, notably with a more complete plugin section.

Download version 1.4.4 and you can do a "diff" with your current files to see the differences.  Or set up CVS on your computer so you can do updates with the Coppermine CVS: http://sourceforge.net/cvs/?group_id=89658.
Title: Re: Patch for Coppermine 1.4.3 remote code execution - Update NOW!
Post by: lordprodigy on February 28, 2006, 12:38:07 am
Thanks. will do that. But in the meantime the hotfix should be ok, right?
Title: Re: Patch for Coppermine 1.4.3 remote code execution - Update NOW!
Post by: Paver on February 28, 2006, 01:32:38 am
Yes, the hotfix described in this thread takes care of the only critical bug that must be fixed.
Title: Re: Patch for Coppermine 1.4.3 remote code execution - Update NOW!
Post by: Goosemoose on March 01, 2006, 12:31:42 am
Quote from: solarian on February 25, 2006, 06:07:12 pm
"I think this illustrates the usefulness of an announcements RSS feed.  I have subscribed to this forum for now, but RSS is obviously the way forward.  It would be quite simple to hand-code a static RSS file for the purpose.  Please consider this..."

RSS already exists in all SMF forums, though you can't narrow down which forum to see. I added the feed to my google home page.
Title: Re: Patch for Coppermine 1.4.3 remote code execution - Update NOW!
Post by: rbess on March 01, 2006, 06:48:58 am
Have a question related to this situation. I performed the update recommended by my server by using Fantastico. This of course caused my settings to change and not allow an unregistered user to view my album. Clicking on the allow button would not work because the settings would not save, so I got on here to look for the answer. I saw your manual installation of the code and did that, which got my album back to public, however now I cannot log in on the admin page anymore. It appears that my login and password are gone or it's not looking for it in the right place. So in which file does that code live? Can I go back into that file and add my info without too much pain?

Thanks.
Title: Re: Patch for Coppermine 1.4.3 remote code execution - Update NOW!
Post by: Paver on March 01, 2006, 07:33:09 am
@rbess: You posted your support question on the upgrade board where it belongs.  Please do not double-post.  If you think your issues are related to this fix, reference it on your original post; don't post in both places.

At first glance, I cannot see how your problems are related to the fix described in this thread.  Regardless, please keep your support question in the appropriate thread so it can be tracked and resolved in an organized manner.
Title: Re: Patch for Coppermine 1.4.3 remote code execution - Update NOW!
Post by: kuest on March 01, 2006, 11:09:24 pm
Some lines above from the vulnerable point I find this:
Code:
// Process theme selection if present in URI or in user profile
if (!empty($HTTP_GET_VARS['theme'])) {
    $USER['theme'] = $HTTP_GET_VARS['theme'];

Isn't this the same problem of overtaking unproved "_GET[]"?

Title: Re: Patch for Coppermine 1.4.3 remote code execution - Update NOW!
Post by: Joachim Müller on March 03, 2006, 08:50:06 pm
As this seems to cause confusion for some users: the fix mentioned in this thread has gone into cpg1.4.4. However, applying this patch to a cpg1.4.3 install doesn't make it a cpg1.4.4 gallery. A lot of other minor bug fixes have gone into cpg1.4.4 as well.
Users should not only apply this patch, but actually upgrade to cpg1.4.4 as suggested in the upgrade section of the docs that come with the new package.
Title: MOVED: Re: Patch for Coppermine 1.4.3 remote code execution - Update NOW!
Post by: Joachim Müller on March 15, 2006, 07:18:40 pm
Split unrelated reply to this announcement thread into a separate thread  cpg1.4 upgrading (http://forum.coppermine-gallery.net/index.php?board=59).

http://forum.coppermine-gallery.net/index.php?topic=29192.0



From now on, all unrelated replies and individual support requests to this thread will get deleted without further notice, the posters will be banned for a week >:(.