forum.coppermine-gallery.net

No Support => Announcements => Topic started by: Joachim Müller on May 19, 2006, 09:28:04 pm

Title: Maintenance release CPG1.4.6 protects against Apache's .rar vulnerability
Post by: Joachim Müller on May 19, 2006, 09:28:04 pm
The Coppermine dev team announces the release of cpg1.4.6.
The new release does not contain new features (compared to previous versions of cpg1.4.x), but contains fixes for several minor issues. It takes care as well of the ".rar"-exploit (http://forum.coppermine-gallery.net/index.php?topic=31534.0) (that actually isn't a Coppermine bug, but a badly implemented feature of the Apache webserver that needed fixing). All Coppermine users are strongly encouraged to upgrade their coppermine version as soon as possible. Upgrade instructions are included in the package (refer to the index file inside the docs folder).

The new package contains all language files that existed up till now (compared to cpg1.4.5, a few new language files have been added).

Get the new release cpg1.4.6 here: http://prdownloads.sourceforge.net/coppermine/cpg1.4.6.zip?download

As suggested above, cpg1.4.6 does not only fix the .rar vulnerability, but several other (minor) issues as well, so everyone should upgrade as suggested. However, if you have a heavily-modified version of coppermine running on your server and can't do the full update, you should at least apply the fix for the ".rar-exploit". To do so, edit include/functions.inc.php with a plain-text editor, find
Code:
function replace_forbidden($str)
{
  static $forbidden_chars;
  if (!is_array($forbidden_chars)) {
    global $CONFIG, $mb_utf8_regex;
    if (function_exists('html_entity_decode')) {
      $chars = html_entity_decode($CONFIG['forbiden_fname_char'], ENT_QUOTES, 'UTF-8');
    } else {
      $chars = str_replace(array('&amp;', '&quot;', '&lt;', '&gt;', '&nbsp;', '&#39;'), array('&', '"', '<', '>', ' ', "'"), $CONFIG['forbiden_fname_char']);
    }
    preg_match_all("#$mb_utf8_regex".'|[\x00-\x7F]#', $chars, $forbidden_chars);
  }
  /**
   * $str may also come from $_POST, in this case, all &, ", etc will get replaced with entities.
   * Replace them back to normal chars so that the str_replace below can work.
   */
  $str = str_replace(array('&amp;', '&quot;', '&lt;', '&gt;'), array('&', '"', '<', '>'), $str);;

  return str_replace($forbidden_chars[0], '_', $str);
}
and replace with
Code:
function replace_forbidden($str)
{
  static $forbidden_chars;
  if (!is_array($forbidden_chars)) {
    global $CONFIG, $mb_utf8_regex;
    if (function_exists('html_entity_decode')) {
      $chars = html_entity_decode($CONFIG['forbiden_fname_char'], ENT_QUOTES, 'UTF-8');
    } else {
      $chars = str_replace(array('&amp;', '&quot;', '&lt;', '&gt;', '&nbsp;', '&#39;'), array('&', '"', '<', '>', ' ', "'"), $CONFIG['forbiden_fname_char']);
    }
    preg_match_all("#$mb_utf8_regex".'|[\x00-\x7F]#', $chars, $forbidden_chars);
  }
  /**
   * $str may also come from $_POST, in this case, all &, ", etc will get replaced with entities.
   * Replace them back to normal chars so that the str_replace below can work.
   */
  $str = str_replace(array('&amp;', '&quot;', '&lt;', '&gt;'), array('&', '"', '<', '>'), $str);;
  $return = str_replace($forbidden_chars[0], '_', $str);

  /**
  * Fix the obscure, misdocumented "feature" in Apache that causes the server
  * to process the last "valid" extension in the filename (rar exploit): replace all
  * dots in the filename except the last one with an underscore.
  */
  // This could be concatenated into a more efficient string later, keeping it in three
  // lines for better readability for now.
  $extension = ltrim(substr($return,strrpos($return,'.')),'.');
  $filenameWithoutExtension = str_replace('.' . $extension, '', $return);
  $return = str_replace('.', '_', $filenameWithoutExtension) . '.' . $extension;

  return $return;
}

The maintenance release cpg1.4.6 of course contains all previous fixes of the 1.4-series as well as several minor issues that have been reported on the bugs board. Please review the changelog that comes with the package for details.

Please do not clutter this announcement thread with individual support requests or similar, only replies that deal with the actual release are allowed - all unrelated replies will be deleted without further notice.
If you have issues with upgrading your coppermine install, post on the cpg1.4.x upgrading (http://forum.coppermine-gallery.net/index.php?board=59.0) sub-board (after having read the docs (http://coppermine-gallery.net/demo/cpg14x/docs/index.htm) and after having searched (http://forum.coppermine-gallery.net/index.php?action=search) the board).

Joachim
- Coppermine project manager -
Title: Re: Maintenance release CPG1.4.6 protects against Apache's .rar vulnerability
Post by: Joachim Müller on May 19, 2006, 09:42:36 pm
This might not be obvious to everybody: the maintenance release and hotfix will not cure infected webspace (i.e. pages that have fallen victim to the xxx.php.rar exploit). It will only keep sites that haven't been hit by the attack so far from being vulnerable.
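The two points made above, the cpg1.4.6 hotfix that keeps only the last dot of an uploaded filename and the note that the hotfix does not clean up files that were uploaded before it, can be illustrated with a small Python rendering. This is an added example, not Coppermine's own code and not a port of the PHP hotfix: the forbidden-character set and the list of script extensions are constructed assumptions for the example, and the dot handling uses rpartition, so a name like a.jpg.b.jpg is rewritten slightly differently than the PHP str_replace would. It also guards the case of a name with no dot at all, which the PHP snippet would turn into name.name (not a problem for Coppermine, which only accepts files with an allowed extension, but worth handling in a general sanitizer). The second function is a defender's check over an existing upload directory listing for the multi-extension pattern the thread describes (xxx.php.rar), which is what the hotfix cannot retroactively fix.

```python
import os
from typing import List

# Constructed for this example: characters treated as forbidden in a filename.
# Coppermine takes its own set from $CONFIG['forbiden_fname_char'].
FORBIDDEN_CHARS = set(' /\\:*?"\'<>|&')

# Constructed for this example: extensions that a multi-extension-aware Apache
# handler mapping (AddHandler for several suffixes) may act on even when they
# are not the final extension of the file.
SCRIPT_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "pl", "py", "cgi", "sh"}


def replace_forbidden(name: str) -> str:
    """Sanitize an upload filename: replace forbidden characters with '_' and
    turn every dot except the last one into '_', so that only one extension
    survives for the web server to interpret."""
    # Step 1: character-level replacement, as the original function did.
    out = "".join("_" if c in FORBIDDEN_CHARS else c for c in name)

    # Step 2: keep only the final dot. rpartition splits on the LAST dot.
    stem, sep, ext = out.rpartition(".")
    if not sep or not stem:
        # No dot at all ("README") or only a leading dot (".htaccess"): there
        # is no inner dot to rewrite, return the name unchanged.
        return out
    return stem.replace(".", "_") + "." + ext


def has_hidden_script_extension(name: str) -> bool:
    """True when a script extension sits between the stem and the final
    extension, e.g. 'xxx.php.rar'. Such names can only exist for files that
    were uploaded before the single-dot rule was in place."""
    parts = os.path.basename(name).lower().split(".")
    # parts[0] is the stem, parts[-1] the extension the upload check saw;
    # anything in between is what Apache's multi-extension handling may use.
    return any(p in SCRIPT_EXTENSIONS for p in parts[1:-1])


def find_suspicious(listing: List[str]) -> List[str]:
    """Filter a directory listing down to names that need a look."""
    return [n for n in listing if has_hidden_script_extension(n)]


# Constructed sample listing of an albums/userpics folder (not real data).
SAMPLE_LISTING = ["photo.jpg", "xxx.php.rar", "notes.txt", "doc.pl.gif", "xxx_php.rar"]


if __name__ == "__main__":
    for raw in ["xxx.php.rar", "holiday photo.jpg", "README", ".htaccess"]:
        print(f"{raw!r:22} -> {replace_forbidden(raw)!r}")
    print("needs review:", find_suspicious(SAMPLE_LISTING))
```

Running the block prints how each sample name is rewritten and which entries of the constructed listing still carry an inner script extension; on a live install the listing would come from os.listdir() on the upload folders.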
Title: Re: Maintenance release CPG1.4.6 protects against Apache's .rar vulnerability
Post by: Joachim Müller on May 20, 2006, 06:08:48 am
I removed a reply to this thread for the same reason I posted in my edit at the top of "Patch file from 1.4.4 to 1.4.5 for modified by MODs sites (http://forum.coppermine-gallery.net/index.php?topic=30655.msg141914#msg141914)". Start a thread of your own, and don't make your reply stand out unnecessarily. The method described in your posting is not meant for everybody, only for very advanced users. Those advanced users should be capable of following your instructions in the thread mentioned above.
Title: Re: Maintenance release CPG1.4.6 protects against Apache's .rar vulnerability
Post by: pacimir on May 23, 2006, 09:48:09 pm
What about 1.3.5 ?
Is there fix for it ?
Title: Re: Maintenance release CPG1.4.6 protects against Apache's .rar vulnerability
Post by: Joachim Müller on May 24, 2006, 12:44:13 am
yes: the fix is to upgrade. If you don't want to/can't, then apply the suggested hotfix. Don't ask cpg1.3.x-related questions on a thread that deals with the announcement of another version.
Title: Re: Maintenance release CPG1.4.6 protects against Apache's .rar vulnerability
Post by: birddog on June 06, 2006, 12:17:23 pm
Thank you GauGau for the update.
Title: Re: Maintenance release CPG1.4.6 protects against Apache's .rar vulnerability
Post by: jon_miner on June 09, 2006, 10:23:19 pm
yes: the fix is to upgrade. If you don't want to/can't, then apply the suggested hotfix. Don't ask cpg1.3.x-related questions on a thread that deals with the announcement of another version.

1. Don't be an ass when someone asks a question.  This thread is not only about the 1.4.6 version, it's also about protecting against the .rar vulnerability.
2. The "hotfix" doesn't apply to 1.3.x, is there a "hotfix" for 1.3.x, or are we all just left out to dry?

jon
Title: Re: Maintenance release CPG1.4.6 protects against Apache's .rar vulnerability
Post by: Paver on June 09, 2006, 11:27:43 pm
1. Don't be an ass when someone asks a question.  This thread is not only about the 1.4.6 version, it's also about protecting against the .rar vulnerability.
2. The "hotfix" doesn't apply to 1.3.x, is there a "hotfix" for 1.3.x, or are we all just left out to dry?

Let's try some understanding.  I think it's clear from Joachim's post that he assumed the hotfix works for 1.3.x.  This is a mistaken assumption, but that's all it is: a mistake.

So let's move on and address your report that the hotfix is not applicable to 1.3.x since there is no function replace_forbidden().  I am looking into writing a hotfix now.  It will be slightly more complicated than the 1.4.x fix.  We need to move this discussion to the cpg1.3 board.  I don't think there's a thread over there now.  I'll post once I have written the hotfix with a link here.

edit: Instead of "now", let's say "today or tomorrow".  There are about a dozen or so forbidden-character replacements in 5 scripts for 1.3.5.  Now I see why a separate function is useful.  I'm thinking adding the function and then replacing those 5 references to function calls is probably the best way to go (and easiest to write up as a hotfix).
Title: Re: Maintenance release CPG1.4.6 protects against Apache's .rar vulnerability
Post by: Joachim Müller on June 10, 2006, 10:39:59 am
The "hotfix" doesn't apply to 1.3.x, is there a "hotfix" for 1.3.x, or are we all just left out to dry?
As Paver suggested: there apparently is no hotfix for cpg1.3.x available yet. I'm glad he volunteered to come up with one.
Please keep in mind though that support for cpg1.3.x is running out pretty soon. All who run cpg1.3.x should seriously consider upgrading now.
I find it rude though to reply with cpg1.3.x issues on a thread that is clearly labelled cpg1.4.x-only, with a clear statement in the initial announcement not to post unrelated things, as you're making this thread useless for the users it was intended for (the vast majority of coppermine users is already running cpg1.4.x).
Title: Re: Maintenance release CPG1.4.6 protects against Apache's .rar vulnerability
Post by: Paver on June 11, 2006, 07:07:23 am
The HOTFIX for Coppermine 1.3.x is available here:
http://forum.coppermine-gallery.net/index.php?topic=32537.0 (http://forum.coppermine-gallery.net/index.php?topic=32537.0)

If you have any questions at all, support or otherwise, reply to that post, *not* here.
Title: Re: Maintenance release CPG1.4.6 protects against Apache's .rar vulnerability
Post by: Xerom on November 06, 2009, 05:06:12 am
This has been fixed by coppermine, however if you want to know how to deny execution of scripts in any folder, you can create a .htaccess file and place it into the folder then add the following to it:

RemoveHandler cgi-script .pl .py .jsp .asp .htm .shtml .sh .cgi .php
RemoveHandler php5-script .php

Instead of executing the script, it just displays the script code as text in the browser.

As a precaution I placed this in /albums/userpics/.htaccess and /albums/edit/.htaccess, which seems to have solved my problem and given me peace of mind.