Security fix for coppermine: EXIF XSS vulnerability *MUST READ*

[Joachim Müller]

A XSS vulnerability has been found in EXIF data. As Coppermine is capable of displaying EXIF data, everybody who runs coppermine (any version) will have to apply this security fix as soon as possible:

• users running cpg1.3.3 should download the file attached, rename it from "displayimage.txt" to "displayimage.php" and upload it to their webserver into the coppermine root folder, replacing the existing file on the server.
• users running any previous version should upgrade to cpg1.3.4, as there are several other things that have been fixed. If you can't do this now, make sure to fix the vulnerability: Edit displayimage.php with a text editor, find
  Code:
      if (isset($exif) && is_array($exif)) {
  and replace with
  Code:
      if (isset($exif) && is_array($exif)) {
          //Sanitize the data - to fix the XSS vulnerability - Aditya
          foreach ($exif as $key=>$data) {
            $exif[$key] = htmlentities(strip_tags(trim($data,"\x7f..\xff\x0..\x1f")),ENT_QUOTES); //sanitize data against sql/html injection; trim any nongraphical non-ASCII character:
          }
  Next, find
  
  Code:
  if (isset($iptc) && is_array($iptc)) {
          if (isset($iptc['Title'])) $info[$lang_picinfo['iptcTitle']] = trim($iptc['Title']);
          if (isset($iptc['Copyright'])) $info[$lang_picinfo['iptcCopyright']] = trim($iptc['Copyright']);
          if (!empty($iptc['Keywords'])) $info[$lang_picinfo['iptcKeywords']] = trim(implode(" ",$iptc['Keywords']));
          if (isset($iptc['Category'])) $info[$lang_picinfo['iptcCategory']] = trim($iptc['Category']);
          if (!empty($iptc['SubCategories'])) $info[$lang_picinfo['iptcSubCategories']] = trim(implode(" ",$iptc['SubCategories']));
      }
  and replace with
  
  Code:
  if (isset($iptc) && is_array($iptc)) {
          //Sanitize the data - to fix the XSS vulnerability - Aditya
          foreach ($iptc as $key=>$data) {
            $iptc[$key] = htmlentities(strip_tags(trim($data,"\x7f..\xff\x0..\x1f")),ENT_QUOTES); //sanitize data against sql/html injection; trim any nongraphical non-ASCII character:
          }
          if (isset($iptc['Title'])) $info[$lang_picinfo['iptcTitle']] = trim($iptc['Title']);
          if (isset($iptc['Copyright'])) $info[$lang_picinfo['iptcCopyright']] = trim($iptc['Copyright']);
          if (!empty($iptc['Keywords'])) $info[$lang_picinfo['iptcKeywords']] = trim(implode(" ",$iptc['Keywords']));
          if (isset($iptc['Category'])) $info[$lang_picinfo['iptcCategory']] = trim($iptc['Category']);
          if (!empty($iptc['SubCategories'])) $info[$lang_picinfo['iptcSubCategories']] = trim(implode(" ",$iptc['SubCategories']));
      }
  
  .
   Save your edits, then upload the edited file to your webserver, overwriting the exiting one.
  
• users running the devel version cpg1.4.x: make sure to update all your files from the cvs as suggested in the sticky thread on the cpg1.4 testing/bugs board.
• users running unsupported ports (especially those who run the deprecated nuke ports): we have no idea if the vulnerability exists in your code as well, but you should take a look at it and use the fix if applicable

I will package up a new stable release (cpg1.3.4) that will be available soon. It will contain the fix discussed in this thread.
[edit GauGau]
New package released: a brand new package cpg1.3.4 has been released that contains the above mentioned fix. - Download cpg1.3.4
[/edit]

Joachim

[edit]
Fixed the bug described below, uploaded new file and changed the instructions above accordingly. - Aditya
[/edit]

[pirx]

Hi,

I replaced displayimage.php with the attached version. Now I get the following error messages:

Warning: implode(): Bad arguments. in /var/www/cpg133/displayimage.php on line 334
Warning: implode(): Bad arguments. in /var/www/cpg133/displayimage.php on line 336

Ralf

[Tarique Sani]

Had you enabled IPTC info before applying the above file - the line numbers you are saying are not the ones that were changed

[edit]
Yes - you are right bug is a side effect of the security fix
[/]edit]

[pirx]

Hi,

the new displayimage.php fixed the problem. Thank you!

Ralf

[stock]

Just wanted to check you mean the yellow band that kept coming up with pic info on it? I did wonder and was going to ask, but now this seem to have cured it thanks.

Stock

[vuud]

Hi,

First off thanks for the work in releasing a security fix!

Second, how does it affect the beta 1.4?

Thanks

Vuud

[kegobeer]

Grab the latest files from the CVS and you'll be good to go.

[vuud]

Grab the latest files from the CVS and you'll be good to go.

Okay! 

Thanks

[TranzNDance]

If someone does not allow other people to upload files, would this keep the gallery from being vulnerable to this?

[autumn_whispers2me]

I'm running XP and am used to 2000 prof.  XP doesn't seem to allow extension changes, so how would I change the file from .txt to .php ?  Thanks. 

[kegobeer]

Tools - folder options - view - hide extensions for known file types.  Rename away.

[Joachim Müller]

I have just released the new package cpg1.3.4 that contains above mentioned fix - see the very first posting in this thread.

[maolu]

[edit GauGau]
New package released: a brand new package cpg1.3.4 has been released that contains the above mentioned fix. - Download cpg1.3.4
[/edit]

Everytime I visit my coppermine gallery a Microsoft Outlook Installer takes place and i cannot understand the reason why, but it really seems some kind of malware.
I tested on several machines and since this thing started this morning (italian time) i suppose it's related to this bug, but even if i upload the new coppermine version (1.3.4) the problem still remains.

I have to say the problem appears ONLY in Coppermine's pages and you can find it here (if you dare...) www.maolu.it/gallery

Could this be related to the XSS vulnerability?

A kind thanks for your work

[maolu]

OK solved...

i wasn't able to see the changings 'cause of my workingplace's proxy.

Excuseme everybody
 

[canelli]

Everytime I visit my coppermine gallery a Microsoft Outlook Installer takes place and i cannot understand the reason why, but it really seems some kind of malware

I'm visiting your gallery and no strange action take place.  You are not using exiff data in your picture. so your problems are not related with tihs bug.  Check your PC, clear the bowser cache, and try again

claudio

[Joachim Müller]

maolu has already resolved the issues he/she experienced: it wasn't coppermine acting up, but improper proxy settings. The whole issue is not related to the XSS vulnerability nor the fix, so I'm marking the postings that deal with it as "invalid".

@all: please do only reply to announcement threads like this one if you have something to say that everyone could benefit from (e.g. a broken link or similar). Individual issues you might consider to be related to XSS vulnerabilities should not go into this thread - start a new thread instead on the support board. Help us to keep announcement threads clean and focused on the issues they deal with. If announcement threads drift to much or contain irrelevant information, other users might miss important stuff because of the "background noise". We had to lock most announcement threads soon after they were started because people replied with irrelevant issues. Try not to mess with this thread as well, it'd be a pity if we had to lock it as we had to in the past.

[odie3]

Question:

This file [displayimage.php] makes a Coppermine install 1.3.3 into 1.3.4?  Or should 1.3.3 users download 1.3.4 release and upgrade?  I hope this reply is okay in this thread, if not sorry.

[Joachim Müller]

• users running cpg1.3.3 should download the file attached, rename it from "displayimage.txt" to "displayimage.php" and upload it to their webserver into the coppermine root folder, replacing the existing file on the server.

[odie3]

Yes I read that but I guess what I really wanted to know if I should update my Coppermine to version 1.3.4 [which I assume is stored in the DB].

[Nibbler]

You don't need to do anything with your database. The version number is stored in include/init.inc.php