Advanced search  

News:

cpg1.5.48 Security release - upgrade mandatory!
The Coppermine development team is releasing a security update for Coppermine in order to counter a recently discovered vulnerability. It is important that all users who run version cpg1.5.46 or older update to this latest version as soon as possible.
[more]

Pages: [1] 2 3   Go Down

Author Topic: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*  (Read 181514 times)

0 Members and 1 Guest are viewing this topic.

Joachim Müller

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 47843
  • aka "GauGau"
    • gaugau.de

A XSS vulnerability has been found in EXIF data. As Coppermine is capable of displaying EXIF data, everybody who runs coppermine (any version) will have to apply this security fix as soon as possible:
  • users running cpg1.3.3 should download the file attached, rename it from "displayimage.txt" to "displayimage.php" and upload it to their webserver into the coppermine root folder, replacing the existing file on the server.
  • users running any previous version should upgrade to cpg1.3.4, as there are several other things that have been fixed. If you can't do this now, make sure to fix the vulnerability: Edit displayimage.php with a text editor, find
    Code: [Select]
        if (isset($exif) && is_array($exif)) {and replace with
    Code: [Select]
        if (isset($exif) && is_array($exif)) {
            //Sanitize the data - to fix the XSS vulnerability - Aditya
            foreach ($exif as $key=>$data) {
              $exif[$key] = htmlentities(strip_tags(trim($data,"\x7f..\xff\x0..\x1f")),ENT_QUOTES); //sanitize data against sql/html injection; trim any nongraphical non-ASCII character:
            }
    Next, find
    Code: [Select]
    if (isset($iptc) && is_array($iptc)) {
            if (isset($iptc['Title'])) $info[$lang_picinfo['iptcTitle']] = trim($iptc['Title']);
            if (isset($iptc['Copyright'])) $info[$lang_picinfo['iptcCopyright']] = trim($iptc['Copyright']);
            if (!empty($iptc['Keywords'])) $info[$lang_picinfo['iptcKeywords']] = trim(implode(" ",$iptc['Keywords']));
            if (isset($iptc['Category'])) $info[$lang_picinfo['iptcCategory']] = trim($iptc['Category']);
            if (!empty($iptc['SubCategories'])) $info[$lang_picinfo['iptcSubCategories']] = trim(implode(" ",$iptc['SubCategories']));
        }
    and replace with
    Code: [Select]
    if (isset($iptc) && is_array($iptc)) {
            //Sanitize the data - to fix the XSS vulnerability - Aditya
            foreach ($iptc as $key=>$data) {
              $iptc[$key] = htmlentities(strip_tags(trim($data,"\x7f..\xff\x0..\x1f")),ENT_QUOTES); //sanitize data against sql/html injection; trim any nongraphical non-ASCII character:
            }
            if (isset($iptc['Title'])) $info[$lang_picinfo['iptcTitle']] = trim($iptc['Title']);
            if (isset($iptc['Copyright'])) $info[$lang_picinfo['iptcCopyright']] = trim($iptc['Copyright']);
            if (!empty($iptc['Keywords'])) $info[$lang_picinfo['iptcKeywords']] = trim(implode(" ",$iptc['Keywords']));
            if (isset($iptc['Category'])) $info[$lang_picinfo['iptcCategory']] = trim($iptc['Category']);
            if (!empty($iptc['SubCategories'])) $info[$lang_picinfo['iptcSubCategories']] = trim(implode(" ",$iptc['SubCategories']));
        }
    .
     Save your edits, then upload the edited file to your webserver, overwriting the exiting one.
  • users running the devel version cpg1.4.x: make sure to update all your files from the cvs as suggested in the sticky thread on the cpg1.4 testing/bugs board.
  • users running unsupported ports (especially those who run the deprecated nuke ports): we have no idea if the vulnerability exists in your code as well, but you should take a look at it and use the fix if applicable
I will package up a new stable release (cpg1.3.4) that will be available soon. It will contain the fix discussed in this thread.
[edit GauGau]
New package released: a brand new package cpg1.3.4 has been released that contains the above mentioned fix. - Download cpg1.3.4
[/edit]

Joachim

[edit]
Fixed the bug described below, uploaded new file and changed the instructions above accordingly. - Aditya
[/edit]

« Last Edit: September 25, 2005, 12:40:11 pm by GauGau »
Logged

pirx

  • Coppermine newbie
  • Offline Offline
  • Posts: 10
Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
« Reply #1 on: August 19, 2005, 11:02:40 am »

Hi,

I replaced displayimage.php with the attached version. Now I get the following error messages:

Warning: implode(): Bad arguments. in /var/www/cpg133/displayimage.php on line 334
Warning: implode(): Bad arguments. in /var/www/cpg133/displayimage.php on line 336

Ralf
Logged

Tarique Sani

  • VIP
  • Coppermine addict
  • ***
  • Offline Offline
  • Gender: Male
  • Posts: 2712
    • http://tariquesani.net
Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
« Reply #2 on: August 19, 2005, 11:39:47 am »

Had you enabled IPTC info before applying the above file - the line numbers you are saying are not the ones that were changed

[edit]
Yes - you are right bug is a side effect of the security fix :(
[/]edit]
« Last Edit: August 19, 2005, 11:47:32 am by Tarique Sani »
Logged
SANIsoft PHP applications for E Biz

pirx

  • Coppermine newbie
  • Offline Offline
  • Posts: 10
Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
« Reply #3 on: August 19, 2005, 12:43:25 pm »

Hi,

the new displayimage.php fixed the problem. Thank you!

Ralf
Logged

stock

  • Coppermine frequent poster
  • ***
  • Offline Offline
  • Posts: 109
Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
« Reply #4 on: August 19, 2005, 12:56:30 pm »

Just wanted to check you mean the yellow band that kept coming up with pic info on it? I did wonder and was going to ask, but now this seem to have cured it thanks.

Stock
Logged

vuud

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 1803
  • [cpmfetch.fistfullofcode.com]
    • Fist Full Of Code
Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
« Reply #5 on: August 21, 2005, 07:56:45 pm »


Hi,

First off thanks for the work in releasing a security fix!

Second, how does it affect the beta 1.4?

Thanks

Vuud
Logged
Please post for help to the forum... PM me only if you are sending security related items (passwords, security problems, etc).

cpmFetch - Images, RSS feeds from CPG from outside CPG
New release notification signup also. 
See http://cpmfetch.fistfullofco

kegobeer

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 4637
  • Beer - it does a body good!
    • The Kazebeer Family Website
Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
« Reply #6 on: August 21, 2005, 09:32:36 pm »

Grab the latest files from the CVS and you'll be good to go.
Logged
Do not send me a private message unless I ask for one.  Make your post public so everyone can benefit.

There are no stupid questions
But there are a LOT of inquisitive idiots

vuud

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 1803
  • [cpmfetch.fistfullofcode.com]
    • Fist Full Of Code
Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
« Reply #7 on: August 21, 2005, 09:40:55 pm »

Grab the latest files from the CVS and you'll be good to go.

Okay! 

Thanks
Logged
Please post for help to the forum... PM me only if you are sending security related items (passwords, security problems, etc).

cpmFetch - Images, RSS feeds from CPG from outside CPG
New release notification signup also. 
See http://cpmfetch.fistfullofco

Tranz

  • Dev Team member
  • Coppermine addict
  • ****
  • Country: 00
  • Offline Offline
  • Gender: Female
  • Posts: 6149
Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
« Reply #8 on: August 21, 2005, 10:30:11 pm »

If someone does not allow other people to upload files, would this keep the gallery from being vulnerable to this?
Logged

autumn_whispers2me

  • Coppermine novice
  • *
  • Offline Offline
  • Gender: Female
  • Posts: 27
    • Autumn Whispers to Me
Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
« Reply #9 on: August 22, 2005, 12:21:46 am »

I'm running XP and am used to 2000 prof.  XP doesn't seem to allow extension changes, so how would I change the file from .txt to .php ?  Thanks.  :)
Logged
Come to the dark side.  We've got cookies!  :D
(http://www.autumnwhisperstome.com/sigs/awtmmedievalsig.jpg)

kegobeer

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 4637
  • Beer - it does a body good!
    • The Kazebeer Family Website
Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
« Reply #10 on: August 22, 2005, 12:35:25 am »

Tools - folder options - view - hide extensions for known file types.  Rename away.
Logged
Do not send me a private message unless I ask for one.  Make your post public so everyone can benefit.

There are no stupid questions
But there are a LOT of inquisitive idiots

Joachim Müller

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 47843
  • aka "GauGau"
    • gaugau.de
Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
« Reply #11 on: August 22, 2005, 07:51:51 am »

I have just released the new package cpg1.3.4 that contains above mentioned fix - see the very first posting in this thread.
Logged

maolu

  • Coppermine newbie
  • Offline Offline
  • Posts: 19
Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
« Reply #12 on: August 22, 2005, 12:42:52 pm »

[edit GauGau]
New package released: a brand new package cpg1.3.4 has been released that contains the above mentioned fix. - Download cpg1.3.4
[/edit]

Everytime I visit my coppermine gallery a Microsoft Outlook Installer takes place and i cannot understand the reason why, but it really seems some kind of malware.
I tested on several machines and since this thing started this morning (italian time) i suppose it's related to this bug, but even if i upload the new coppermine version (1.3.4) the problem still remains.

I have to say the problem appears ONLY in Coppermine's pages and you can find it here (if you dare...) www.maolu.it/gallery

Could this be related to the XSS vulnerability?

A kind thanks for your work
« Last Edit: August 22, 2005, 05:59:40 pm by GauGau »
Logged

maolu

  • Coppermine newbie
  • Offline Offline
  • Posts: 19
Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
« Reply #13 on: August 22, 2005, 12:43:39 pm »

OK solved...

i wasn't able to see the changings 'cause of my workingplace's proxy.

Excuseme everybody
 :-[
« Last Edit: August 22, 2005, 06:00:00 pm by GauGau »
Logged

canelli

  • Translator
  • Coppermine novice
  • **
  • Offline Offline
  • Gender: Male
  • Posts: 36
  • Fetched by CpmFetch
    • Centro Vela Dervio Sailing club
Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
« Reply #14 on: August 22, 2005, 04:23:04 pm »

Quote
Everytime I visit my coppermine gallery a Microsoft Outlook Installer takes place and i cannot understand the reason why, but it really seems some kind of malware

I'm visiting your gallery and no strange action take place.  You are not using exiff data in your picture. so your problems are not related with tihs bug.  Check your PC, clear the bowser cache, and try again

claudio
« Last Edit: August 22, 2005, 06:00:14 pm by GauGau »
Logged

Joachim Müller

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 47843
  • aka "GauGau"
    • gaugau.de
Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
« Reply #15 on: August 22, 2005, 05:59:23 pm »

maolu has already resolved the issues he/she experienced: it wasn't coppermine acting up, but improper proxy settings. The whole issue is not related to the XSS vulnerability nor the fix, so I'm marking the postings that deal with it as "invalid".

@all: please do only reply to announcement threads like this one if you have something to say that everyone could benefit from (e.g. a broken link or similar). Individual issues you might consider to be related to XSS vulnerabilities should not go into this thread - start a new thread instead on the support board. Help us to keep announcement threads clean and focused on the issues they deal with. If announcement threads drift to much or contain irrelevant information, other users might miss important stuff because of the "background noise". We had to lock most announcement threads soon after they were started because people replied with irrelevant issues. Try not to mess with this thread as well, it'd be a pity if we had to lock it as we had to in the past.
Logged

odie3

  • Coppermine novice
  • *
  • Offline Offline
  • Gender: Male
  • Posts: 41
  • Ghost Dogs Admin
    • Ghost Dogs HQ
Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
« Reply #16 on: August 22, 2005, 07:33:26 pm »

Question:

This file [displayimage.php] makes a Coppermine install 1.3.3 into 1.3.4?  Or should 1.3.3 users download 1.3.4 release and upgrade?  I hope this reply is okay in this thread, if not sorry.
Logged
Odie3

Joachim Müller

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 47843
  • aka "GauGau"
    • gaugau.de
Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
« Reply #17 on: August 22, 2005, 07:59:17 pm »

  • users running cpg1.3.3 should download the file attached, rename it from "displayimage.txt" to "displayimage.php" and upload it to their webserver into the coppermine root folder, replacing the existing file on the server.
Logged

odie3

  • Coppermine novice
  • *
  • Offline Offline
  • Gender: Male
  • Posts: 41
  • Ghost Dogs Admin
    • Ghost Dogs HQ
Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
« Reply #18 on: August 22, 2005, 08:02:05 pm »

Yes I read that but I guess what I really wanted to know if I should update my Coppermine to version 1.3.4 [which I assume is stored in the DB].
Logged
Odie3

Nibbler

  • Guest
Re: Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
« Reply #19 on: August 22, 2005, 08:23:35 pm »

You don't need to do anything with your database. The version number is stored in include/init.inc.php
Logged
Pages: [1] 2 3   Go Up
 

Page created in 0.038 seconds with 20 queries.