Author Topic: Patch for Coppermine 1.4.3 remote code execution - Update NOW!  (Read 66659 times)
Tarique Sani Topic starter
Dev Team member
****
Gender: Male
Posts: 2711



WWW
« on: February 18, 2006, 12:41:45 pm »

A remote code execution flaw was detected in Coppermine Picture Gallery 1.4.3 - this affects installations where user registrations are allowed and users are allowed to upload files. However it is strongly recommended that everyone patches their installations.

To manually patch your install, open the file include/init.inc.php and find the line
Code:
$USER['lang'] = $_GET['lang']; 
This is around line 301. Replace it with the line below
Code:
$USER['lang'] = ereg("^[a-z0-9_-]*$", $_GET['lang']) ? $_GET['lang'] : $CONFIG['lang'];

Next, open the file docs/showdocs.php and find the line
Code:
@include($file);
This is around line 51. Replace it with the line below
Code:
@include('index.htm');

That's it! If editing code is not your cup of tea, then use the files in the zip attached.

Thanks to rgod http://retrogod.altervista.org/ for discovering these flaws and thanks to the dev team members Amit and Abbas for helping me fix this.

Once again - this is a nasty one - PATCH NOW! or be OWNED!!

[edit GauGau]
New package cpg1.4.4 that includes the above mentioned patch has been released, see announcement thread "Coppermine maintenance release cpg1.4.4 - upgrade as soon as possible"
[/edit]

* patch.zip (6.74 KB - downloaded 2886 times.)
« Last Edit: April 21, 2006, 08:11:08 am by GauGau » Logged

SANIsoft PHP applications for E Biz
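
The validation idea behind the `lang` fix above, written for current PHP as an added example (not Coppermine's code and not part of the original post): `ereg()` was removed in PHP 7.0, so this uses `preg_match()` and also checks the name against the language files that are actually installed. The function name `select_lang`, the `*.php` language-file layout and the sample values are assumptions made for illustration.

```php
<?php
// Added example, not Coppermine code; names and layout are hypothetical.

// Return a language name that is safe to use as a file-name component,
// or $default (the role $CONFIG['lang'] plays in the patch) when the
// request value is missing, malformed or not installed.
function select_lang($requested, string $default, string $langDir): string
{
    // Arrays (?lang[]=x) and other non-strings are rejected outright.
    if (!is_string($requested)) {
        return $default;
    }
    // Same character class as the patch; \A and \z anchor the whole string
    // (a bare $ would tolerate a trailing newline) and the length is capped.
    if (preg_match('/\A[a-z0-9_-]{1,32}\z/', $requested) !== 1) {
        return $default;
    }
    // Second layer: the name must belong to a language file that exists.
    $installed = [];
    foreach (glob($langDir . '/*.php') ?: [] as $path) {
        $installed[] = basename($path, '.php');
    }
    return in_array($requested, $installed, true) ? $requested : $default;
}

// Constructed demo data: a temporary directory holding two language files.
$dir = sys_get_temp_dir() . '/lang_demo_' . getmypid();
@mkdir($dir);
touch("$dir/english.php");
touch("$dir/german.php");

// Constructed request values: one valid name, then values that must fall back.
$samples = ['german', 'GERMAN', 'klingon', 'lang/german', 'german.php',
            "german\n", ['german'], ''];
foreach ($samples as $value) {
    printf("%-14s => %s\n", json_encode($value),
           select_lang($value, 'english', $dir));
}

// Remove the demo files again.
array_map('unlink', glob("$dir/*.php"));
rmdir($dir);
```

Only the first sample is returned unchanged; every other value falls back to the default language.
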
TranzNDance
Dev Team member
****
Gender: Female
United States

Posts: 6148



WWW
« Reply #1 on: February 18, 2006, 06:49:54 pm »

Thank you Tarique, Amit, and Abbas.

I tried using CVS to do the update but the changes weren't there so I have committed the changes.
Logged

no1wammy
Coppermine newbie

Posts: 8


« Reply #2 on: February 21, 2006, 09:33:10 pm »

Patch applied. And I was just about to bridge my two forums, too.

Code:
$USER['lang'] = $_GET['lang'];
Code:
$USER['lang'] = ereg("^[a-z0-9_-]*$", $_GET['lang']) ? $_GET['lang'] : $CONFIG['lang'];
Code:
@include($file);
Code:
@include('index.htm');

Would you please explain what these four codes do, and how they relate to the remote code execution flaw?
Logged
Paver
Dev Team member
****
Gender: Male
United States

Posts: 1606


Paul Van Rompay


« Reply #3 on: February 22, 2006, 06:37:40 am »

It is generally best to avoid giving a "how to" on security issues.  If you don't know why those lines are dangerous, all you need to know is that they are, and if you've applied the fixes, you're safe.
Logged
fredag
Coppermine newbie

Posts: 1


« Reply #4 on: February 22, 2006, 10:00:38 am »

On the front page of your web site, you call the security flaw which was recently discovered a "cross site scripting vulnerability". It seems you are deliberately playing down the seriousness of this security flaw. Secunia labels it "System access From remote" and "The vulnerability can be further exploited by users who are allowed to upload image files to execute arbitrary PHP code." It seems to me that is rather more serious than just "cross site scripting".

Given the seriousness of the security flaw which was discovered, shouldn't you guys have released a new proper version of coppermine yesterday or the day before, and not just expect people to patch? By not releasing a new proper version, sysadmins can't tell their users to just upgrade to the latest version of coppermine, because your latest version (1.4.3) is vulnerable.

Also: The so-called "patch" you have outlined only works on version 1.4.3 and not older versions like 1.3.3. Perhaps you should post some info on the various versions of coppermine and their security status? Which is safe to use and which is not.

As Tarique described it: "This is a nasty one".


-fredag
« Last Edit: February 22, 2006, 10:08:10 am by fredag@oien.net » Logged
Joachim Müller
Dev Team member
****
Gender: Male
Germany

Posts: 47735


aka "GauGau"


WWW
« Reply #5 on: February 22, 2006, 10:13:01 am »

1) cpg1.3.x isn't affected by the vulnerability as far as I can tell
2) we're currently working on a maintenance release
Logged
Tarique Sani Topic starter
Dev Team member
****
Gender: Male
Posts: 2711



WWW
« Reply #6 on: February 22, 2006, 10:30:00 am »

@fredag: Given the fact that only two files need to be replaced, asking people to reinstall everything is being a plain PIA - for those who cannot patch, a zip with correct files was provided...

While I agree that the website front page should be updated ASAP the points mentioned by Gaugau stand.

@Gaugau - time we declared 1.3.x as unsupported and removed all those downloads - Upgrade or perish!
Logged

SANIsoft PHP applications for E Biz
Nibbler
Dev Team member
****
Gender: Male
United Kingdom

Posts: 19724



« Reply #7 on: February 22, 2006, 01:29:52 pm »

It's the same fix for 1.3, which is vulnerable.

find

Code:
$USER['lang'] = $HTTP_GET_VARS['lang'];

replace with

Code:
$USER['lang'] = ereg("^[a-z0-9_-]*$", $HTTP_GET_VARS['lang']) ? $HTTP_GET_VARS['lang'] : $CONFIG['lang'];
Logged

I don't care about what they say, I won't live or die that way.
SpearCreations
Coppermine newbie

Posts: 9


« Reply #8 on: February 22, 2006, 02:59:29 pm »

I have a question: I just downloaded Coppermine Gallery 1.4.3 last night. Does this mean I have to also run the patch? Just curious, thank you kindly.
Logged
SpearCreations
Coppermine newbie

Posts: 9


« Reply #9 on: February 22, 2006, 03:04:24 pm »

I have a question: I just downloaded Coppermine Gallery 1.4.3 last night. Does this mean I have to also run the patch? Just curious, thank you kindly. And if I do have to add the patch, where exactly do I put it... Keep in mind I'm computer stupid at this point, but I did manage to get it up and running last night.
Logged
Joachim Müller
Dev Team member
****
Gender: Male
Germany

Posts: 47735


aka "GauGau"


WWW
« Reply #10 on: February 22, 2006, 03:05:07 pm »

Yes, you have to apply the patch as well. Right now we're preparing a cpg1.4.4 maintenance release that will include the fix.
CPG1.4.3 or older doesn't contain the fix, you have to apply it manually.
Logged
SpearCreations
Coppermine newbie

Posts: 9


« Reply #11 on: February 22, 2006, 03:40:34 pm »

Ughhhhh, I just knew you were going to say that... I'm not very good at PHP... and do I also have to download the maintenance as well? I assumed that the 1.43 was stable... and had all the upgrades. Thanks for your help!
« Last Edit: February 22, 2006, 03:46:19 pm by SpearCreations » Logged
TranzNDance
Dev Team member
****
Gender: Female
United States

Posts: 6148



WWW
« Reply #12 on: February 22, 2006, 03:46:26 pm »

If you know how to make a backup copy of the file (for just in case), and edit text in wordpad or notepad, you can do it.

Or you can download the attachment that contains the files in the first post.
Logged

SpearCreations
Coppermine newbie

Posts: 9


« Reply #13 on: February 22, 2006, 03:54:57 pm »

Well, see, I took a basic HTML course and opened up Crimson Editor, searched, found and saved what I needed... Now I just need to upload these new files to my website. Plus I had my hubby stand behind me while I was doing it, lol. He's a computer tech person; he can write Java but not PHP... Thanks for all your help.
Logged
Fotomaf
Coppermine novice
*
Gender: Male
Posts: 30

www.fotomaf.com gallery


WWW
« Reply #14 on: February 22, 2006, 04:51:04 pm »

Applied!

thanks!
Logged

solarian
Coppermine newbie

Posts: 4


« Reply #15 on: February 25, 2006, 05:07:12 pm »

I think this illustrates the usefulness of an announcements RSS feed. I have subscribed to this forum for now, but RSS is obviously the way forward. It would be quite simple to hand-code a static RSS file for the purpose. Please consider this...
Logged
Nibbler
Dev Team member
****
Gender: Male
United Kingdom

Posts: 19724



« Reply #16 on: February 25, 2006, 05:08:01 pm »

RSS feed is planned.
Logged

I don't care about what they say, I won't live or die that way.
Fabrian
Coppermine frequent poster
***
Posts: 113


« Reply #17 on: February 26, 2006, 01:40:44 am »

Has anyone noticed a slower load time? I can't tell if it's the patch or my ISP...
Logged
Nibbler
Dev Team member
****
Gender: Male
United Kingdom United Kingdom

Posts: 19724



« Reply #18 on: February 26, 2006, 02:59:34 am »

Any slowdown caused by the patch would be insignificant.
Logged

I don't care about what they say, I won't live or die that way.
Joachim Müller
Dev Team member
****
Gender: Male
Germany

Posts: 47735


aka "GauGau"


WWW
« Reply #19 on: February 26, 2006, 12:51:39 pm »

New package cpg1.4.4 that includes the above mentioned patch has been released, see announcement thread "Coppermine maintenance release cpg1.4.4 - upgrade as soon as possible"
Logged