Author Topic: Patch for Coppermine 1.4.3 remote code execution - Update NOW!  (Read 122687 times)


Tarique Sani

  • VIP
  • Coppermine addict
  • ***
  • Offline Offline
  • Gender: Male
  • Posts: 2712
    • http://tariquesani.net
Patch for Coppermine 1.4.3 remote code execution - Update NOW!
« on: February 18, 2006, 01:41:45 pm »

A remote code execution flaw was detected in Coppermine Picture Gallery 1.4.3 - this affects installations where user registrations are allowed and users are allowed to upload files. However it is strongly recommended that everyone patches their installations.

To manually patch your install open the file include/init.inc.php find the line
Code: [Select]
$USER['lang'] = $_GET['lang'];
This is around line 301 and replace it with the line below
Code: [Select]
$USER['lang'] = ereg("^[a-z0-9_-]*$", $_GET['lang']) ? $_GET['lang'] : $CONFIG['lang'];
next open the file docs/showdocs.php find the line
Code: [Select]
@include($file);
This is around line 51 and replace it with the line below
Code: [Select]
@include('index.htm');

That's it! If editing code is not your cup of tea then use the files in the zip attached

Thanks to rgod http://retrogod.altervista.org/ for discovering these flaws and thanks to the dev team members Amit and Abbas for helping me fix this

Once again - this is a nasty one - PATCH NOW! or be OWNED!!

[edit GauGau]
New package cpg1.4.4 that includes the above mentioned patch has been released, see announcement thread "Coppermine maintenance release cpg1.4.4 - upgrade as soon as possible"
[/edit]
« Last Edit: April 21, 2006, 09:11:08 am by GauGau »
Logged
SANIsoft PHP applications for E Biz
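
A quick way to confirm that both manual edits from the post above were applied. This is an added example, not part of the original post or the Coppermine distribution; the function names, regexes and status words are this example's own, and the cpg1.3 spelling (`$HTTP_GET_VARS`) quoted in a later reply is matched too.

```shell
#!/bin/sh
# Added example: audit a Coppermine tree for the two unpatched lines quoted
# in the post above. Function and variable names are this example's own.

# Extended regexes for the unpatched lines. "." stands in for the quote
# character, whitespace is matched loosely, and both the $_GET and the
# $HTTP_GET_VARS spelling of the assignment are covered.
CPG_LANG_RE='\$USER\[.lang.][[:space:]]*=[[:space:]]*\$(_GET|HTTP_GET_VARS)\[.lang.][[:space:]]*;'
CPG_INC_RE='include[[:space:]]*\([[:space:]]*\$file[[:space:]]*\)'

# cpg_check_file ROOT RELPATH REGEX
# Prints "RELPATH: OK", "UNPATCHED" or "MISSING"; returns 0, 1 or 2 to match.
cpg_check_file() {
    if [ ! -f "$1/$2" ]; then
        echo "$2: MISSING"
        return 2
    fi
    if grep -E -q -e "$3" "$1/$2"; then
        echo "$2: UNPATCHED"
        return 1
    fi
    echo "$2: OK"
    return 0
}

# cpg_patch_status ROOT
# Checks both files named in the post. Returns 1 if either still has an
# unpatched line, 2 if a file is missing and none is unpatched, else 0.
cpg_patch_status() {
    a=0; b=0
    cpg_check_file "$1" include/init.inc.php "$CPG_LANG_RE" || a=$?
    cpg_check_file "$1" docs/showdocs.php "$CPG_INC_RE" || b=$?
    if [ "$a" -eq 1 ] || [ "$b" -eq 1 ]; then return 1; fi
    if [ "$a" -eq 2 ] || [ "$b" -eq 2 ]; then return 2; fi
    return 0
}

# Run against a directory when one is given: sh cpg_audit.sh /path/to/gallery
if [ "$#" -gt 0 ]; then
    cpg_patch_status "$1"
fi
```

An old line that was commented out rather than replaced is still reported as UNPATCHED, so inspect the file by hand in that case.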

Tranz

  • Dev Team member
  • Coppermine addict
  • ****
  • Country: 00
  • Offline Offline
  • Gender: Female
  • Posts: 6149
Re: Patch for Coppermine 1.4.3 remote code execution - Update NOW!
« Reply #1 on: February 18, 2006, 07:49:54 pm »

Thank you Tarique, Amit, and Abbas. :)

I tried using CVS to do the update but the changes weren't there so I have committed the changes.
Logged

no1wammy

  • Coppermine newbie
  • Offline Offline
  • Posts: 8
Re: Patch for Coppermine 1.4.3 remote code execution - Update NOW!
« Reply #2 on: February 21, 2006, 10:33:10 pm »

Patch applied. And I was just about to bridge my two forums, too.

Code: [Select]
$USER['lang'] = $_GET['lang'];
Code: [Select]
$USER['lang'] = ereg("^[a-z0-9_-]*$", $_GET['lang']) ? $_GET['lang'] : $CONFIG['lang'];
Code: [Select]
@include($file);
Code: [Select]
@include('index.htm');
Would you please explain what these four codes do, and how they relate to the remote code execution flaw?
Logged

Paver

  • Dev Team member
  • Coppermine addict
  • ****
  • Country: us
  • Offline Offline
  • Gender: Male
  • Posts: 1609
  • Paul V.
Re: Patch for Coppermine 1.4.3 remote code execution - Update NOW!
« Reply #3 on: February 22, 2006, 07:37:40 am »

It is generally best to avoid giving a "how to" on security issues.  If you don't know why those lines are dangerous, all you need to know is that they are, and if you've applied the fixes, you're safe.
Logged

fredag

  • Coppermine newbie
  • Offline Offline
  • Posts: 1
Re: Patch for Coppermine 1.4.3 remote code execution - Update NOW!
« Reply #4 on: February 22, 2006, 11:00:38 am »

On the front page of your web site, you call the security flaw which was recently discovered a "cross site scripting vulnerability". It seems you are deliberately playing down the seriousness of this security flaw. Secunia labels it "System access From remote" and "The vulnerability can be further exploited by users who are allowed to upload image files to execute arbitrary PHP code." It seems to me that is rather more serious than just "cross site scripting".

Given the seriousness of the security flaw which was discovered, shouldn't you guys have released a new proper version of coppermine yesterday or the day before, and not just expect people to patch? By not releasing a new proper version, sysadmins can't tell their users to just upgrade to the latest version of coppermine, because your latest version (1.4.3) is vulnerable.

Also: The so-called "patch" you have outlined only works on version 1.4.3 and not older versions like 1.3.3. Perhaps you should post some info on the various versions of coppermine and their security status? Which is safe to use and which is not.

As Tarique described it: "This is a nasty one".


-fredag
« Last Edit: February 22, 2006, 11:08:10 am by fredag@oien.net »
Logged

Joachim Müller

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 47843
  • aka "GauGau"
    • gaugau.de
Re: Patch for Coppermine 1.4.3 remote code execution - Update NOW!
« Reply #5 on: February 22, 2006, 11:13:01 am »

1) cpg1.3.x isn't affected by the vulnerability as far as I can tell
2) we're currently working on a maintenance release
Logged

Tarique Sani

  • VIP
  • Coppermine addict
  • ***
  • Offline Offline
  • Gender: Male
  • Posts: 2712
    • http://tariquesani.net
Re: Patch for Coppermine 1.4.3 remote code execution - Update NOW!
« Reply #6 on: February 22, 2006, 11:30:00 am »

@freedag: Given the fact that only two files need to be replaced, asking people to reinstall everything is being a plain PIA - for those who cannot patch, a zip with correct files was provided...

While I agree that the website front page should be updated ASAP the points mentioned by Gaugau stand.

@Gaugau - time we declared 1.3.x as unsupported and removed all those downloads - Upgrade or perish!
Logged
SANIsoft PHP applications for E Biz

Nibbler

  • Guest
Re: Patch for Coppermine 1.4.3 remote code execution - Update NOW!
« Reply #7 on: February 22, 2006, 02:29:52 pm »

It's the same fix for 1.3, which is vulnerable.

find

Code: [Select]
$USER['lang'] = $HTTP_GET_VARS['lang'];
replace with

Code: [Select]
$USER['lang'] = ereg("^[a-z0-9_-]*$", $HTTP_GET_VARS['lang']) ? $HTTP_GET_VARS['lang'] : $CONFIG['lang'];
Logged

SpearCreations

  • Coppermine newbie
  • Offline Offline
  • Posts: 9
Re: Patch for Coppermine 1.4.3 remote code execution - Update NOW!
« Reply #8 on: February 22, 2006, 03:59:29 pm »

I have a question: I just downloaded Coppermine gallery 1.4.3 last night; does this mean I also have to run the patch? Just curious, thank you kindly ;D
Logged

SpearCreations

  • Coppermine newbie
  • Offline Offline
  • Posts: 9
Re: Patch for Coppermine 1.4.3 remote code execution - Update NOW!
« Reply #9 on: February 22, 2006, 04:04:24 pm »

I have a question: I just downloaded Coppermine gallery 1.4.3 last night; does this mean I also have to run the patch? Just curious, thank you kindly ;D And if I do have to add the patch, where exactly do I put it... keep in mind I'm computer stupid at this point, but I did manage to get it up and running last night :)
Logged

Joachim Müller

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 47843
  • aka "GauGau"
    • gaugau.de
Re: Patch for Coppermine 1.4.3 remote code execution - Update NOW!
« Reply #10 on: February 22, 2006, 04:05:07 pm »

Yes, you have to apply the patch as well. Right now we're preparing a cpg1.4.4 maintenance release that will include the fix.
CPG1.4.3 or older doesn't contain the fix; you have to apply it manually.
Logged

SpearCreations

  • Coppermine newbie
  • Offline Offline
  • Posts: 9
Re: Patch for Coppermine 1.4.3 remote code execution - Update NOW!
« Reply #11 on: February 22, 2006, 04:40:34 pm »

Ughhhhh, I just knew you were going to say that... I'm not very good at PHP... and do I also have to download the maintenance as well??? I assumed that the 1.43 was stable and had all the upgrades. Thanks for your help!
« Last Edit: February 22, 2006, 04:46:19 pm by SpearCreations »
Logged

Tranz

  • Dev Team member
  • Coppermine addict
  • ****
  • Country: 00
  • Offline Offline
  • Gender: Female
  • Posts: 6149
Re: Patch for Coppermine 1.4.3 remote code execution - Update NOW!
« Reply #12 on: February 22, 2006, 04:46:26 pm »

If you know how to make a backup copy of the file (for just in case), and edit text in wordpad or notepad, you can do it.

Or you can download the attachment that contains the files in the first post.
Logged

SpearCreations

  • Coppermine newbie
  • Offline Offline
  • Posts: 9
Re: Patch for Coppermine 1.4.3 remote code execution - Update NOW!
« Reply #13 on: February 22, 2006, 04:54:57 pm »

Well, see, I took a basic HTML course and opened up Crimson Editor, searched, found and saved what I needed... now I just need to upload these new files to my website. Plus I had my hubby stand behind me while I was doing it, lol, he's a computer tech person, he can write Java but not PHP... Thanks for all your help :)
Logged

Fotomaf

  • Coppermine novice
  • *
  • Offline Offline
  • Gender: Male
  • Posts: 30
  • www.fotomaf.com gallery
    • Fotomaf Gallery
Re: Patch for Coppermine 1.4.3 remote code execution - Update NOW!
« Reply #14 on: February 22, 2006, 05:51:04 pm »

Applied!

thanks!

solarian

  • Guest
Re: Patch for Coppermine 1.4.3 remote code execution - Update NOW!
« Reply #15 on: February 25, 2006, 06:07:12 pm »

I think this illustrates the usefulness of an announcements RSS feed.  I have subscribed to this forum for now, but RSS is obviously the way forward.  It would be quite simple to hand-code a static RSS file for the purpose.  Please consider this...
Logged

Nibbler

  • Guest
Re: Patch for Coppermine 1.4.3 remote code execution - Update NOW!
« Reply #16 on: February 25, 2006, 06:08:01 pm »

RSS feed is planned.
Logged

Fabrian

  • Coppermine frequent poster
  • ***
  • Offline Offline
  • Posts: 126
Re: Patch for Coppermine 1.4.3 remote code execution - Update NOW!
« Reply #17 on: February 26, 2006, 02:40:44 am »

Has anyone noticed a slower load time? I can't tell if it's the patch or my ISP..
Logged

Nibbler

  • Guest
Re: Patch for Coppermine 1.4.3 remote code execution - Update NOW!
« Reply #18 on: February 26, 2006, 03:59:34 am »

Any slowdown caused by the patch would be insignificant.
Logged

Joachim Müller

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 47843
  • aka "GauGau"
    • gaugau.de
Re: Patch for Coppermine 1.4.3 remote code execution - Update NOW!
« Reply #19 on: February 26, 2006, 01:51:39 pm »

New package cpg1.4.4 that includes the above mentioned patch has been released, see announcement thread "Coppermine maintenance release cpg1.4.4 - upgrade as soon as possible"
Logged