No Support > Announcements

Security fix for coppermine: EXIF XSS vulnerability *MUST READ*

(1/11) > >>

Joachim Müller:
A XSS vulnerability has been found in EXIF data. As Coppermine is capable of displaying EXIF data, everybody who runs coppermine (any version) will have to apply this security fix as soon as possible:
[*]users running cpg1.3.3 should download the file attached, rename it from "displayimage.txt" to "displayimage.php" and upload it to their webserver into the coppermine root folder, replacing the existing file on the server.
[*]users running any previous version should upgrade to cpg1.3.4, as there are several other things that have been fixed. If you can't do this now, make sure to fix the vulnerability: Edit displayimage.php with a text editor, find
--- Code: ---    if (isset($exif) && is_array($exif)) {
--- End code ---
and replace with
--- Code: ---    if (isset($exif) && is_array($exif)) {
        //Sanitize the data - to fix the XSS vulnerability - Aditya
        foreach ($exif as $key=>$data) {
          $exif[$key] = htmlentities(strip_tags(trim($data,"\x7f..\xff\x0..\x1f")),ENT_QUOTES); //sanitize data against sql/html injection; trim any nongraphical non-ASCII character:
        }
--- End code ---
Next, find

--- Code: ---if (isset($iptc) && is_array($iptc)) {
        if (isset($iptc['Title'])) $info[$lang_picinfo['iptcTitle']] = trim($iptc['Title']);
        if (isset($iptc['Copyright'])) $info[$lang_picinfo['iptcCopyright']] = trim($iptc['Copyright']);
        if (!empty($iptc['Keywords'])) $info[$lang_picinfo['iptcKeywords']] = trim(implode(" ",$iptc['Keywords']));
        if (isset($iptc['Category'])) $info[$lang_picinfo['iptcCategory']] = trim($iptc['Category']);
        if (!empty($iptc['SubCategories'])) $info[$lang_picinfo['iptcSubCategories']] = trim(implode(" ",$iptc['SubCategories']));
    }
--- End code ---
and replace with

--- Code: ---if (isset($iptc) && is_array($iptc)) {
        //Sanitize the data - to fix the XSS vulnerability - Aditya
        foreach ($iptc as $key=>$data) {
          $iptc[$key] = htmlentities(strip_tags(trim($data,"\x7f..\xff\x0..\x1f")),ENT_QUOTES); //sanitize data against sql/html injection; trim any nongraphical non-ASCII character:
        }
        if (isset($iptc['Title'])) $info[$lang_picinfo['iptcTitle']] = trim($iptc['Title']);
        if (isset($iptc['Copyright'])) $info[$lang_picinfo['iptcCopyright']] = trim($iptc['Copyright']);
        if (!empty($iptc['Keywords'])) $info[$lang_picinfo['iptcKeywords']] = trim(implode(" ",$iptc['Keywords']));
        if (isset($iptc['Category'])) $info[$lang_picinfo['iptcCategory']] = trim($iptc['Category']);
        if (!empty($iptc['SubCategories'])) $info[$lang_picinfo['iptcSubCategories']] = trim(implode(" ",$iptc['SubCategories']));
    }

--- End code ---
.
 Save your edits, then upload the edited file to your webserver, overwriting the exiting one.
[*]users running the devel version cpg1.4.x: make sure to update all your files from the cvs as suggested in the sticky thread on the cpg1.4 testing/bugs board.
[*]users running unsupported ports (especially those who run the deprecated nuke ports): we have no idea if the vulnerability exists in your code as well, but you should take a look at it and use the fix if applicable[/list]

I will package up a new stable release (cpg1.3.4) that will be available soon. It will contain the fix discussed in this thread.
[edit GauGau]
New package released: a brand new package cpg1.3.4 has been released that contains the above mentioned fix. - Download cpg1.3.4
[/edit]

Joachim

[edit]
Fixed the bug described below, uploaded new file and changed the instructions above accordingly. - Aditya
[/edit]

pirx:
Hi,

I replaced displayimage.php with the attached version. Now I get the following error messages:

Warning: implode(): Bad arguments. in /var/www/cpg133/displayimage.php on line 334
Warning: implode(): Bad arguments. in /var/www/cpg133/displayimage.php on line 336

Ralf

Tarique Sani:
Had you enabled IPTC info before applying the above file - the line numbers you are saying are not the ones that were changed

[edit]
Yes - you are right bug is a side effect of the security fix :(
[/]edit]

pirx:
Hi,

the new displayimage.php fixed the problem. Thank you!

Ralf

stock:
Just wanted to check you mean the yellow band that kept coming up with pic info on it? I did wonder and was going to ask, but now this seem to have cured it thanks.

Stock

Navigation

[0] Message Index

[#] Next page

Go to full version