Patch for Coppermine 1.4.3 remote code execution - Update NOW!
Tarique Sani:
A remote code execution flaw was detected in Coppermine Picture Gallery 1.4.3 - this affects installations where user registrations are allowed and users are allowed to upload files. However it is strongly recommended that everyone patches their installations.
To manually patch your install, open the file include/init.inc.php and find the line
--- Code: ---$USER['lang'] = $_GET['lang'];
--- End code ---
This is around line 301. Replace it with the line below
--- Code: ---$USER['lang'] = ereg("^[a-z0-9_-]*$", $_GET['lang']) ? $_GET['lang'] : $CONFIG['lang'];
--- End code ---
Next, open the file docs/showdocs.php and find the line
--- Code: ---@include($file);
--- End code ---
This is around line 51. Replace it with the line below
--- Code: ---@include('index.htm');
--- End code ---
That's it! If editing code is not your cup of tea then use the files in the zip attached.
Thanks to rgod http://retrogod.altervista.org/ for discovering these flaws and thanks to the dev team members Amit and Abbas for helping me fix this.
Once again - this is a nasty one - PATCH NOW! or be OWNED!!
[edit GauGau]
New package cpg1.4.4 that includes the above mentioned patch has been released, see announcement thread "Coppermine maintenance release cpg1.4.4 - upgrade as soon as possible"
[/edit]
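A present-day form of the `lang` check from the patch above, added here as an example; it is not Coppermine code and not part of the original post. It assumes the validated value is later used to pick a language file by name; `select_lang`, the `.php` suffix and the demo directory are hypothetical.

```php
<?php
// Added illustration, not Coppermine code. select_lang() and the
// directory layout are hypothetical.

/**
 * Return $requested if it is a well-formed, installed language name,
 * otherwise fall back to $default (the role $CONFIG['lang'] plays in the patch).
 */
function select_lang($requested, string $default, string $langDir): string
{
    // Non-string input such as ?lang[]=x is rejected outright.
    if (!is_string($requested)) {
        return $default;
    }
    // Same character class as the patch. ereg() was removed in PHP 7.0,
    // so preg_match() is used. \A and \z anchor the whole string ('$' in
    // PCRE would also accept a trailing newline); {1,32} rejects the
    // empty string, which the '*' in the patch lets through.
    if (preg_match('/\A[a-z0-9_-]{1,32}\z/', $requested) !== 1) {
        return $default;
    }
    // Defence in depth: the name must resolve to an existing file that
    // sits directly inside the language directory.
    $base = realpath($langDir);
    $file = realpath($langDir . '/' . $requested . '.php');
    if ($base === false || $file === false || dirname($file) !== $base) {
        return $default;
    }
    return $requested;
}

// Constructed demo: a temporary directory with two language files.
$dir = sys_get_temp_dir() . '/lang_demo_' . getmypid();
mkdir($dir);
foreach (['english', 'german'] as $name) {
    file_put_contents("$dir/$name.php", "<?php // constructed sample\n");
}

// Constructed inputs: one valid name, then values that must fall back.
$samples = ['german', 'klingon', '', "german\n", 'German', 'german.php', ['german']];
foreach ($samples as $s) {
    printf("%-14s => %s\n", json_encode($s), select_lang($s, 'english', $dir));
}

array_map('unlink', glob("$dir/*.php"));
rmdir($dir);
```

Only the first sample comes back as `german`; every other input falls back to `english`.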
Tranz:
Thank you Tarique, Amit, and Abbas. :)
I tried using CVS to do the update but the changes weren't there so I have committed the changes.
no1wammy:
Patch applied. And I was just about to bridge my two forums, too.
--- Code: ---$USER['lang'] = $_GET['lang'];
--- End code ---
--- Code: ---$USER['lang'] = ereg("^[a-z0-9_-]*$", $_GET['lang']) ? $_GET['lang'] : $CONFIG['lang'];
--- End code ---
--- Code: ---@include($file);
--- End code ---
--- Code: ---@include('index.htm');
--- End code ---
Would you please explain what these four codes do, and how they relate to the remote code execution flaw?
Paver:
It is generally best to avoid giving a "how to" on security issues. If you don't know why those lines are dangerous, all you need to know is that they are, and if you've applied the fixes, you're safe.
fredag:
On the front page of your web site, you call the security flaw which was recently discovered a "cross site scripting vulnerability". It seems you are deliberately playing down the seriousness of this security flaw. Secunia labels it "System access From remote" and "The vulnerability can be further exploited by users who are allowed to upload image files to execute arbitrary PHP code." It seems to me that is rather more serious than just "cross site scripting".
Given the seriousness of the security flaw which was discovered, shouldn't you guys have released a new proper version of coppermine yesterday or the day before, and not just expect people to patch? By not releasing a new proper version, sysadmins can't tell their users to just upgrade to the latest version of coppermine, because your latest version (1.4.3) is vulnerable.
Also: The so-called "patch" you have outlined only works on version 1.4.3 and not older versions like 1.3.3. Perhaps you should post some info on the various versions of coppermine and their security status? Which is safe to use and which is not.
As Tarique described it: "This is a nasty one".
-fredag