Maintenance release CPG1.4.6 protects against Apache's .rar vulnerability
Joachim Müller:
The Coppermine dev team announces the release of cpg1.4.6.
The new release does not contain new features (compared to previous versions of cpg1.4.x), but contains fixes for several minor issues. It takes care as well of the ".rar"-exploit (that actually isn't a Coppermine bug, but a badly implemented feature of the Apache webserver that needed fixing). All Coppermine users are strongly encouraged to upgrade their coppermine version as soon as possible. Upgrade instructions are included in the package (refer to the index file inside the docs folder).
The new package contains all language files that existed up till now (compared to cpg1.4.5, a few new language files have been added).
Get the new release cpg1.4.6 here: http://prdownloads.sourceforge.net/coppermine/cpg1.4.6.zip?download
As suggested above, cpg1.4.6 does not only fix the .rar vulnerability, but several other (minor) issues as well, so everyone should upgrade as suggested. However, if you have a heavily-modified version of coppermine running on your server and can't do the full update, you should at least apply the fix for the ".rar-exploit". To do so, edit include/functions.inc.php with a plain-text editor, find
--- Code: ---
function replace_forbidden($str)
{
    static $forbidden_chars;
    if (!is_array($forbidden_chars)) {
        global $CONFIG, $mb_utf8_regex;
        if (function_exists('html_entity_decode')) {
            $chars = html_entity_decode($CONFIG['forbiden_fname_char'], ENT_QUOTES, 'UTF-8');
        } else {
            $chars = str_replace(array('&amp;', '&quot;', '&lt;', '&gt;', '&nbsp;', '&#39;'), array('&', '"', '<', '>', ' ', "'"), $CONFIG['forbiden_fname_char']);
        }
        preg_match_all("#$mb_utf8_regex".'|[\x00-\x7F]#', $chars, $forbidden_chars);
    }
    /**
     * $str may also come from $_POST, in this case, all &, ", etc will get replaced with entities.
     * Replace them back to normal chars so that the str_replace below can work.
     */
    $str = str_replace(array('&amp;', '&quot;', '&lt;', '&gt;'), array('&', '"', '<', '>'), $str);;
    return str_replace($forbidden_chars[0], '_', $str);
}
--- End code ---
and replace with
--- Code: ---
function replace_forbidden($str)
{
    static $forbidden_chars;
    if (!is_array($forbidden_chars)) {
        global $CONFIG, $mb_utf8_regex;
        if (function_exists('html_entity_decode')) {
            $chars = html_entity_decode($CONFIG['forbiden_fname_char'], ENT_QUOTES, 'UTF-8');
        } else {
            $chars = str_replace(array('&amp;', '&quot;', '&lt;', '&gt;', '&nbsp;', '&#39;'), array('&', '"', '<', '>', ' ', "'"), $CONFIG['forbiden_fname_char']);
        }
        preg_match_all("#$mb_utf8_regex".'|[\x00-\x7F]#', $chars, $forbidden_chars);
    }
    /**
     * $str may also come from $_POST, in this case, all &, ", etc will get replaced with entities.
     * Replace them back to normal chars so that the str_replace below can work.
     */
    $str = str_replace(array('&amp;', '&quot;', '&lt;', '&gt;'), array('&', '"', '<', '>'), $str);;
    $return = str_replace($forbidden_chars[0], '_', $str);
    /**
     * Fix the obscure, misdocumented "feature" in Apache that causes the server
     * to process the last "valid" extension in the filename (rar exploit): replace all
     * dots in the filename except the last one with an underscore.
     */
    // This could be concatenated into a more efficient string later, keeping it in three
    // lines for better readability for now.
    $extension = ltrim(substr($return,strrpos($return,'.')),'.');
    $filenameWithoutExtension = str_replace('.' . $extension, '', $return);
    $return = str_replace('.', '_', $filenameWithoutExtension) . '.' . $extension;
    return $return;
}
--- End code ---
The maintenance release cpg1.4.6 of course contains all previous fixes of the 1.4-series as well as several minor issues that have been reported on the bugs board. Please review the changelog that comes with the package for details.
Please do not clutter this announcement thread with individual support requests or similar, only replies that deal with the actual release are allowed - all unrelated replies will be deleted without further notice.
If you have issues with upgrading your coppermine install, post on the cpg1.4.x upgrading sub-board (after having read the docs and after having searched the board).
Joachim
- Coppermine project manager -
Joachim Müller:
This might not be obvious to everybody: the maintenance release and hotfix will not cure infected webspace (i.e. pages that have fallen victim to the xxx.php.rar exploit). It will only keep sites that haven't been hit by the attack so far from being vulnerable.
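For checking webspace that may already hold such files, which the post above says the update does not clean up: an added example, not part of the original thread and not Coppermine code, that walks an upload directory and lists files with a script-type extension before the last one. The extension list, the function names and the sample directory tree are assumptions made for illustration.

```php
<?php
// Added example (not Coppermine code): list stored files whose name carries a
// script-type extension before the final one, e.g. the page's xxx.php.rar.

// Assumption: extensions your server may map to a handler; adjust as needed.
const SCRIPT_EXTENSIONS = ['php', 'php3', 'php4', 'php5', 'phtml', 'pl', 'py', 'cgi', 'shtml'];

// Return the script-type extensions that sit between the base name and the
// last extension. Names with fewer than two dots have none.
function inner_script_extensions(string $filename): array
{
    $parts = explode('.', strtolower($filename)); // compare case-insensitively
    if (count($parts) < 3) {
        return [];
    }
    $inner = array_slice($parts, 1, -1);
    return array_values(array_intersect($inner, SCRIPT_EXTENSIONS));
}

// Walk $root recursively and map each suspect path to its inner extensions.
function find_suspect_uploads(string $root): array
{
    $hits = [];
    $walker = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($walker as $file) {
        $exts = $file->isFile() ? inner_script_extensions($file->getFilename()) : [];
        if ($exts) {
            $hits[$file->getPathname()] = $exts;
        }
    }
    ksort($hits);
    return $hits;
}

// Constructed sample tree in a temp directory so the script runs offline.
$dir = sys_get_temp_dir() . '/cpg_audit_' . uniqid() . '/userpics/10001';
mkdir($dir, 0700, true);
foreach (['holiday.jpg', 'archive.rar', 'xxx.php.rar', 'Notes.PHTML.zip'] as $name) {
    touch("$dir/$name");
}
foreach (find_suspect_uploads(dirname($dir, 2)) as $path => $exts) {
    echo $path, '  inner extension(s): ', implode(', ', $exts), PHP_EOL;
}
```

To audit a real install, pass the gallery's upload directory to `find_suspect_uploads()` in place of the sample tree; a listed file is a candidate for manual review, not proof of compromise.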
Joachim Müller:
I removed a reply to this thread for the same reason I posted in my edit at the top of "Patch file from 1.4.4 to 1.4.5 for modified by MODs sites". Start a thread of your own, and don't make your reply stand out unnecessarily. The method described in your posting is not meant for everybody, only for very advanced users. Those advanced users should be capable of following your instructions in the thread mentioned above.
pacimir:
What about 1.3.5?
Is there a fix for it?
Joachim Müller:
yes: the fix is to upgrade. If you don't want to/can't, then apply the suggested hotfix. Don't ask cpg1.3.x-related questions on a thread that deals with the announcement of another version.