Print

[adipisicing]

I understand that it is important to upgrade to version 1.4.15 immediately.

That said, are there any plans to detail the vulnerabilities in 1.4.14, the situations in which they could be exploited, and what abilities an attacker would have by exploiting them?

If not, would you like me to write such a thing? I'm currently diffing the files to try to figure out what's changed.

I was unable to find a vulnerability disclosure policy for Coppermine, so I'm not sure if or for how long you want details of vulnerabilities to remain unreleased. I won't post any details here unless I have your permission.

Thank you!

[Makc666]

========================
MAKE A BACK UP OF YOUR GALLERY
TRY TO PATCH FIRST TIME IN A TEMPORARY FOLDER

========================
Step 0.
All steps were made under FreeBSD.
You can read about patch here:
http://www.phpbb.com/support/documents.php?mode=install#upgradeSTABLE_patch

========================
Step 1.
How I make patch file?
I unpack cpg1.4.14.zip and cpg1.4.15.zip archives
to cpg1414 and cpg1415 folders.

Then before patching I remove dirs

• /cpg1414/lang/
• /cpg1415/lang/
• /cpg1414/docs/
• /cpg1415/docs/

and some other document files from root folder

• /cpg1415/CHANGELOG
• /cpg1415/COPYING
• /cpg1415/README.txt

as those files can be replaced wit a new one with out any harm and I don't recommend them to be patched.

========================
Step 2.
Second I run in directory where cpg1414 and cpg1415 folders are:
diff -crbBN cpg1414 cpg1415 >cpg-1.4.14_to_1.4.15.patch

and get file:
cpg-1.4.14_to_1.4.15.patch

========================
IMPORTANT!
Open file cpg-1.4.14_to_1.4.15.patch
And delete all lines:
\ No newline at end of file

========================
Step 3.
Then I made a copy of gallery folder which I was going to patch
cp -R coppermine coppermine-old-cpg1414

P.S. If you keep "albums" folder inside "coppermine" folder, for example "/coppermine/albums/",
you can move "albums" folder to some SAVE place before making a copy of "coppermine" folder.
Or just make a copy of "/coppermine/" folder with out "/coppermine/albums/" folder as I do.

========================
Step 4.
Also you must have these files in your coppermine directory.

• /coppermine/install.php
• /coppermine/update.php
• /coppermine/upgrade-1.0-to-1.2.php

I make so to avoid a lot of patch errors.

You can take them from cpg1.4.14.zip, as you need old one:
http://prdownloads.sourceforge.net/coppermine/cpg1.4.14.zip?download

========================
Step 5.
Put your patch file into:
/coppermine/cpg-1.4.14_to_1.4.15.patch

========================
Step 6.
Run in /coppermine/ folder
patch -cl -d ./ -p1 < ./cpg-1.4.14_to_1.4.15.patch

You will see all results on your screen.
So make your Scroll Buffer big enough.
It will be a lot of lines, better make it about 5000.
From 1.4.14 to 1.4.15 I have around 1526 lines.

========================
Step 7.
Update your dirs

• /coppermine/lang/
• /coppermine/docs/

with necessary files.

For example I use only "english.php", "german.php", "russian.php" files/languages.

You can get them in cpg1.4.15.zip:
http://prdownloads.sourceforge.net/coppermine/cpg1.4.15.zip?download

###########################
###!!! READ THIS ONE !!!###
###!!!   IMPORTANT   !!!###
###########################
During patch process you will (can) see two main information strings:
--> Hunk #3 succeeded at 216.
and
--> Hunk #1 failed at 1.

Example below.
Word "succeeded" means that there was no problems with patching of that part of code.
Word "failed" means there was some problem(s).

If you see "failed" for some file, you have to open file with name "FILENAME_WITH_ERROR.rej"
(below for example it is "zipdownload.php.rej")
and look what the patch was not able to change and fix that manually.

Word "done" means that patch go throw all changes in "cpg-1.4.14_to_1.4.15.patch" file.

After all such fixes you will have to delete all *.rej and *.orig files from coppermine directory and subdirs!

###########################
###### EXAMPLE START ######
###########################

--------------------------
|diff -crbBN cpg132/xp_publish.php cpg133/xp_publish.php
|*** cpg132/xp_publish.php      Sat Jul 24 17:03:00 2004
|--- cpg133/xp_publish.php      Tue Apr 19 05:17:00 2005
--------------------------
Patching file xp_publish.php using Plan A...
Hunk #1 succeeded at 1.
Hunk #2 succeeded at 205.
Hunk #3 succeeded at 216.
Hunk #4 succeeded at 333.
Hunk #5 succeeded at 571.
Hmm...  The next patch looks like a new-style context diff to me...
The text leading up to this was:
--------------------------
|diff -crbBN cpg132/zipdownload.php cpg133/zipdownload.php
|*** cpg132/zipdownload.php     Sat Jul 24 17:03:00 2004
|--- cpg133/zipdownload.php     Tue Apr 19 05:17:00 2005
--------------------------
Patching file zipdownload.php using Plan A...
Hunk #1 failed at 1.
Hunk #2 succeeded at 57.
1 out of 2 hunks failed--saving rejects to zipdownload.php.rej
done

###########################
###### EXAMPLE END ########
###########################

========================
Step 8.

If the file install.php exists in the root directory, delete it. When performing an upgrade, it is not needed.

Run the file "update.php" in the coppermine directory once in your browser (e.g. http://yourdomain.tld/coppermine/update.php).
This will update your coppermine install by making all necessary changes in the database.

Taken from:
3.5 Upgrading from cpg1.4.0 or better to version cpg1.4.15
http://coppermine-gallery.net/demo/cpg14x/docs/index.htm#14

========================
That it!
(c) Makc666

[adipisicing]

While your post would be quite useful to anyone attempting to update a modded Coppermine install, it doesn't really address my question at all. I'm trying to get more details on the vulnerabilities in 1.4.14.

Specifically, for each of the vulnerabilities listed in http://forum.coppermine-gallery.net/index.php?topic=50103.0 , I'd like to know:

• Who can exploit the vulnerability? The general public? Those with accounts in my gallery? Those with specific priviledges in my gallery? Gallery admins?
• What can someone who exploits the vulnerability do? See gallery content beyond their access rights? Read or write to the MySQL database? Read or write to the filesystem? Execute arbitrary shell commands?
  
• Under what configurations is the vulnerability exposed?

At this point, I've been able to figure some of this out for myself, but I don't want to post details until one of the devs gives me an OK, because I don't know CPG's stance on vulnerability disclosures.

[Nibbler]

Added code to fix the shell injection security issue reported by Janek Vind via email and discussed in topic 48930

That's exploitable by people who can rotate an image, ie. registered users with upload rights. Only affects galleries using ImageMagick. Can be mitigated by restricting upload rights/membership to trusted individuals (or using GD2).

Added code to remove 2 security issues reported by Janek Vind via email and discussed in topic 48890

That's an XSS in the documentation and a path disclosure in include/slideshow.inc.php (displays a PHP fatal error message when accessed directly that provides path information). Both exploitable by anyone. Can be mitigated by deleting the docs folder and disabling error reporting in php.ini respectively.

Note that taking the steps suggested as mitigation is not an alternative to updating your gallery.

[adipisicing]

Thank you so much, Nibbler! That's exactly what I was looking for!

Note that taking the steps suggested as mitigation is not an alternative to updating your gallery.

Understood.

[adipisicing]

Also, might I suggest that Makc666's post be broken out into its own thread? I'm sure many people would find it useful.

[Makc666]

That's exploitable by people who can rotate an image, ie. registered users with upload rights. Only affects galleries using ImageMagick. Can be mitigated by restricting upload rights/membership to trusted individuals (or using GD2).

After upgrading from 1.4.14 to 1.4.15 ImageMagick doesn't work for me any more...
Moved here -> http://forum.coppermine-gallery.net/index.php?topic=50183.0

[Joachim Müller]

I rather suggest that Makc666 stops posting his (well-meant) instructions how to manually upgrade. If we think that manual fixes should be published, we do so. If we think that this should not be done, then we don't post such instructions with the announcement.

[Makc666]

If we think that manual fixes should be published, we do so. If we think that this should not be done, then we don't post such instructions with the announcement.

This is no manual fixes.
This is just the changes from 1.4.14 to 1.4.15
Every one can compare 1.4.14 with 1.4.15 but not every one knows how to. And if people have many mods installed that one I posted will help them to learn how they can easely update their galleries.

[jesusarmy]

For example, phpBB releases a variety of methods of updating, including patch files, which I have found incredibly useful for updating while retaining the mods I had made. It would be extremely helpful if Coppermine did the same thing.

If the administrators really want to discourage modding, then they ought to close the mods section of this forum. 

[Joachim Müller]

99% of everything people ever have requested can be accomplished by theming and plugins. So yes, I would like discourage you (and everyone else) from modding if there are other, more elegant methods to accomplish what you're up to.