Maintenance release: cpg1.3.5 fixes XSS vulnerability *MUST READ* Maintenance release: cpg1.3.5 fixes XSS vulnerability *MUST READ*
 

News:

cpg1.5.48 Security release - upgrade mandatory!
The Coppermine development team is releasing a security update for Coppermine in order to counter a recently discovered vulnerability. It is important that all users who run version cpg1.5.46 or older update to this latest version as soon as possible.
[more]

Main Menu

Maintenance release: cpg1.3.5 fixes XSS vulnerability *MUST READ*

Started by Joachim Müller, September 25, 2005, 12:49:37 PM

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

Joachim Müller

A XSS vulnerability has been found in the language selector. Everybody who runs coppermine (any version older than cpg1.3.5) will have to apply this security fix as soon as possible.

We have released a brand new package of the stable branch (cpg1.3.x) named "cpg1.3.5" that contains the above mentioned fix, plus some fixes of minor issues:
Download cpg1.3.5.
The vulnerability existed in the devel code (cpg1.4.x) as well, that's why users who are testing the devel version are strongly encouraged to update their version as well (doing a CVS checkout).




Experienced users who don't want to do the upgrade (because their coppermine install is heavily modified) can apply the fix manually as well (instead of doing the recommended upgrade to cpg1.3.5).

Instructions for manual fix:
In init.inc.php:

Replace

$HTML_SUBST = array('"' => '&quot;', '<' => '&lt;', '>' => '&gt;');


with

$HTML_SUBST = array('&' => '&amp;', '"' => '&quot;', '<' => '&lt;', '>' => '&gt;', '%26' => '&amp;', '%22' => '&quot;', '%3C' => '&lt;', '%3E' => '&gt;');


Replace

if (is_array($HTTP_GET_VARS)) {
        foreach ($HTTP_GET_VARS as $key => $value) {
            $HTTP_GET_VARS[$key] = strtr(stripslashes($value), $HTML_SUBST);
            if (isset($$key)) unset($$key);
        }
    }


with

if (is_array($HTTP_GET_VARS)) {
        foreach ($HTTP_GET_VARS as $key => $value) {
            unset($HTTP_GET_VARS[$key]);
            $HTTP_GET_VARS[strtr(stripslashes($key), $HTML_SUBST)] = strtr(stripslashes($value), $HTML_SUBST);
            if (isset($$key)) unset($$key);
        }
    }


Add

/**
     * Sanitize $_GET also, as we have used it in many places
     */
    if (is_array($_GET)) {
        foreach ($_GET as $key => $value) {
            unset($_GET[$key]);
            $_GET[strtr(stripslashes($key), $HTML_SUBST)] = strtr(stripslashes($value), $HTML_SUBST);
            if (isset($$key)) unset($$key);
        }
    }


after

if (is_array($HTTP_GET_VARS)) {
        foreach ($HTTP_GET_VARS as $key => $value) {
            unset($HTTP_GET_VARS[$key]);
            $HTTP_GET_VARS[strtr(stripslashes($key), $HTML_SUBST)] = strtr(stripslashes($value), $HTML_SUBST);
            if (isset($$key)) unset($$key);
        }
    }





Joachim

celeritycat

I am running version 134. Can I just extract the init.inc.php from the zip file you posted and upload it to my include folder?
I am not that comfortable adding the code myself, but I also don't want to lose the changes I have now.

Joachim Müller

as suggested above: there are a number of other minor fixes as well, so the recommended way would be to overwrite all coppermine core files with the ones from the package - please refer to the upgrade instructions that come with the package. However, if you feel like this is too much for you, you could just replace the file include/init.inc.php to just address the particular vulerability that caused the maintenance release.

luchtzak

Applied the update to version 1.3.5, is it possible that coppermine runs faster now. I noticed faster pageloads...

Joachim Müller

I don't think so. There hasn't been removal or optimization of any queries or similar. Guess it's just coincidence, or it feels faster. Good to hear though that you're happy with it ;D.

ergo


Tranz


Makc666

========================
MAKE A BACK UP OF YOUR GALLERY
TRY TO PATCH FIRST TIME IN A TEMPORARY FOLDER, IF YOU DO NOT FULLY UNDERSTAND ANY OF THE STEPS OUTLINED BELOW THEN THIS METHOD IS NOT FOR YOU

========================
There was a fix in 1.3.4 in file displayimage.php
http://forum.coppermine-gallery.net/index.php?topic=20933.0
        //Sanitize the data - to fix the XSS vulnerability - Aditya
        foreach ($iptc as $key=>$data) {
          $iptc[$key] = htmlentities(strip_tags(trim($data,"\x7f..\xff\x0..\x1f")),ENT_QUOTES); //sanitize data against sql/html injection; trim any nongraphical non-ASCII character:
}

You have to remove it now manually if you upgrade from 1.3.3 with this fix:
http://forum.coppermine-gallery.net/index.php?topic=20933.0

========================
Step 0.
All steps were made under FreeBSD.
You can read about patch here:
http://www.phpbb.com/support/documents.php?mode=install#upgradeSTABLE_patch

========================
Step 1.
First of all!
I removed
/cpg133/lang/
/cpg134/lang/
/cpg135/lang/
dirs before patching, as it:
- becomes to big
- there is problems with patching in Japan (etc. country) languages.
- you can update lang files manually

========================
Step 2.
Second I run:
diff -crbBN cpg133 cpg135 >cpg-1.3.3_to_1.3.5.patch
and
diff -crbBN cpg134 cpg135 >cpg-1.3.4_to_1.3.5.patch

========================
Step 3.
Then I made a copy of gallery folder which I was going to patch
cp -R coppermine coppermine-new

========================
Step 4.
Also you must have to copy these files into your directory.
/coppermine/CHANGELOG
/coppermine/COPYING
/coppermine/install.php

You can take them from cpg1.3.3.zip, as you need old one:
http://prdownloads.sourceforge.net/coppermine/cpg1.3.3.zip?download
or
You can take them from cpg1.3.4.zip, as you need old one:
http://prdownloads.sourceforge.net/coppermine/cpg1.3.4.zip?download

========================
Step 5.
Put your patch file into:
/coppermine-new/cpg-1.3.3_to_1.3.5.patch
or
/coppermine-new/cpg-1.3.4_to_1.3.5.patch

========================
Step 6.
patch -cl -d /coppermine-new/ -p1 < /coppermine-new/cpg-1.3.3_to_1.3.5.patch
or
patch -cl -d /coppermine-new/ -p1 < /coppermine-new/cpg-1.3.4_to_1.3.5.patch
In this case you will see all results on your screen.
So make your Scroll Buffer big enough.
It will be about 1200 lines!

========================
Step 7.
Update your
/coppermine/lang/
dir with necessary files.
For example I use only Eng, Ger, Rus.

###########################
###!!! READ THIS ONE !!!###
###########################
During patch process you will (can) see two main information strings:
--> Hunk #3 succeeded at 216.
--> Hunk #1 failed at 1.

Example below.
Word "succeeded" means that there is no problems with patching of that part of code.
Word "failed" means there was some problem.

If you see "failed" for some file, you have to open file with name "FILENAME_WITH_ERROR.rej"
below for example it is "zipdownload.php.rej"
and look what the patch couldn't change and fix that manually.

After all such fixes you will have to delete all *.rej and *.orig files from coppermine directory and subdirs!

Word "done" means that patch go throw all "cpg-1.3.3_to_1.3.5.patch" file.

###########################
###### EXAMPLE START ######
###########################

--------------------------
|diff -crbBN cpg132/xp_publish.php cpg133/xp_publish.php
|*** cpg132/xp_publish.php      Sat Jul 24 17:03:00 2004
|--- cpg133/xp_publish.php      Tue Apr 19 05:17:00 2005
--------------------------
Patching file xp_publish.php using Plan A...
Hunk #1 succeeded at 1.
Hunk #2 succeeded at 205.
Hunk #3 succeeded at 216.
Hunk #4 succeeded at 333.
Hunk #5 succeeded at 571.
Hmm...  The next patch looks like a new-style context diff to me...
The text leading up to this was:
--------------------------
|diff -crbBN cpg132/zipdownload.php cpg133/zipdownload.php
|*** cpg132/zipdownload.php     Sat Jul 24 17:03:00 2004
|--- cpg133/zipdownload.php     Tue Apr 19 05:17:00 2005
--------------------------
Patching file zipdownload.php using Plan A...
Hunk #1 failed at 1.
Hunk #2 succeeded at 57.
1 out of 2 hunks failed--saving rejects to zipdownload.php.rej
done

###########################
###### EXAMPLE END ########
###########################

========================
Step 8.
Run: http://your.gallery.com/update.php

- If you have not already done so, create a folder called "edit" within your "albums" directory - this folder will be used by coppermine as a temporary folder, do not ftp-upload files there. Make sure the new "edit"-folder is CHMODed the same way your albums-directory is (755 or 777, depending on your server's config)
- Run the file "update.php" in the coppermine directory once in your browser (e.g. http://yourdomain.tld/coppermine/update.php). This will update your coppermine install by making all necessary changes in the database.

Taken from:
/cpg135/docs/index.htm#13
3.4 Upgrading from cpg1.2.0rc2 or better to version cpg1.3.5

========================
That it!
(c) Makc666 :)

makc666@newmail.ru
makc666@yahoo.com

Joachim Müller

above posting by Makc666 does not decribe the upgrade procedures suggested by the coppermine dev team - it's just Makc666's idea how to do things. Some of the steps he outlines are just plain wrong in my opinion. Although we welcome user contributions, I disagree with posting something that looks like a detailed readme/howto. Makc666 failed to say why in his opinion the upgrade steps should be altered in the way he describes. In the future, please post why you think something's wrong with our suggested upgrade instructions instead of boldly posting a guide of your own.

Joachim

Makc666

My patch files are for those people who have a lot of MODES installed in their galleries.
So they have only to apply my patch with out any new files upload.
This system is 100% the same as patch files for phpBB 2.x forum which is used there.
I didn't say that you upgrade instructions is bad. But they only sutable for galleries with out any modifications.
Thanks for your reply.
P.S. I just try to help people who know what I am posting.

Tarique Sani

@Makc666 - thanks, this indeed is the correct way to patch an existing install if you have lots of MODs installed and is for people who know what they are doing :)

@Gaugau - I have added an additional disclaimer to Makc666's original post
SANIsoft PHP applications for E Biz

Satyr

I have done like in the tuto of GauGau. Thank's Joachim!  :)
BTW, i am big fan of coppermine!  ;D
Kein Support über PN. Bitte im Forum posten, dann ist anderen auch geholfen.

http://www.gothicmodels.net/gothicmodels/gallery/

Testuser: Test23 PW: 123456

viciouz

Though I dont know much about php programming,  I did apply this fix to my coppermine installation and my pages also seem to be loading faster.  Just thought I would throw that in.

Quick note: "Thanks a lot for all the help provided here, Ive always found answers within minutes when I had problems with configuration, layout, etc...
Ive used coppermine on four different websites so far and I find out something new every time.  Ive not yet seen a better photo gallery"

Thanks Again.

BlackCactus

OK not sure tho,
was in my fantastico noticed update for coppermine, so  I proceeded with update maint fix, one thing im a back-up freak "thank God"when I went to my gallery noticed it had changed the igames template back to original state,I had modded the menu and added a homepage link to my site.now it wasn't even a big fix for me to revert it back by adding the 4 lines of code in english.php and igames/theme.php that I had revised in previous version.. Thought I just let others know, now I just made my own theme folder using igames theme and created new lang/english.php file and in the admin panel pointed to the new directory and edited styles.css ,template.html ,theme.php to point to new directory..That is what i get for being lazy in first place,but I was fortunate that I had not heavily modded the Igames theme....

P.S.
B.T.W. Best PhotoGallery in the World by far , Keep it coming, you guys are great and I appreciate all your time and hard work!!!