Patch for Coppermine 1.4.3 remote code execution - Update NOW!

Started by Tarique Sani, February 18, 2006, 01:41:45 PM

Tarique Sani

A remote code execution flaw was detected in Coppermine Picture Gallery 1.4.3 - this affects installations where user registrations are allowed and users are allowed to upload files. However, it is strongly recommended that everyone patches their installations.

To manually patch your install, open the file include/init.inc.php and find the line

$USER['lang'] = $_GET['lang'];

This is around line 301. Replace it with the line below:

$USER['lang'] = ereg("^[a-z0-9_-]*$", $_GET['lang']) ? $_GET['lang'] : $CONFIG['lang'];

Next, open the file docs/showdocs.php and find the line

@include($file);

This is around line 51. Replace it with the line below:

@include('index.htm');

That's it! If editing code is not your cup of tea, then use the files in the zip attached.

Thanks to rgod http://retrogod.altervista.org/ for discovering these flaws, and thanks to the dev team members Amit and Abbas for helping me fix this.

Once again - this is a nasty one - PATCH NOW! or be OWNED!!

[edit GauGau]
New package cpg1.4.4 that includes the above mentioned patch has been released, see announcement thread "Coppermine maintenance release cpg1.4.4 - upgrade as soon as possible"
[/edit]
SANIsoft PHP applications for E Biz

Tranz

Thank you Tarique, Amit, and Abbas. :)

I tried using CVS to do the update but the changes weren't there so I have committed the changes.

no1wammy

Patch applied. And I was just about to bridge my two forums, too.

$USER['lang'] = $_GET['lang'];
$USER['lang'] = ereg("^[a-z0-9_-]*$", $_GET['lang']) ? $_GET['lang'] : $CONFIG['lang'];
@include($file);
@include('index.htm');

Would you please explain what these four lines of code do, and how they relate to the remote code execution flaw?

Paver

It is generally best to avoid giving a "how to" on security issues. If you don't know why those lines are dangerous, all you need to know is that they are, and if you've applied the fixes, you're safe.

fredag

On the front page of your web site, you call the security flaw which was recently discovered a "cross site scripting vulnerability". It seems you are deliberately playing down the seriousness of this security flaw. Secunia labels it "System access From remote" and "The vulnerability can be further exploited by users who are allowed to upload image files to execute arbitrary PHP code." It seems to me that is rather more serious than just "cross site scripting".

Given the seriousness of the security flaw which was discovered, shouldn't you guys have released a new proper version of coppermine yesterday or the day before, and not just expect people to patch? By not releasing a new proper version, sysadmins can't tell their users to just upgrade to the latest version of coppermine, because your latest version (1.4.3) is vulnerable.

Also: the so-called "patch" you have outlined only works on version 1.4.3 and not on older versions like 1.3.3. Perhaps you should post some info on the various versions of Coppermine and their security status? Which is safe to use and which is not.

As Tarique described it: "This is a nasty one".


-fredag

Joachim Müller

1) cpg1.3.x isn't affected by the vulnerability as far as I can tell
2) we're currently working on a maintenance release

Tarique Sani

@fredag: Given the fact that only two files need to be replaced, asking people to reinstall everything is being a plain PIA - for those who cannot patch, a zip with the correct files was provided...

While I agree that the website front page should be updated ASAP, the points mentioned by GauGau stand.

@Gaugau - time we declared 1.3.x as unsupported and removed all those downloads - Upgrade or perish!
SANIsoft PHP applications for E Biz

Nibbler

It's the same fix for 1.3, which is vulnerable.

find

$USER['lang'] = $HTTP_GET_VARS['lang'];

replace with

$USER['lang'] = ereg("^[a-z0-9_-]*$", $HTTP_GET_VARS['lang']) ? $HTTP_GET_VARS['lang'] : $CONFIG['lang'];
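The whitelist check in the first post and in the 1.3 variant above, written as an added example (not Coppermine's own code) with preg_match() instead of ereg(), since ereg() was deprecated in PHP 5.3 and removed in PHP 7. The function name, the variable names and the sample inputs are this example's own.

```php
<?php
// Added example, not Coppermine code: the same check the patch applies to the
// `lang` request parameter, using preg_match() because ereg() no longer exists
// in current PHP. Function and variable names are this example's own.

/**
 * Return $requested if it consists only of [a-z0-9_-], otherwise $default.
 * Mirrors the patched line: any slash, dot, NUL byte or other character that
 * could alter an include path makes the value fall back to the configured language.
 */
function safe_lang_name($requested, $default)
{
    // $_GET['lang'] can also arrive as an array (?lang[]=x); treat that as invalid.
    if (!is_string($requested)) {
        return $default;
    }
    // Anchored pattern. The 'D' modifier makes '$' match only at the very end of
    // the string, so a trailing newline cannot slip past the check.
    return preg_match('/^[a-z0-9_-]*$/D', $requested) ? $requested : $default;
}

// Constructed sample inputs and the value the check yields for each.
$cases = array(
    'english'    => 'english',
    'de_DE'      => 'de_DE',
    '../other'   => 'fallback',  // path-like value -> rejected
    "english\n"  => 'fallback',  // trailing newline -> rejected
    ''           => '',          // empty string passes, as the original '*' quantifier allows
);

foreach ($cases as $input => $expected) {
    $result = safe_lang_name($input, 'fallback');
    printf("%-14s => %-10s (expected %s)\n", json_encode($input), var_export($result, true), var_export($expected, true));
}
```

The check works by rejecting rather than filtering: anything outside the letters, digits, underscore and hyphen that language directory names use sends the value back to $CONFIG['lang'], so a request parameter can no longer steer which file is included. The second change in the first post, replacing @include($file) with @include('index.htm'), takes the same idea further by dropping the request-derived path entirely. For 1.3 installs the only difference is that the value comes from $HTTP_GET_VARS['lang'] instead of $_GET['lang'].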

SpearCreations

I have a question: I just downloaded Coppermine Gallery 1.4.3 last night, now does this mean I have to also run the patch? Just curious, thank you kindly ;D

SpearCreations

Quote from: SpearCreations on February 22, 2006, 03:59:29 PM
I have a question: I just downloaded Coppermine Gallery 1.4.3 last night, now does this mean I have to also run the patch? Just curious, thank you kindly ;D And if I do have to add the patch, where do I exactly put it... keep in mind I'm computer stupid at this point, but I did manage to get it up and running last night :)

Joachim Müller

Yes, you have to apply the patch as well. Right now we're preparing a cpg1.4.4 maintenance release that will include the fix.
CPG1.4.3 or older doesn't contain the fix, you have to apply it manually.

SpearCreations

Ughhhhh, I just knew you were going to say that... I'm not very good at PHP... and do I also have to download the maintenance release as well??? I assumed that 1.4.3 was stable and had all the upgrades. Thanks for your help!

Tranz

If you know how to make a backup copy of the file (for just in case), and edit text in wordpad or notepad, you can do it.

Or you can download the attachment that contains the files in the first post.

SpearCreations

Well, see, I took a basic HTML course and opened up Crimson Editor, searched, found and saved what I needed... now I just need to upload these new files to my website. Plus I had my hubby stand behind me while I was doing it lol, he's a computer tech person, he can write Java but not PHP... thanks for all your help :)


solarian

I think this illustrates the usefulness of an announcements RSS feed. I have subscribed to this forum for now, but RSS is obviously the way forward. It would be quite simple to hand-code a static RSS file for the purpose. Please consider this...


Fabrian

Has anyone noticed a slower load time? I can't tell if it's the patch or my ISP...

Nibbler

Any slowdown caused by the patch would be insignificant.

Joachim Müller

New package cpg1.4.4 that includes the above mentioned patch has been released, see announcement thread "Coppermine maintenance release cpg1.4.4 - upgrade as soon as possible"