Maintenance release cpg1.4.5 fixes directory traversal bug ("imei") - update now Maintenance release cpg1.4.5 fixes directory traversal bug ("imei") - update now
 

News:

cpg1.5.48 Security release - upgrade mandatory!
The Coppermine development team is releasing a security update for Coppermine in order to counter a recently discovered vulnerability. It is important that all users who run version cpg1.5.46 or older update to this latest version as soon as possible.
[more]

Main Menu

Maintenance release cpg1.4.5 fixes directory traversal bug ("imei") - update now

Started by Joachim Müller, April 21, 2006, 09:05:43 AM

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

Joachim Müller

The Coppermine dev team announces the release of cpg1.4.5.
The new release does not contain new features (compared to previous versions of cpg1.4.x), but contains fixes for several issues, most importantly the "imei bug" that made a directory traversal attack possible. All Coppermine users are strongly encouraged to upgrade their coppermine version as soon as possible. Upgrade instructions are included in the package (refer to the index file inside the docs folder).

The new package contains all language files that existed up till now (compared to cpg1.4.4, a few new language files have been added).

Get the new release cpg1.4.5 here: http://prdownloads.sourceforge.net/coppermine/cpg1.4.5.zip?download

As suggested above, cpg1.4.5 does not only fix the imei bug, but several other (minor) issues as well, so everyone should upgrade as suggested. However, if you have a heavily-modified version of coppermine running on your server and can't do the full update, you must at least apply the fix for the imei bug. To do so, edit index.php (in coppermine's root folder) with a plain-text editor, findif (isset($_GET['file'])) {
    // Scrub: Remove '..' and leftover '//' from filename
    $file = str_replace('//','',str_replace('..','',$_GET['file']));
    $path = './plugins/'.$file.'.php';
and replace withif (isset($_GET['file'])) {
    // Scrub: Remove '..' and leftover '//' from filename
    $file = str_replace('..','',str_replace('//','',$_GET['file']));
    $fileValidationPattern = "/^([a-zA-Z0-9_\-]+)(\/{0,1}?)([a-zA-Z0-9_\-]+)$/";
    if (preg_match($fileValidationPattern, $file) == FALSE) {
            $file = ''; // something's fishy with the filename, let's drop it
    }
    $path = './plugins/'.$file.'.php';


Please do not clutter this announcement thread with individual support requests or similar, only replies that deal with the actual release are allowed - all unrelated replies will be deleted without further notice.
If you have issues with upgrading your coppermine install, post on the cpg1.4.x upgrading sub-board (after having read the docs and after having searched the board).



Joachim
- Coppermine project manager -

Makc666

[Edit GauGau]
This posting of Makc666 was made to explain how to apply all cpg1.4.5 patches to an existing coppermine gallery that is heavily modified for advanced users who run their own webserver and who are familiar with the Lunix console. I had to step in and add this explanation for people who are not so tech-savy.

@Makc666: next time you reply to an announcement thread the way you did, make sure to properly explain what your posting is to be used for and what it does. People might otherwise get the impression that this is an alternative step-by-step explanation how they're suppossed to upgrade. It isn't. I also undid some of the heavy formating you applied, making your posting stand out more than the original announcement.

@all: For the majority of coppermine users, this posting does not apply. If you do not understand exactly what you're suppossed to do, then ignore this posting and upgrade as suggested in the docs.
[/edit]


========================
MAKE A BACK UP OF YOUR GALLERY
TRY TO PATCH FIRST TIME IN A TEMPORARY FOLDER

========================
Step 0.
All steps were made under FreeBSD.
You can read about patch here:
http://www.phpbb.com/support/documents.php?mode=install#upgradeSTABLE_patch

========================
Step 1.
How I make patch file?
I unpack cpg1.4.4.zip and cpg1.4.5.zip to cpg144 and cpg145 folders.
Then I removed dirs
/cpg144/lang/
/cpg145/lang/
before patching, as language files now use UTF-8 and I don't recommend them to be patched.

========================
Step 2.
Second I run in directory where cpg144 and cpg145 folders are:
diff -crbBN cpg144 cpg145 >cpg-1.4.4_to_1.4.5.patch

and get file: cpg-1.4.4_to_1.4.5.patch

========================
Step 3.
Then I made a copy of gallery folder which I was going to patch
cp -R coppermine coppermine-old-144

========================
Step 4.
Also you must have these files in your coppermine directory.
/coppermine/CHANGELOG
/coppermine/COPYING
/coppermine/install.php

I make so to avoid a lot of patch errors.

You can take them from cpg1.4.4.zip, as you need old one:
http://prdownloads.sourceforge.net/coppermine/cpg1.4.4.zip?download

========================
Step 5.
Put your patch file into:
/coppermine/cpg-1.4.4_to_1.4.5.patch

========================
Step 6.
Run in /coppermine/ folder
patch -cl -d ./ -p1 < ./cpg-1.4.4_to_1.4.5.patch

You will see all results on your screen.
So make your Scroll Buffer big enough.
It will be a lot of lines, better make it about 5000.
From 1.4.4 to 1.4.5 I have around 1420 lines.

========================
Step 7.
Update your
/coppermine/lang/
dir with necessary files.
For example I use only Eng, Ger, Rus.

Get them in cpg1.4.5.zip:
http://prdownloads.sourceforge.net/coppermine/cpg1.4.5.zip?download

###########################
###!!! READ THIS ONE !!!###
###!!!   IMPORTANT   !!!###
###########################
During patch process you will (can) see two main information strings:
--> Hunk #3 succeeded at 216.
and
--> Hunk #1 failed at 1.

Example below.
Word "succeeded" means that there were no problems with patching of that part of code.
Word "failed" means there were some problems.

If you see "failed" for some file, you have to open file with name "FILENAME_WITH_ERROR.rej"
(below for example it is "zipdownload.php.rej")
and look what the patch couldn't change and fix that manually.

Word "done" means that patch go throw all "cpg-1.4.4_to_1.4.5.patch" file.

After all such fixes you will have to delete all *.rej and *.orig files from coppermine directory and subdirs!

###########################
###### EXAMPLE START ######
###########################

--------------------------
|diff -crbBN cpg132/xp_publish.php cpg133/xp_publish.php
|*** cpg132/xp_publish.php      Sat Jul 24 17:03:00 2004
|--- cpg133/xp_publish.php      Tue Apr 19 05:17:00 2005
--------------------------
Patching file xp_publish.php using Plan A...
Hunk #1 succeeded at 1.
Hunk #2 succeeded at 205.
Hunk #3 succeeded at 216.
Hunk #4 succeeded at 333.
Hunk #5 succeeded at 571.
Hmm...  The next patch looks like a new-style context diff to me...
The text leading up to this was:
--------------------------
|diff -crbBN cpg132/zipdownload.php cpg133/zipdownload.php
|*** cpg132/zipdownload.php     Sat Jul 24 17:03:00 2004
|--- cpg133/zipdownload.php     Tue Apr 19 05:17:00 2005
--------------------------
Patching file zipdownload.php using Plan A...
Hunk #1 failed at 1.
Hunk #2 succeeded at 57.
1 out of 2 hunks failed--saving rejects to zipdownload.php.rej
done

###########################
###### EXAMPLE END ########
###########################

========================
Step 8.

If the file install.php exists in the root directory, delete it. When performing an upgrade, it is not needed.

Run the file "update.php" in the coppermine directory once in your browser (e.g. http://yourdomain.tld/coppermine/update.php).
This will update your coppermine install by making all necessary changes in the database.

Taken from:
3.5 Upgrading from cpg1.4.0 or better to version cpg1.4.5
http://coppermine-gallery.net/demo/cpg14x/docs/index.htm#14

========================
That it!
(c) Makc666 :)

makc666@newmail.ru

Makc666

One more note about relocate_server.php and why it appeared in 1.4.5 again.

Quote from: GauGau on April 21, 2006, 09:09:56 AM
In cpg1.4.5, I re-added a file named relocate_server.php to make sure that users who upgrade actually fix the older, dangerous version of that file. The file I have added to cpg1.4.5 is harmless and will only forward users to your index page.