Security fix for coppermine: EXIF XSS vulnerability *MUST READ*

[Joachim Müller]

please use the code from the cvs, stable branch

[bazil749]

As of 2nite 9/19/05 the ver. 1.3.4 that is up for download DOES NOT contain the fix.

I had to get it from this file....

A XSS vulnerability has been found in EXIF data. As Coppermine is capable of displaying EXIF data, everybody who runs coppermine (any version) will have to apply this security fix as soon as possible:

• users running cpg1.3.3 should download the file attached, rename it from "displayimage.txt" to "displayimage.php" and upload it to their webserver into the coppermine root folder, replacing the existing file on the server.
  
• users running any previous version should upgrade to cpg1.3.4, as there are several other things that have been fixed. If you can't do this now, make sure to fix the vulnerability: Edit displayimage.php with a text editor, find
  Code Select Expand
      if (isset($exif) && is_array($exif)) {and replace with
  Code Select Expand
      if (isset($exif) && is_array($exif)) {
        //Sanitize the data - to fix the XSS vulnerability - Aditya
        foreach ($exif as $key=>$data) {
          $exif[$key] = htmlentities(strip_tags(trim($data,"\x7f..\xff\x0..\x1f")),ENT_QUOTES); //sanitize data against sql/html injection; trim any nongraphical non-ASCII character:
        }
  Next, find
  
  Code Select Expand
  if (isset($iptc) && is_array($iptc)) {
        if (isset($iptc['Title'])) $info[$lang_picinfo['iptcTitle']] = trim($iptc['Title']);
        if (isset($iptc['Copyright'])) $info[$lang_picinfo['iptcCopyright']] = trim($iptc['Copyright']);
        if (!empty($iptc['Keywords'])) $info[$lang_picinfo['iptcKeywords']] = trim(implode(" ",$iptc['Keywords']));
        if (isset($iptc['Category'])) $info[$lang_picinfo['iptcCategory']] = trim($iptc['Category']);
        if (!empty($iptc['SubCategories'])) $info[$lang_picinfo['iptcSubCategories']] = trim(implode(" ",$iptc['SubCategories']));
    }
  and replace with
  
  Code Select Expand
  if (isset($iptc) && is_array($iptc)) {
        //Sanitize the data - to fix the XSS vulnerability - Aditya
        foreach ($iptc as $key=>$data) {
          $iptc[$key] = htmlentities(strip_tags(trim($data,"\x7f..\xff\x0..\x1f")),ENT_QUOTES); //sanitize data against sql/html injection; trim any nongraphical non-ASCII character:
        }
        if (isset($iptc['Title'])) $info[$lang_picinfo['iptcTitle']] = trim($iptc['Title']);
        if (isset($iptc['Copyright'])) $info[$lang_picinfo['iptcCopyright']] = trim($iptc['Copyright']);
        if (!empty($iptc['Keywords'])) $info[$lang_picinfo['iptcKeywords']] = trim(implode(" ",$iptc['Keywords']));
        if (isset($iptc['Category'])) $info[$lang_picinfo['iptcCategory']] = trim($iptc['Category']);
        if (!empty($iptc['SubCategories'])) $info[$lang_picinfo['iptcSubCategories']] = trim(implode(" ",$iptc['SubCategories']));
    }
.
  Save your edits, then upload the edited file to your webserver, overwriting the exiting one.
  
• users running the devel version cpg1.4.x: make sure to update all your files from the cvs as suggested in the sticky thread on the cpg1.4 testing/bugs board.
  
• users running unsupported ports (especially those who run the deprecated nuke ports): we have no idea if the vulnerability exists in your code as well, but you should take a look at it and use the fix if applicable

I will package up a new stable release (cpg1.3.4) that will be available soon. It will contain the fix discussed in this thread.
[edit GauGau]
New package released: a brand new package cpg1.3.4 has been released that contains the above mentioned fix. - Download cpg1.3.4
[/edit]

Joachim

[edit]
Fixed the bug described below, uploaded new file and changed the instructions above accordingly. - Aditya
[/edit]

[Joachim Müller]

it contains another syntax of the fix that does the same, but is cleaner, code-wise. Both versions are safe.

[bazil749]

No they are not...that's what I'm trying to say.  Or maybe it's a problem with your mirrors....

The point is, I upgrade from 1.3.2 to 1.3.4 and I got this error tonight.  This is how I ended up in this forum.

it contains another syntax of the fix that does the same, but is cleaner, code-wise. Both versions are safe.

[Aditya Mooley]

Which mirror did you used to download the package?
I downloaded it from http://easynews.dl.sourceforge.net/sourceforge/coppermine/cpg1.3.4.zip and it has the fixes.

Though the fix in the latest stable version is a bit different than what is given in the first post, as GauGau said, both the versions are safe.

[bazil749]

That link didin't work for me.  I used a couple differnet mirrors, this one for instance:

http://internap.dl.sourceforge.net/sourceforge/coppermine/cpg1.3.4.zip


Hey, I'm not trying to accuse anyone of anything, I'm just saying that it ain't working for me.  Maybe the "fixes" are a bit different in truth, but the only thing that worked for me is the fix on this page...

Once again like I said, I never knew bout this problem before upgrading to the stable version I downloaded tonight.  Or maybe it's my configuration or something, who knows.  I'm just trying to help other people not go through the hours I spent trying to fix this.  Cuz when I read that the downloaded version was fixed, I was pulling my hair out wondering why it doesn't work.

Maybe you should just stick the fix here in the stable version instead of the "other" fix.  Just out of curiousity, what was the "other" fix?

Which mirror did you used to download the package?
I downloaded it from http://easynews.dl.sourceforge.net/sourceforge/coppermine/cpg1.3.4.zip and it has the fixes.

Though the fix in the latest stable version is a bit different than what is given in the first post, as GauGau said, both the versions are safe.

[bazil749]

I had to manually make the change on lines 334 and 336 and change the isset to isempty....That's the ONLY thing that worked for me.

No they are not...that's what I'm trying to say.  Or maybe it's a problem with your mirrors....

The point is, I upgrade from 1.3.2 to 1.3.4 and I got this error tonight.  This is how I ended up in this forum.

it contains another syntax of the fix that does the same, but is cleaner, code-wise. Both versions are safe.

[Aditya Mooley]

I had to manually make the change on lines 334 and 336 and change the isset to isempty....That's the ONLY thing that worked for me.

The code which you changed is a part of a fix just to avoid the warning messages which were getting displayed after fixing the XSS vulnerability. The actual fix line 328 to 331 is present in the stable package.

[bazil749]

Well I'm sorry to say that it's not working.  Maybe you need to check it again, but it's not working for me.  Maybe it's due to my particular images, who knows.  One thing is that I didn't get this error on all my images.  I don't know why.  And of course I don't get it at all if I turn the IPTC on Jpegs off completely.

Just trying to help here guys....

I had to manually make the change on lines 334 and 336 and change the isset to isempty....That's the ONLY thing that worked for me.

The code which you changed is a part of a fix just to avoid the warning messages which were getting displayed after fixing the XSS vulnerability. The actual fix line 328 to 331 is present in the stable package.

[DJMaze]

Probably fixed the issue check revision 1.15 (should be available within 3 hours)
http://cvs.sourceforge.net/viewcvs.py/coppermine/stable/displayimage.php

[Albert]

I've started thread /var/www/cpg134/displayimage.php on line 334 and if I understand this thread right, the problem should be fixed with newest downloads, but I used a download of yesterday. Maybe I had an old version in my cache. It would be good, if there is a md5sum at the website.

With this version I got the error:
b1b10229422583bdad5ca4ff44281ac5  cpg1.3.4.zip

I would like to add, that some exif and IPTC-fields are empty, although the info is in the image. Every Comment contains at the beginning ASCII

[Albert]

A few minutes ago I downloaded cpg1.3.4.zip from 3 different locations and md5sum still is b1b10229422583bdad5ca4ff44281ac5, which produces errors here. Does this version work for others or do we have to be patient for a new version? It is not a problem for me if it takes days, if the problem is solved, I want to know only, if I have to wait.

[donnoman]

I think that you made a mistake in your first post...

I won't comment this, maybe the dev who took care of the fix wants to. In fact, the lines do the same, there is only a cosmetical issue.

Joachim

I think I may have been the dev that changed those two lines to !empty because in working with a specific image I uncovered the fact that isset will return true if its passed a null array. !empty will return false which is the reaction I felt was most appropriate.

[Hekimoglu]

Hello,

I have fixed displayimage.php but ı have an error when ı clik on photos..

Code Select Expand

Parse error: parse error, unexpected  ......../modules/coppermine/displayimage.php on line 577

Can you Help me???

[Joachim Müller]

Means that you haven't applied the fix as suggested. You should perform the actual upgrade instead of trying to fix only parts, especially if you don't understand what a parse error is. Don't clutter this thread with individual support requests.