php security issue / coppermine

[Joe Belmaati]

As some of you may know, it was revealed last night that php versions < 4.3.10 (the latest version) have serious security related issues that relate to the functions serialize(); and unserialize(); which are used for cookie management. An opening makes it possible to roll out config files and harvest usernames passwords to database etc etc. There is a fix for this problem for phpbb as described in this thread:

http://forum.coppermine-gallery.net/index.php?topic=12869.0

Unfortunately, the code necessary to use this exploit is publicly available and short of asking everyone to upgrade to php version 4.3.10, I am wondering if a solution can be found to work with Coppermine before the databases start disappearing.

Any thoughts on this...?

Sincerely,
Joe Belmaati
Copenhagen Denmark

The following files in CPG use serialize(); / unserialize();

addfav.php, displayecard.php, ecard.php, upload.php, versioncheck.php

[Tranz]

I don't think webhosts really have a choice. They must upgrade. Not doing so is irresponsible.

That said, the dev team is looking into the issue.

[Joachim Müller]

the exploit uses the weakness of two php commands - Tarique (Coppermine head dev) is looking into a method that allows us to change the coppermine core code to avoid the two critical commands. As TranzNDance already pointed out: this will fix PHP's weakness only for the coppermine code; other well-known and established applications use the vulnerable commands as well, so you'd have to fix all other PHP coding on your server as well. The best option is to patch PHP and the Zend Optimizer as suggested (or have your webhost fix it); all other options are no real cure, but only fiddling with symptoms.

Joachim

[TheKog]

I use phpBB and CPG, bridges and sharing a database. I also use the attachmod for phpBB. Prior to tonite I was using:
cpg 132
phpBB 2.0.10
attachmod 2.3.10

I upgraded phpBB to 2.0.11, and attachmod to 2.3.11, and all still appears to be working. I have not modded CPG in anyway other than to put in my own theme. I am using the default bridging and have not had any errors come up, as Joe did. I'm not sure why but...

I sure hope ya'll can do something to close any issues with CPG 132 using PHP 4.3.9. My host, who uses cpanel and many others are finding numerous compatibility issues with the 4.3.10 interpreter, zend, etc so are dragging their feet to update. This is also why other popular php server apps are updating their code as well as recommending you update PHP when you can.

Regards,
Mike

[Nibbler]

If your host hasn't updated yet I'd be seriously considering switching hosts.

[Tarique Sani]

After due consideration I have concluded that we should not cripple the CPG code with patches for problems which are not really CPG code issues and will not be really solved by substituting the two functions.

Upgrade to PHP 4.3.10 is the real answer and the host has to do it...

[Joe Belmaati]

Contrary to the phpbb santy bug which took over an entire server, it is my understanding that the weakness in 4.3.9 is related to stand alone applications such as phpbb, Coppermine or phpMyAdmin, correct?

[Hein Traag]

<snip>"other well-known and established applications use the vulnerable commands as well, so you'd have to fix all other PHP coding on your server as well. The best option is to patch PHP and the Zend Optimizer as suggested (or have your webhost fix it); all other options are no real cure, but only fiddling with symptoms."</snip>

Joachim

@Joe
The santy bug exploit a weakness in the PHP language. Especially version 4.3.9. So the only real logical option you have is to update the language those individual applications are based on and not the the applications themselves. Wouldn't make sense to edit the applications when you can solve the problem by updating the language they are written in.

[TheKog]

Maybe CPG has such a small user population that you can take this stance and ignore the compatibility issues with the latest PHP. PHP server apps such as phpBB that have significantly large user bases are modifying their code as well as recommending an upgrade of PHP when it is possible. They recognize that hosts have to consider compatibility of all the applications and may not be able to upgrade immediately until the compatibility issues are worked out. They recognize that their users' security is paramount and even more important than whether their code is "crippled" temporarily.

If this is the position of the CPG group we will be taking down our gallery for the time being.

[Joachim Müller]

The recommended solution is to upgrade your PHP and Zend Optimzer version as suggested. The phpbb staff was able to come up with an easy solution that fixes things for the time being (while a user can't/won't update as suggested)  by using a workaround (they had to, as it was an epedemic) - it's not that easy to find a workaround for coppermine, as the commands in question are something that core parts of coppermine rely on. If there were an easy fix, we'd post it. Most apps written in PHP are vulnerable as long as people use an unpatched box - do you suggest thousands of developers for thousands of applications should find a workaround that makes their application immune against the exploit?
To find an analogy to the real world: although car manufacturers realize that people can get killed when someone fires a gun at them while they sit in a car, they don't use bullet-proof glass and armored metal when building new cars. Instead, they rely on authorities to prevent people from getting shot, even if there's a mad assassin on the loose.
When the worm Sasser broke loose in the internet, people were recommended to patch their OS to stop their boxes from being vulnerable to attacks on the LSASS component - I have little sympathy for users who still have unpatched Windows installs.
People who run their own server (webhosts as well as individuals) have the responsibility to maintain/update/patch their systems constantly - the current worm epedemic is just forcing them to do so immediately. Maybe this helps to chill down the php hype of the past years - after all it's just an app itself that can contain bugs as well as any other piece of software.

Joachim

[Tranz]

phpBB also recommends that everyone should upgrade and that the issue is beyond their control and it affects many sites.

The compatibility issues with php v 4.3.10 have been resolved with Zend optimizer, as GauGau pointed out. If other scripts still have issues, that is their problem that they have to fix.

It is like if there were a recall on a car model due to a defect that would make it blow up when going up a hill. Owners can get it fixed, or avoid going up hills. But they can't expect the world to be leveled of all inclines to suit their defective cars.