Security fix for coppermine: EXIF XSS vulnerability *MUST READ* - Page 3 Security fix for coppermine: EXIF XSS vulnerability *MUST READ* - Page 3
 

News:

cpg1.5.48 Security release - upgrade mandatory!
The Coppermine development team is releasing a security update for Coppermine in order to counter a recently discovered vulnerability. It is important that all users who run version cpg1.5.46 or older update to this latest version as soon as possible.
[more]

Main Menu

Security fix for coppermine: EXIF XSS vulnerability *MUST READ*

Started by Joachim Müller, August 19, 2005, 08:37:27 AM

Previous topic - Next topic

0 Members and 2 Guests are viewing this topic.

Joachim Müller


bazil749

As of 2nite 9/19/05 the ver. 1.3.4 that is up for download DOES NOT contain the fix.

I had to get it from this file....

Quote from: GauGau on August 19, 2005, 08:37:27 AM
A XSS vulnerability has been found in EXIF data. As Coppermine is capable of displaying EXIF data, everybody who runs coppermine (any version) will have to apply this security fix as soon as possible:
  • users running cpg1.3.3 should download the file attached, rename it from "displayimage.txt" to "displayimage.php" and upload it to their webserver into the coppermine root folder, replacing the existing file on the server.
  • users running any previous version should upgrade to cpg1.3.4, as there are several other things that have been fixed. If you can't do this now, make sure to fix the vulnerability: Edit displayimage.php with a text editor, find    if (isset($exif) && is_array($exif)) {and replace with    if (isset($exif) && is_array($exif)) {
            //Sanitize the data - to fix the XSS vulnerability - Aditya
            foreach ($exif as $key=>$data) {
              $exif[$key] = htmlentities(strip_tags(trim($data,"\x7f..\xff\x0..\x1f")),ENT_QUOTES); //sanitize data against sql/html injection; trim any nongraphical non-ASCII character:
            }

    Next, find
    if (isset($iptc) && is_array($iptc)) {
            if (isset($iptc['Title'])) $info[$lang_picinfo['iptcTitle']] = trim($iptc['Title']);
            if (isset($iptc['Copyright'])) $info[$lang_picinfo['iptcCopyright']] = trim($iptc['Copyright']);
            if (!empty($iptc['Keywords'])) $info[$lang_picinfo['iptcKeywords']] = trim(implode(" ",$iptc['Keywords']));
            if (isset($iptc['Category'])) $info[$lang_picinfo['iptcCategory']] = trim($iptc['Category']);
            if (!empty($iptc['SubCategories'])) $info[$lang_picinfo['iptcSubCategories']] = trim(implode(" ",$iptc['SubCategories']));
        }

    and replace with
    if (isset($iptc) && is_array($iptc)) {
            //Sanitize the data - to fix the XSS vulnerability - Aditya
            foreach ($iptc as $key=>$data) {
              $iptc[$key] = htmlentities(strip_tags(trim($data,"\x7f..\xff\x0..\x1f")),ENT_QUOTES); //sanitize data against sql/html injection; trim any nongraphical non-ASCII character:
            }
            if (isset($iptc['Title'])) $info[$lang_picinfo['iptcTitle']] = trim($iptc['Title']);
            if (isset($iptc['Copyright'])) $info[$lang_picinfo['iptcCopyright']] = trim($iptc['Copyright']);
            if (!empty($iptc['Keywords'])) $info[$lang_picinfo['iptcKeywords']] = trim(implode(" ",$iptc['Keywords']));
            if (isset($iptc['Category'])) $info[$lang_picinfo['iptcCategory']] = trim($iptc['Category']);
            if (!empty($iptc['SubCategories'])) $info[$lang_picinfo['iptcSubCategories']] = trim(implode(" ",$iptc['SubCategories']));
        }
    .
    Save your edits, then upload the edited file to your webserver, overwriting the exiting one.
  • users running the devel version cpg1.4.x: make sure to update all your files from the cvs as suggested in the sticky thread on the cpg1.4 testing/bugs board.
  • users running unsupported ports (especially those who run the deprecated nuke ports): we have no idea if the vulnerability exists in your code as well, but you should take a look at it and use the fix if applicable
I will package up a new stable release (cpg1.3.4) that will be available soon. It will contain the fix discussed in this thread.
[edit GauGau]
New package released: a brand new package cpg1.3.4 has been released that contains the above mentioned fix. - Download cpg1.3.4
[/edit]

Joachim

[edit]
Fixed the bug described below, uploaded new file and changed the instructions above accordingly. - Aditya
[/edit]



Joachim Müller

it contains another syntax of the fix that does the same, but is cleaner, code-wise. Both versions are safe.

bazil749

No they are not...that's what I'm trying to say.  Or maybe it's a problem with your mirrors....

The point is, I upgrade from 1.3.2 to 1.3.4 and I got this error tonight.  This is how I ended up in this forum.

Quote from: GauGau on September 20, 2005, 08:18:50 AM
it contains another syntax of the fix that does the same, but is cleaner, code-wise. Both versions are safe.

Aditya Mooley

Which mirror did you used to download the package?
I downloaded it from http://easynews.dl.sourceforge.net/sourceforge/coppermine/cpg1.3.4.zip and it has the fixes.

Though the fix in the latest stable version is a bit different than what is given in the first post, as GauGau said, both the versions are safe.
--- "Its Nice 2 BE Important but its more Important 2 Be NICE" ---
Follow Coppermine on Twitter

bazil749

That link didin't work for me.  I used a couple differnet mirrors, this one for instance:

http://internap.dl.sourceforge.net/sourceforge/coppermine/cpg1.3.4.zip


Hey, I'm not trying to accuse anyone of anything, I'm just saying that it ain't working for me.  Maybe the "fixes" are a bit different in truth, but the only thing that worked for me is the fix on this page...

Once again like I said, I never knew bout this problem before upgrading to the stable version I downloaded tonight.  Or maybe it's my configuration or something, who knows.  I'm just trying to help other people not go through the hours I spent trying to fix this.  Cuz when I read that the downloaded version was fixed, I was pulling my hair out wondering why it doesn't work.

Maybe you should just stick the fix here in the stable version instead of the "other" fix.  Just out of curiousity, what was the "other" fix?

Quote from: Aditya Mooley on September 20, 2005, 01:36:16 PM
Which mirror did you used to download the package?
I downloaded it from http://easynews.dl.sourceforge.net/sourceforge/coppermine/cpg1.3.4.zip and it has the fixes.

Though the fix in the latest stable version is a bit different than what is given in the first post, as GauGau said, both the versions are safe.

bazil749

I had to manually make the change on lines 334 and 336 and change the isset to isempty....That's the ONLY thing that worked for me.

Quote from: bazil749 on September 20, 2005, 01:02:09 PM
No they are not...that's what I'm trying to say.  Or maybe it's a problem with your mirrors....

The point is, I upgrade from 1.3.2 to 1.3.4 and I got this error tonight.  This is how I ended up in this forum.

Quote from: GauGau on September 20, 2005, 08:18:50 AM
it contains another syntax of the fix that does the same, but is cleaner, code-wise. Both versions are safe.

Aditya Mooley

Quote from: bazil749 on September 20, 2005, 01:55:44 PM
I had to manually make the change on lines 334 and 336 and change the isset to isempty....That's the ONLY thing that worked for me.
The code which you changed is a part of a fix just to avoid the warning messages which were getting displayed after fixing the XSS vulnerability. The actual fix line 328 to 331 is present in the stable package.
--- "Its Nice 2 BE Important but its more Important 2 Be NICE" ---
Follow Coppermine on Twitter

bazil749

Well I'm sorry to say that it's not working.  Maybe you need to check it again, but it's not working for me.  Maybe it's due to my particular images, who knows.  One thing is that I didn't get this error on all my images.  I don't know why.  And of course I don't get it at all if I turn the IPTC on Jpegs off completely.

Just trying to help here guys....

Quote from: Aditya Mooley on September 20, 2005, 02:04:50 PM
Quote from: bazil749 on September 20, 2005, 01:55:44 PM
I had to manually make the change on lines 334 and 336 and change the isset to isempty....That's the ONLY thing that worked for me.
The code which you changed is a part of a fix just to avoid the warning messages which were getting displayed after fixing the XSS vulnerability. The actual fix line 328 to 331 is present in the stable package.

DJMaze

There are 2 kinds of users in this world: satisfied and complainers.
Why do we never hear something from the satisfied users?
http://coppermine-gallery.net/forum/index.php?topic=24315.0

Albert

I've started thread /var/www/cpg134/displayimage.php on line 334 and if I understand this thread right, the problem should be fixed with newest downloads, but I used a download of yesterday. Maybe I had an old version in my cache. It would be good, if there is a md5sum at the website.

With this version I got the error:
b1b10229422583bdad5ca4ff44281ac5  cpg1.3.4.zip

I would like to add, that some exif and IPTC-fields are empty, although the info is in the image. Every Comment contains at the beginning ASCII

Albert

A few minutes ago I downloaded cpg1.3.4.zip from 3 different locations and md5sum still is b1b10229422583bdad5ca4ff44281ac5, which produces errors here. Does this version work for others or do we have to be patient for a new version? It is not a problem for me if it takes days, if the problem is solved, I want to know only, if I have to wait.

donnoman

Quote from: Makc666 on August 24, 2005, 12:14:03 AM
I think that you made a mistake in your first post...
I won't comment this, maybe the dev who took care of the fix wants to. In fact, the lines do the same, there is only a cosmetical issue.

Joachim

Quote

I think I may have been the dev that changed those two lines to !empty because in working with a specific image I uncovered the fact that isset will return true if its passed a null array. !empty will return false which is the reaction I felt was most appropriate.

Hekimoglu

Hello,

I have fixed displayimage.php but ı have an error when ı clik on photos..


Parse error: parse error, unexpected  ......../modules/coppermine/displayimage.php on line 577

Can you Help me???

Joachim Müller

Means that you haven't applied the fix as suggested. You should perform the actual upgrade instead of trying to fix only parts, especially if you don't understand what a parse error is. Don't clutter this thread with individual support requests.