Security fix for coppermine: EXIF XSS vulnerability *MUST READ* Security fix for coppermine: EXIF XSS vulnerability *MUST READ*
 

News:

cpg1.5.48 Security release - upgrade mandatory!
The Coppermine development team is releasing a security update for Coppermine in order to counter a recently discovered vulnerability. It is important that all users who run version cpg1.5.46 or older update to this latest version as soon as possible.
[more]

Main Menu

Security fix for coppermine: EXIF XSS vulnerability *MUST READ*

Started by Joachim Müller, August 19, 2005, 08:37:27 AM

Previous topic - Next topic

0 Members and 2 Guests are viewing this topic.

Joachim Müller

A XSS vulnerability has been found in EXIF data. As Coppermine is capable of displaying EXIF data, everybody who runs coppermine (any version) will have to apply this security fix as soon as possible:
  • users running cpg1.3.3 should download the file attached, rename it from "displayimage.txt" to "displayimage.php" and upload it to their webserver into the coppermine root folder, replacing the existing file on the server.
  • users running any previous version should upgrade to cpg1.3.4, as there are several other things that have been fixed. If you can't do this now, make sure to fix the vulnerability: Edit displayimage.php with a text editor, find    if (isset($exif) && is_array($exif)) {and replace with    if (isset($exif) && is_array($exif)) {
            //Sanitize the data - to fix the XSS vulnerability - Aditya
            foreach ($exif as $key=>$data) {
              $exif[$key] = htmlentities(strip_tags(trim($data,"\x7f..\xff\x0..\x1f")),ENT_QUOTES); //sanitize data against sql/html injection; trim any nongraphical non-ASCII character:
            }

    Next, find
    if (isset($iptc) && is_array($iptc)) {
            if (isset($iptc['Title'])) $info[$lang_picinfo['iptcTitle']] = trim($iptc['Title']);
            if (isset($iptc['Copyright'])) $info[$lang_picinfo['iptcCopyright']] = trim($iptc['Copyright']);
            if (!empty($iptc['Keywords'])) $info[$lang_picinfo['iptcKeywords']] = trim(implode(" ",$iptc['Keywords']));
            if (isset($iptc['Category'])) $info[$lang_picinfo['iptcCategory']] = trim($iptc['Category']);
            if (!empty($iptc['SubCategories'])) $info[$lang_picinfo['iptcSubCategories']] = trim(implode(" ",$iptc['SubCategories']));
        }

    and replace with
    if (isset($iptc) && is_array($iptc)) {
            //Sanitize the data - to fix the XSS vulnerability - Aditya
            foreach ($iptc as $key=>$data) {
              $iptc[$key] = htmlentities(strip_tags(trim($data,"\x7f..\xff\x0..\x1f")),ENT_QUOTES); //sanitize data against sql/html injection; trim any nongraphical non-ASCII character:
            }
            if (isset($iptc['Title'])) $info[$lang_picinfo['iptcTitle']] = trim($iptc['Title']);
            if (isset($iptc['Copyright'])) $info[$lang_picinfo['iptcCopyright']] = trim($iptc['Copyright']);
            if (!empty($iptc['Keywords'])) $info[$lang_picinfo['iptcKeywords']] = trim(implode(" ",$iptc['Keywords']));
            if (isset($iptc['Category'])) $info[$lang_picinfo['iptcCategory']] = trim($iptc['Category']);
            if (!empty($iptc['SubCategories'])) $info[$lang_picinfo['iptcSubCategories']] = trim(implode(" ",$iptc['SubCategories']));
        }
    .
    Save your edits, then upload the edited file to your webserver, overwriting the exiting one.
  • users running the devel version cpg1.4.x: make sure to update all your files from the cvs as suggested in the sticky thread on the cpg1.4 testing/bugs board.
  • users running unsupported ports (especially those who run the deprecated nuke ports): we have no idea if the vulnerability exists in your code as well, but you should take a look at it and use the fix if applicable
I will package up a new stable release (cpg1.3.4) that will be available soon. It will contain the fix discussed in this thread.
[edit GauGau]
New package released: a brand new package cpg1.3.4 has been released that contains the above mentioned fix. - Download cpg1.3.4
[/edit]

Joachim

[edit]
Fixed the bug described below, uploaded new file and changed the instructions above accordingly. - Aditya
[/edit]


pirx

Hi,

I replaced displayimage.php with the attached version. Now I get the following error messages:

Warning: implode(): Bad arguments. in /var/www/cpg133/displayimage.php on line 334
Warning: implode(): Bad arguments. in /var/www/cpg133/displayimage.php on line 336

Ralf

Tarique Sani

Had you enabled IPTC info before applying the above file - the line numbers you are saying are not the ones that were changed

[edit]
Yes - you are right bug is a side effect of the security fix :(
[/]edit]
SANIsoft PHP applications for E Biz

pirx

Hi,

the new displayimage.php fixed the problem. Thank you!

Ralf

stock

Just wanted to check you mean the yellow band that kept coming up with pic info on it? I did wonder and was going to ask, but now this seem to have cured it thanks.

Stock

vuud


Hi,

First off thanks for the work in releasing a security fix!

Second, how does it affect the beta 1.4?

Thanks

Vuud
Please post for help to the forum... PM me only if you are sending security related items (passwords, security problems, etc).

cpmFetch - Images, RSS feeds from CPG from outside CPG
New release notification signup also. 
See http://cpmfetch.fistfullofco

kegobeer

Grab the latest files from the CVS and you'll be good to go.
Do not send me a private message unless I ask for one.  Make your post public so everyone can benefit.

There are no stupid questions
But there are a LOT of inquisitive idiots

vuud

Please post for help to the forum... PM me only if you are sending security related items (passwords, security problems, etc).

cpmFetch - Images, RSS feeds from CPG from outside CPG
New release notification signup also. 
See http://cpmfetch.fistfullofco

Tranz

If someone does not allow other people to upload files, would this keep the gallery from being vulnerable to this?

autumn_whispers2me

I'm running XP and am used to 2000 prof.  XP doesn't seem to allow extension changes, so how would I change the file from .txt to .php ?  Thanks.  :)

kegobeer

Tools - folder options - view - hide extensions for known file types.  Rename away.
Do not send me a private message unless I ask for one.  Make your post public so everyone can benefit.

There are no stupid questions
But there are a LOT of inquisitive idiots

Joachim Müller

I have just released the new package cpg1.3.4 that contains above mentioned fix - see the very first posting in this thread.

maolu

Quote from: GauGau on August 19, 2005, 08:37:27 AM
[edit GauGau]
New package released: a brand new package cpg1.3.4 has been released that contains the above mentioned fix. - Download cpg1.3.4
[/edit]

Everytime I visit my coppermine gallery a Microsoft Outlook Installer takes place and i cannot understand the reason why, but it really seems some kind of malware.
I tested on several machines and since this thing started this morning (italian time) i suppose it's related to this bug, but even if i upload the new coppermine version (1.3.4) the problem still remains.

I have to say the problem appears ONLY in Coppermine's pages and you can find it here (if you dare...) www.maolu.it/gallery

Could this be related to the XSS vulnerability?

A kind thanks for your work

maolu

OK solved...

i wasn't able to see the changings 'cause of my workingplace's proxy.

Excuseme everybody
:-[

canelli

QuoteEverytime I visit my coppermine gallery a Microsoft Outlook Installer takes place and i cannot understand the reason why, but it really seems some kind of malware

I'm visiting your gallery and no strange action take place.  You are not using exiff data in your picture. so your problems are not related with tihs bug.  Check your PC, clear the bowser cache, and try again

claudio

Joachim Müller

maolu has already resolved the issues he/she experienced: it wasn't coppermine acting up, but improper proxy settings. The whole issue is not related to the XSS vulnerability nor the fix, so I'm marking the postings that deal with it as "invalid".

@all: please do only reply to announcement threads like this one if you have something to say that everyone could benefit from (e.g. a broken link or similar). Individual issues you might consider to be related to XSS vulnerabilities should not go into this thread - start a new thread instead on the support board. Help us to keep announcement threads clean and focused on the issues they deal with. If announcement threads drift to much or contain irrelevant information, other users might miss important stuff because of the "background noise". We had to lock most announcement threads soon after they were started because people replied with irrelevant issues. Try not to mess with this thread as well, it'd be a pity if we had to lock it as we had to in the past.

odie3

Question:

This file [displayimage.php] makes a Coppermine install 1.3.3 into 1.3.4?  Or should 1.3.3 users download 1.3.4 release and upgrade?  I hope this reply is okay in this thread, if not sorry.
Odie3

Joachim Müller

Quote from: GauGau on August 19, 2005, 08:37:27 AM
  • users running cpg1.3.3 should download the file attached, rename it from "displayimage.txt" to "displayimage.php" and upload it to their webserver into the coppermine root folder, replacing the existing file on the server.

odie3

Yes I read that but I guess what I really wanted to know if I should update my Coppermine to version 1.3.4 [which I assume is stored in the DB].
Odie3

Nibbler

You don't need to do anything with your database. The version number is stored in include/init.inc.php