Maintenance release CPG1.4.6 protects against Apache's .rar vulnerability

Started by Joachim Müller, May 19, 2006, 09:28:04 PM


Joachim Müller

The Coppermine dev team announces the release of cpg1.4.6.
The new release does not contain new features (compared to previous versions of cpg1.4.x), but contains fixes for several minor issues. It takes care as well of the ".rar"-exploit (that actually isn't a Coppermine bug, but a badly implemented feature of the Apache webserver that needed fixing). All Coppermine users are strongly encouraged to upgrade their coppermine version as soon as possible. Upgrade instructions are included in the package (refer to the index file inside the docs folder).

The new package contains all language files that existed up till now (compared to cpg1.4.5, a few new language files have been added).

Get the new release cpg1.4.6 here: http://prdownloads.sourceforge.net/coppermine/cpg1.4.6.zip?download

As suggested above, cpg1.4.6 does not only fix the .rar vulnerability, but several other (minor) issues as well, so everyone should upgrade as suggested. However, if you have a heavily-modified version of coppermine running on your server and can't do the full update, you should at least apply the fix for the ".rar-exploit". To do so, edit include/functions.inc.php with a plain-text editor, find

function replace_forbidden($str)
{
  static $forbidden_chars;
  if (!is_array($forbidden_chars)) {
    global $CONFIG, $mb_utf8_regex;
    if (function_exists('html_entity_decode')) {
      $chars = html_entity_decode($CONFIG['forbiden_fname_char'], ENT_QUOTES, 'UTF-8');
    } else {
      $chars = str_replace(array('&amp;', '&quot;', '&lt;', '&gt;', '&nbsp;', '&#39;'), array('&', '"', '<', '>', ' ', "'"), $CONFIG['forbiden_fname_char']);
    }
    preg_match_all("#$mb_utf8_regex".'|[\x00-\x7F]#', $chars, $forbidden_chars);
  }
  /**
   * $str may also come from $_POST, in this case, all &, ", etc will get replaced with entities.
   * Replace them back to normal chars so that the str_replace below can work.
   */
  $str = str_replace(array('&amp;', '&quot;', '&lt;', '&gt;'), array('&', '"', '<', '>'), $str);

  return str_replace($forbidden_chars[0], '_', $str);
}
and replace with

function replace_forbidden($str)
{
  static $forbidden_chars;
  if (!is_array($forbidden_chars)) {
    global $CONFIG, $mb_utf8_regex;
    if (function_exists('html_entity_decode')) {
      $chars = html_entity_decode($CONFIG['forbiden_fname_char'], ENT_QUOTES, 'UTF-8');
    } else {
      $chars = str_replace(array('&amp;', '&quot;', '&lt;', '&gt;', '&nbsp;', '&#39;'), array('&', '"', '<', '>', ' ', "'"), $CONFIG['forbiden_fname_char']);
    }
    preg_match_all("#$mb_utf8_regex".'|[\x00-\x7F]#', $chars, $forbidden_chars);
  }
  /**
   * $str may also come from $_POST, in this case, all &, ", etc will get replaced with entities.
   * Replace them back to normal chars so that the str_replace below can work.
   */
  $str = str_replace(array('&amp;', '&quot;', '&lt;', '&gt;'), array('&', '"', '<', '>'), $str);
  $return = str_replace($forbidden_chars[0], '_', $str);

  /**
  * Fix the obscure, misdocumented "feature" in Apache that causes the server
  * to process the last "valid" extension in the filename (rar exploit): replace all
  * dots in the filename except the last one with an underscore.
  */
  // A name without any dot has no extension to preserve; return it unchanged
  // (otherwise the substr/str_replace below would turn "name" into "name.name").
  if (strrpos($return, '.') === false) {
    return $return;
  }
  // This could be concatenated into a more efficient string later, keeping it in three
  // lines for better readability for now.
  $extension = ltrim(substr($return, strrpos($return, '.')), '.');
  $filenameWithoutExtension = str_replace('.' . $extension, '', $return);
  $return = str_replace('.', '_', $filenameWithoutExtension) . '.' . $extension;

  return $return;
}


The maintenance release cpg1.4.6 of course contains all previous fixes of the 1.4-series as well as several minor issues that have been reported on the bugs board. Please review the changelog that comes with the package for details.

Please do not clutter this announcement thread with individual support requests or similar, only replies that deal with the actual release are allowed - all unrelated replies will be deleted without further notice.
If you have issues with upgrading your coppermine install, post on the cpg1.4.x upgrading sub-board (after having read the docs and after having searched the board).

Joachim
- Coppermine project manager -
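The following is an added, stand-alone illustration of the "only one dot" rule behind the hotfix above; it is not Coppermine code and the function name neutralise_multi_extension() is a name chosen here. It shows why the rule defeats Apache's multiple-extension handling (mod_mime looks at every ".php"-style suffix, so "shell.php.rar" would be handed to the PHP handler) and it handles the inputs the hotfix does not, such as names without an extension:

```php
<?php
// Added example, not Coppermine's own code. Collapses every dot except the
// last one so that only the final extension is visible to Apache's mod_mime.

function neutralise_multi_extension(string $filename): string
{
    $lastDot = strrpos($filename, '.');
    // No dot at all, or a dot-file such as ".htaccess": there is no
    // base-name/extension split to rewrite, so return the name unchanged.
    if ($lastDot === false || $lastDot === 0) {
        return $filename;
    }
    $base = substr($filename, 0, $lastDot);   // everything before the last dot
    $ext  = substr($filename, $lastDot + 1);  // the extension Apache will actually use
    // Replace the remaining dots in the base name: "x.php.rar" -> "x_php.rar",
    // so no ".php" token is left for mod_mime to match.
    return str_replace('.', '_', $base) . '.' . $ext;
}

// Constructed sample filenames with the result expected from the rule above.
$samples = [
    'holiday.jpg'    => 'holiday.jpg',
    'shell.php.rar'  => 'shell_php.rar',
    'a.b.c.jpg'      => 'a_b_c.jpg',
    'image.jpg.jpg'  => 'image_jpg.jpg',
    'README'         => 'README',
    '.htaccess'      => '.htaccess',
];

foreach ($samples as $input => $expected) {
    $got = neutralise_multi_extension($input);
    printf("%-16s -> %-16s %s\n", $input, $got, $got === $expected ? 'ok' : 'MISMATCH');
}
```

One difference from the posted hotfix is worth knowing when you compare results: the hotfix strips the extension with str_replace('.' . $extension, '', ...), which removes every occurrence of that suffix, so "image.jpg.jpg" becomes "image.jpg" there, whereas the substr-based version above keeps the base name and yields "image_jpg.jpg". Both leave exactly one dot, which is all Apache cares about.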

Joachim Müller

This might not be obvious to everybody: the maintenance release and hotfix will not cure infected webspace (i.e. pages that have fallen victim to the xxx.php.rar exploit). It will only keep sites that haven't been hit by the attack so far from being vulnerable.

Joachim Müller

I removed a reply to this thread for the same reason I posted in my edit at the top of "Patch file from 1.4.4 to 1.4.5 for modified by MODs sites". Start a thread of your own, and don't make your reply stand out unnecessarily. The method described in your posting is not meant for everybody, only for very advanced users. Those advanced users should be capable of following your instructions in the thread mentioned above.

pacimir


Joachim Müller

yes: the fix is to upgrade. If you don't want to/can't, then apply the suggested hotfix. Don't ask cpg1.3.x-related questions on a thread that deals with the announcement of another version.

birddog

Thank you GauGau for the update.

jon_miner

Quote from: GauGau on May 24, 2006, 12:44:13 AM
yes: the fix is to upgrade. If you don't want to/can't, then apply the suggested hotfix. Don't ask cpg1.3.x-related questions on a thread that deals with the announcement of another version.

1. Don't be an ass when someone asks a question.  This thread is not only about the 1.4.6 version, it's also about protecting against the .rar vulnerability.
2. The "hotfix" doesn't apply to 1.3.x, is there a "hotfix" for 1.3.x, or are we all just left out to dry?

jon

Paver

Quote from: jon_miner on June 09, 2006, 10:23:19 PM
1. Don't be an ass when someone asks a question.  This thread is not only about the 1.4.6 version, it's also about protecting against the .rar vulnerability.
2. The "hotfix" doesn't apply to 1.3.x, is there a "hotfix" for 1.3.x, or are we all just left out to dry?

Let's try some understanding.  I think it's clear from Joachim's post that he assumed the hotfix works for 1.3.x.  This is a mistaken assumption, but that's all it is: a mistake.

So let's move on and address your report that the hotfix is not applicable to 1.3.x since there is no function replace_forbidden().  I am looking into writing a hotfix now.  It will be slightly more complicated than the 1.4.x fix.  We need to move this discussion to the cpg1.3 board.  I don't think there's a thread over there now.  I'll post once I have written the hotfix with a link here.

edit: Instead of "now", let's say "today or tomorrow".  There are about a dozen or so forbidden-character replacements in 5 scripts for 1.3.5.  Now I see why a separate function is useful.  I'm thinking adding the function and then replacing those 5 references to function calls is probably the best way to go (and easiest to write up as a hotfix).

Joachim Müller

Quote from: jon_miner on June 09, 2006, 10:23:19 PM
The "hotfix" doesn't apply to 1.3.x, is there a "hotfix" for 1.3.x, or are we all just left out to dry?
As Paver suggested: there apparently is no hotfix for cpg1.3.x available yet. I'm glad he volunteered to come up with one.
Please keep in mind though that support for cpg1.3.x is running out pretty soon. All who run cpg1.3.x should seriously consider upgrading now.
I find it rude though to reply with cpg1.3.x issues on a thread that is clearly labelled cpg1.4.x-only, with a clear statement in the initial announcement not to post unrelated things, as you're making this thread useless for the users it was intended for (the vast majority of coppermine users is already running cpg1.4.x).

Paver

The HOTFIX for Coppermine 1.3.x is available here:
http://forum.coppermine-gallery.net/index.php?topic=32537.0

If you have any questions at all, support or otherwise, reply to that post, *not* here.

Xerom

This has been fixed by coppermine, however if you want to know how to deny execution of scripts in any folder, you can create a .htaccess file and place it into the folder then add the following to it:

RemoveHandler cgi-script .pl .py .jsp .asp .htm .shtml .sh .cgi .php
RemoveHandler php5-script .php

Instead of executing the script, it just displays the script code as text in the browser.

As a precaution I placed this in /albums/userpics/.htaccess and /albums/edit/.htaccess, which seems to have solved my problem and given me peace of mind.
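As an added example (not a file shipped with Coppermine, and not Xerom's exact file), here is a fuller .htaccess for an upload directory such as albums/userpics. It assumes an Apache 2.2-style setup with PHP loaded as mod_php5 and AllowOverride permitting FileInfo and Limit directives; the FilesMatch pattern deliberately matches a script suffix in any position of the name, which is the case the .rar issue is about:

```apache
# Added example for an upload directory; not part of Coppermine.
# Assumes Apache 2.2 directives and mod_php5 (adjust the module name on
# other versions; on Apache 2.4 replace Order/Deny with "Require all denied").

# 1. Detach every script handler and MIME type in this tree, so a suffix such
#    as ".php" has no meaning here whatever position it occupies in the name.
RemoveHandler .php .phtml .php3 .php4 .php5 .pl .py .cgi .sh
RemoveType    .php .phtml .php3 .php4 .php5

# 2. mod_php only: turn the engine off for the whole directory, so a handler
#    re-attached elsewhere (e.g. by AddType in a global php.conf) still does
#    not run code from here.
<IfModule mod_php5.c>
    php_flag engine off
</IfModule>

# 3. Rather than serving script source as plain text (which hands back whatever
#    was uploaded), refuse to serve anything that carries a script suffix at all,
#    including "name.php.rar".
<FilesMatch "\.(php[0-9]?|phtml|pl|py|cgi|sh)(\.|$)">
    Order Deny,Allow
    Deny from all
</FilesMatch>
```

RemoveHandler alone, as in the post above, stops execution only where PHP is wired in through a handler; step 2 covers installations that attach PHP through AddType instead, and step 3 means a leftover "xxx.php.rar" on an already-hit site returns 403 instead of its source.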