cpg1.4.21 Security release - upgrade mandatory!

Started by Joachim Müller, March 02, 2009, 09:08:40 AM

Joachim Müller

The Coppermine development team is releasing a security update for Coppermine in order to counter a recently discovered vulnerability. It is important that all users who run version cpg1.4.20 or older update to this latest version as soon as possible.

How to update:
Users running versions prior to 1.4.21 should update immediately by downloading the latest version from the download page and following the upgrade steps in the documentation.  For those who want to apply the vulnerability fix manually to their Coppermine installation, read the message that follows this one (link).

Support:
If you have problems with this update, please use the Update support board. Do not post your issues to this announcement thread - your post will be deleted without notice.

Why was cpg1.4.21 released?
The release covers a recently discovered vulnerability that allows (if unpatched) a user to launch a CSRF attack (definition) against your website (milw0rm exploit 8114 and 8115).  The vulnerability is due to the processing of the bbcode tags [ i m g ] and [ u r l ].  The attack that can be launched through these tags can be wide-reaching and all gallery administrators must take this seriously.  Since cpg1.4.x is a stable release package, the Coppermine development team could not address this vulnerability without a large change in the way forms are handled.  So the solution is to remove the correct processing of the two bbcode tags, [ i m g ] and [ u r l ].  This is not a final solution but it is necessary to address this serious vulnerability.  The Coppermine dev team is working on a way to handle these bbcode tags and will post here with more information.  You can read information about how these tags are now processed and how to hack in your own solution in the bbcode section of the documentation.

Additionally, cpg1.4.21 includes fixes for the following non-security related issues:
  • Fixed HTML special characters in referer for hit/vote stats (thread)
  • Fixed converting 'search_phrase' from array to string for table 'hit_stats'
  • Fixed 'unknown' browser field in hit_stats table (thread)
  • Fixed invalid query limit in 'random' meta-album in certain cases (thread)
  • Fixed 'Selecting private pics as a category thumbnail' issue (thread)

Thanks to StAkeR at milw0rm who discovered the vulnerability.

The Coppermine Team
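
The following is an added illustration, not part of the announcement and not Coppermine's own code: a Python model of what bb_decode() emits for an [img] or [url=...] tag with the pre-1.4.21 templates and with the 1.4.21 placeholder templates, plus a helper that lists which of the emitted URLs a viewer's browser requests on its own. The regular expressions and template strings are transcribed from the PHP posted further down in this thread (only the [img]scheme://...[/img] and [url=scheme://...]...[/url] forms are modelled, with the redundant {1} quantifier dropped). The target address is a constructed, hypothetical endpoint standing in for any state-changing GET request on a victim gallery; it is not a real Coppermine path. The point it makes: an <img src="..."> is fetched by the browser of whoever views the comment, with that person's session cookies attached, so a comment carrying such a tag is a request forged on behalf of every admin who opens the page. With the 1.4.21 templates the only thing fetched is the local placeholder image.

```python
"""Model of how Coppermine's bb_decode() turns [img]/[url] bbcode into HTML,
before and after the cpg1.4.21 change.

Added example in Python, not the project's PHP. The regexes and templates are
transcribed from the bb_decode() shown in this thread; the target URL is a
constructed, hypothetical endpoint, not a real Coppermine path.
"""
import re

# Character class Coppermine accepts inside a bbcode URL. It contains no quote,
# angle bracket or whitespace, so a matched URL cannot close an HTML attribute.
URL_CHARS = r"[a-z0-9\-\.,\?!%\*_\#:;~\&$@\/=\+\(\)]+"

IMG_RE = re.compile(r"\[img\]([a-z]+?://)(" + URL_CHARS + r")\[/img\]", re.I | re.S)
URL_RE = re.compile(r"\[url=([a-z]+?://)(" + URL_CHARS + r")\](.*?)\[/url\]", re.I | re.S)

# Templates before 1.4.21: the user-supplied URL becomes a src/href that the
# viewer's browser acts on.
ORIGINAL = {
    "img": '<img src="{URL}" alt="" />',
    "url": '<span class="bblink"><a href="{URL}" rel="external">{DESCRIPTION}</a></span>',
}
# Templates in 1.4.21: a fixed placeholder image is shown and the URL survives
# only as a title attribute (tooltip), which no browser fetches or follows.
PATCHED = {
    "img": '<img src="images/thumbnails.gif" alt="" title="{URL}" />',
    "url": '{DESCRIPTION}<img src="images/descending.gif" alt="" title="{URL}" />',
}


def bb_decode(text, tpl):
    """Expand [img] and [url=...] tags in text using the given template set."""
    def img(m):
        return tpl["img"].replace("{URL}", m.group(1) + m.group(2))

    def url(m):
        # The description capture is unrestricted; its safety rests on whatever
        # escaping the caller applied before bb_decode, which is not modelled here.
        return (tpl["url"].replace("{URL}", m.group(1) + m.group(2))
                          .replace("{DESCRIPTION}", m.group(3)))

    text = IMG_RE.sub(img, text)
    return URL_RE.sub(url, text)


SRC_RE = re.compile(r'<img\b[^>]*\ssrc="([^"]*)"')


def auto_fetched(rendered_html):
    """URLs a browser requests without any click, sending the viewer's cookies.
    For an admin viewing a comment page, each of these is a forged request."""
    return SRC_RE.findall(rendered_html)


# Constructed attacker comment; the path is hypothetical.
TARGET = "http://gallery.example/hypothetical_admin_action.php?do=delete&id=42"
IMG_COMMENT = "[img]" + TARGET + "[/img]"
URL_COMMENT = "[url=" + TARGET + "]nice photo[/url]"

if __name__ == "__main__":
    for name, tpl in (("original", ORIGINAL), ("1.4.21", PATCHED)):
        for comment in (IMG_COMMENT, URL_COMMENT):
            html = bb_decode(comment, tpl)
            print(name, "|", html)
            print("   auto-fetched:", auto_fetched(html))
```

Running it prints both renderings of both comments. Note that the 1.4.21 title attribute still carries the raw URL; that is only safe because the URL character class admits no quote, angle bracket or space, so a tag containing a quote simply fails to match and is left as literal text.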

Paver

To apply the fix manually for the CSRF vulnerability described above, do the following.  However, please note that you will not be applying any of the other non-security related bug fixes included in 1.4.21 and you will also not be applying any other fixes included in previous versions before 1.4.21 unless you also apply every single one of them manually.  It is strongly recommended that you update fully to version 1.4.21 by following the instructions above.

Replace the function bb_decode in file include/functions.inc.php with the following code:
// Allow the use of a limited set of phpBB bb codes in albums and image descriptions
// Based on phpBB code

/**
* bb_decode()
*
* @param $text
* @return
**/

function bb_decode($text)
{
    $text = nl2br($text);

    static $bbcode_tpl = array();
    static $patterns = array();
    static $replacements = array();

    // First: If there isn't a "[" and a "]" in the message, don't bother.
    if ((strpos($text, "[") === false || strpos($text, "]") === false)) {
        return $text;
    }

    // [b] and [/b] for bolding text.
    $text = str_replace("[b]", '<b>', $text);
    $text = str_replace("[/b]", '</b>', $text);

    // [u] and [/u] for underlining text.
    $text = str_replace("[u]", '<u>', $text);
    $text = str_replace("[/u]", '</u>', $text);

    // [i] and [/i] for italicizing text.
    $text = str_replace("[i]", '<i>', $text);
    $text = str_replace("[/i]", '</i>', $text);

    // colors
    $text = preg_replace("/\[color=(\#[0-9A-F]{6}|[a-z]+)\]/", '<span style="color:$1">', $text);
    $text = str_replace("[/color]", '</span>', $text);

    // [i] and [/i] for italicizing text.
    //$text = str_replace("[i:$uid]", $bbcode_tpl['i_open'], $text);
    //$text = str_replace("[/i:$uid]", $bbcode_tpl['i_close'], $text);

    if (!count($bbcode_tpl)) {
        // We do URLs in several different ways..
       
        // **** WARNING *******************************************************
        // The [url] tag can be used for a serious attack against your website.
        // So [url] tags are no longer processed to show links.
        // This simple action here is not an ideal solution but is necessary.
        // Now, [url] tags are processed as follows:
        // [url=link]text[/url] shows 'text' with a dummy image for the link.
        // [url]link[/url] shows 'link' as plain text with a dummy image.
        // The following line is the original line that processed [url]:
        // $bbcode_tpl['url']  = '<span class="bblink"><a href="{URL}" rel="external">{DESCRIPTION}</a></span>';
        // ********************************************************************
        // See this thread on the Coppermine forum for more information:
        // http://forum.coppermine-gallery.net/index.php/topic,58309.0.html
        // Please read this thread carefully before deciding to process [url].
        // ********************************************************************
        $url_removed = '{URL}';  // put the image URL in the tooltip/mouse-over
        $bbcode_tpl['url']   = '{DESCRIPTION}<img src="images/descending.gif" alt="" title="' . $url_removed . '" />';
        $bbcode_tpl['email'] = '<span class="bblink"><a href="mailto:{EMAIL}">{EMAIL}</a></span>';

        $bbcode_tpl['url1'] = str_replace('{URL}', '\\1\\2', $bbcode_tpl['url']);
        $bbcode_tpl['url1'] = str_replace('{DESCRIPTION}', '\\1\\2', $bbcode_tpl['url1']);

        $bbcode_tpl['url2'] = str_replace('{URL}', 'http://\\1', $bbcode_tpl['url']);
        $bbcode_tpl['url2'] = str_replace('{DESCRIPTION}', '\\1', $bbcode_tpl['url2']);

        $bbcode_tpl['url3'] = str_replace('{URL}', '\\1\\2', $bbcode_tpl['url']);
        $bbcode_tpl['url3'] = str_replace('{DESCRIPTION}', '\\3', $bbcode_tpl['url3']);

        $bbcode_tpl['url4'] = str_replace('{URL}', 'http://\\1', $bbcode_tpl['url']);
        $bbcode_tpl['url4'] = str_replace('{DESCRIPTION}', '\\2', $bbcode_tpl['url4']);

        $bbcode_tpl['email'] = str_replace('{EMAIL}', '\\1', $bbcode_tpl['email']);

        // [url]xxxx://www.phpbb.com[/url] code..
        $patterns[1] = "#\[url\]([a-z]+?://){1}([a-z0-9\-\.,\?!%\*_\#:;~\\&$@\/=\+\(\)]+)\[/url\]#si";
        $replacements[1] = $bbcode_tpl['url1'];

        // [url]www.phpbb.com[/url] code.. (no xxxx:// prefix).
        $patterns[2] = "#\[url\]([a-z0-9\-\.,\?!%\*_\#:;~\\&$@\/=\+\(\)]+)\[/url\]#si";
        $replacements[2] = $bbcode_tpl['url2'];

        // [url=xxxx://www.phpbb.com]phpBB[/url] code..
        $patterns[3] = "#\[url=([a-z]+?://){1}([a-z0-9\-\.,\?!%\*_\#:;~\\&$@\/=\+\(\)]+)\](.*?)\[/url\]#si";
        $replacements[3] = $bbcode_tpl['url3'];

        // [url=www.phpbb.com]phpBB[/url] code.. (no xxxx:// prefix).
        $patterns[4] = "#\[url=([a-z0-9\-\.,\?!%\*_\#:;~\\&$@\/=\+\(\)]+)\](.*?)\[/url\]#si";
        $replacements[4] = $bbcode_tpl['url4'];

        // [email]user@domain.tld[/email] code..
        $patterns[5] = "#\[email\]([a-z0-9\-_.]+?@[\w\-]+\.([\w\-\.]+\.)?[\w]+)\[/email\]#si";
        $replacements[5] = $bbcode_tpl['email'];

        // [img]xxxx://www.phpbb.com[/img] code..
        // **** WARNING *******************************************************
        // The [img] tag can be used for a serious attack against your website.
        // So [img] tags are no longer processed to show the specified images.
        // This simple action here is not an ideal solution but is necessary.
        // Now [img] tags will show a dummy image instead as a placeholder.
        // ********************************************************************
        // The following line is the original line that processed [img]:
        // $bbcode_tpl['img'] = '<img src="{URL}" alt="" />';
        // ********************************************************************
        // See this thread on the Coppermine forum for more information:
        // http://forum.coppermine-gallery.net/index.php/topic,58309.0.html
        // Please read this thread carefully before deciding to process [img].
        // ********************************************************************
        $img_removed = '{URL}';  // put the image URL in the tooltip/mouse-over
        $bbcode_tpl['img'] = '<img src="images/thumbnails.gif" alt="" title="' . $img_removed . '" />';
        $bbcode_tpl['img'] = str_replace('{URL}', '\\1\\2', $bbcode_tpl['img']);
        $patterns[6] = "#\[img\]([a-z]+?://){1}([a-z0-9\-\.,\?!%\*_\#:;~\\&$@\/=\+\(\)]+)\[/img\]#si";
        $replacements[6] = $bbcode_tpl['img'];
    }
    $text = preg_replace($patterns, $replacements, $text);
    return $text;
}
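
An added check, not part of the Coppermine release or of the patch above, for anyone who applied this edit by hand and wants to confirm that the old templates are really gone. It is a heuristic aimed at the stock lines, not a PHP parser: it ignores // and # line comments, finds uncommented assignments to $bbcode_tpl['img'] and $bbcode_tpl['url'] in include/functions.inc.php, and flags any whose right-hand side puts {URL} straight into a src="..." or href="..." attribute. A template that routed the URL into src through a variable would not be caught. The sample file contents are constructed from the lines shown in this thread.

```python
"""Check whether a Coppermine include/functions.inc.php still carries the
pre-1.4.21 [img]/[url] templates.

Added example, not part of the Coppermine release. Heuristic: looks only at
uncommented $bbcode_tpl['img'] / $bbcode_tpl['url'] assignments and reports
whether {URL} is placed directly into a src or href attribute.
"""
import re
import sys

ASSIGN_RE = re.compile(r"\$bbcode_tpl\['(img|url)'\]\s*=\s*(.+);")
FETCHED_RE = re.compile(r'\b(src|href)\s*=\s*"\{URL\}"')


def active_lines(php_source):
    """Yield (lineno, line) for lines that are not // or # line comments."""
    for n, line in enumerate(php_source.splitlines(), 1):
        s = line.lstrip()
        if s.startswith("//") or s.startswith("#"):
            continue
        yield n, line


def audit_templates(php_source):
    """Map 'img' and 'url' to 'original' (URL lands in src/href), 'placeholder'
    (assigned, but not into src/href) or 'missing' (no live assignment)."""
    status = {"img": "missing", "url": "missing"}
    for _, line in active_lines(php_source):
        m = ASSIGN_RE.search(line)
        if not m:
            continue
        key, expr = m.group(1), m.group(2)
        if FETCHED_RE.search(expr):
            status[key] = "original"       # one live original line is enough
        elif status[key] == "missing":
            status[key] = "placeholder"
    return status


def needs_patch(php_source):
    """Sorted list of tags whose pre-1.4.21 template is still active."""
    return sorted(k for k, v in audit_templates(php_source).items() if v == "original")


# Constructed: the two assignments as they stood before cpg1.4.21.
BEFORE = r"""
        $bbcode_tpl['url']  = '<span class="bblink"><a href="{URL}" rel="external">{DESCRIPTION}</a></span>';
        $bbcode_tpl['img'] = '<img src="{URL}" alt="" />';
"""

# Constructed from the 1.4.21 lines: originals commented out, placeholders live.
AFTER = r"""
        // $bbcode_tpl['url']  = '<span class="bblink"><a href="{URL}" rel="external">{DESCRIPTION}</a></span>';
        $url_removed = '{URL}';
        $bbcode_tpl['url']   = '{DESCRIPTION}<img src="images/descending.gif" alt="" title="' . $url_removed . '" />';
        // $bbcode_tpl['img'] = '<img src="{URL}" alt="" />';
        $img_removed = '{URL}';
        $bbcode_tpl['img'] = '<img src="images/thumbnails.gif" alt="" title="' . $img_removed . '" />';
        $bbcode_tpl['img'] = str_replace('{URL}', '\\1\\2', $bbcode_tpl['img']);
"""

# Constructed: a half-done manual edit that fixed [img] but left [url] as it was.
HALF = AFTER + "        $bbcode_tpl['url']  = '<span class=\"bblink\"><a href=\"{URL}\" rel=\"external\">{DESCRIPTION}</a></span>';\n"

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "include/functions.inc.php"
    with open(path, encoding="utf-8", errors="replace") as f:
        src = f.read()
    print(audit_templates(src))
    sys.exit(1 if needs_patch(src) else 0)
```

Run it from the Coppermine root (or pass the path to functions.inc.php); it prints the status of both templates and exits non-zero when either original template is still live, which makes it usable from a deployment script.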

Pascal YAP

#2
This announcement thread in French (Announcement in French):
http://forum.coppermine-gallery.net/index.php/topic,58345.0.html

Joachim Müller

#3
It is important that all users understand the following facts:
  • It's mandatory to perform the upgrade. You can not sit and wait until your gallery gets hacked because of your reluctance to upgrade. Cleaning up a hacked gallery is much harder than performing frequent backups and upgrading whenever it is necessary.
  • Upgrading to cpg1.4.21 will result in two features getting disabled: you as admin as well as your registered users and your visitors (guests) will no longer be able to use the bbcode tags [ i m g ] and [ u r l ] in comments or upload descriptions. If you have never used those features, then fine - you won't miss anything. Those who actually have used those bbcode tags need to understand that it's not an option not to upgrade just because you're afraid to lose a feature.
  • Currently (as I'm typing this posting), there haven't been reports yet that the exploit mentioned in this thread is being actively used in the wild. But you can be absolutely sure that there will be people who will use those exploits sooner or later. By the time you're reading this, the attack against your site may already be scheduled, so don't hesitate - upgrade right now!
  • If you should already have fallen victim to the exploit mentioned in this thread or any other vulnerability in previous versions that have led to your site getting hacked, you should perform the steps described in the thread "Yikes, I've been hacked! Now what?". Just performing an upgrade after having been hacked is not enough!

Joachim Müller

#4
An unrelated reply to this thread posted by CoolZero has been split and the remainder was moved to the board General discussion (no support!).

Why on earth can't you at least read the thread you're replying to:
Quote from: Joachim Müller on March 02, 2009, 09:08:40 AM
Do not post your issues to this announcement thread - your post will be deleted without notice.
is quite easy to understand. It means: don't reply to this thread. CoolZero is responsible for the fact that we have to lock down this thread as well, as so many threads before. This is selfish and rude, as it disallows legitimate replies to this thread (discussions of the actual release issues). Locking *sigh*