Author Topic: Patch for Coppermine 1.4.3 remote code execution - Update NOW!  (Read 62627 times)
lordprodigy
Coppermine frequent poster
« Reply #20 on: February 27, 2006, 11:10:26 pm »

I am using a modded 1.4.3, I would like to know which files were modified in the 1.4.4 release, so I can upgrade safely without losing all the mods. Will it be sufficient if I only apply the hotfix above? Thanks

Paver
Dev Team member
Paul Van Rompay


« Reply #21 on: February 27, 2006, 11:25:31 pm »

Other files were modified to incorporate bug fixes listed on the bugs board.  The documentation was also improved, notably with a more complete plugin section.

Download version 1.4.4 and you can do a "diff" with your current files to see the differences.  Or set up CVS on your computer so you can do updates with the Coppermine CVS: http://sourceforge.net/cvs/?group_id=89658.
lordprodigy
Coppermine frequent poster
« Reply #22 on: February 27, 2006, 11:38:07 pm »

Thanks. Will do that. But in the meantime the hotfix should be OK, right?

Paver
Dev Team member
Paul Van Rompay


« Reply #23 on: February 28, 2006, 12:32:38 am »

Yes, the hotfix described in this thread takes care of the only critical bug that must be fixed.
Goosemoose
Coppermine newbie

« Reply #24 on: February 28, 2006, 11:31:42 pm »

I think this illustrates the usefulness of an announcements RSS feed.  I have subscribed to this forum for now, but RSS is obviously the way forward.  It would be quite simple to hand-code a static RSS file for the purpose.  Please consider this...

RSS already exists in all SMF forums, though you can't narrow down which forum to see. I added the feed to my Google home page.
rbess
Coppermine newbie

« Reply #25 on: March 01, 2006, 05:48:58 am »

Have a question related to this situation. I performed the update recommended by my server by using Fantastico. This of course caused my settings to change and not allow an unregistered user to view my album. Clicking on the allow button would not work because the settings would not save, so I got on here to look for the answer. I saw your manual installation of the code and did that, which got my album back to public, however now I cannot log in on the admin page anymore. It appears that my login and password are gone or it's not looking for it in the right place. So which file does that code live in? Can I go back into that file and add my info without too much pain?

Thanks.
Paver
Dev Team member
Paul Van Rompay


« Reply #26 on: March 01, 2006, 06:33:09 am »

@rbess: You posted your support question on the upgrade board where it belongs.  Please do not double-post.  If you think your issues are related to this fix, reference it on your original post; don't post in both places.

At first glance, I cannot see how your problems are related to the fix described in this thread.  Regardless, please keep your support question in the appropriate thread so it can be tracked and resolved in an organized manner.
kuest
Coppermine newbie

« Reply #27 on: March 01, 2006, 10:09:24 pm »

Some lines above from the vulnerable point I find this:
"// Process theme selection if present in URI or in user profile
if (!empty($HTTP_GET_VARS['theme'])) {
    $USER['theme'] = $HTTP_GET_VARS['theme'];"

Isn't this the same problem of overtaking unproved "_GET[]"?

Logged
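kuest's question concerns a request value copied into $USER['theme'] without a check; the excerpt does not show how that value is used afterwards. As an added example (not Coppermine's code and not part of any post in this thread), one way to constrain such a value to the installed themes before it is stored. The function names, the themes/<name>/theme.php layout and the sample request values are assumptions made for the illustration.

```php
<?php
// Added example, not Coppermine code. All names here are hypothetical.

/** List installed themes: sub-directories of $themesDir holding a theme.php. */
function installed_themes(string $themesDir): array
{
    $themes = [];
    foreach (scandir($themesDir) ?: [] as $entry) {
        if ($entry[0] !== '.' && is_file("$themesDir/$entry/theme.php")) {
            $themes[] = $entry;
        }
    }
    return $themes;
}

/**
 * Accept a request-supplied theme name only if it is a plain identifier
 * AND names an installed theme; otherwise fall back to the default.
 */
function select_theme($requested, array $installed, string $default): string
{
    // Rejects arrays (?theme[]=x), path separators, dots, NUL bytes, newlines.
    if (!is_string($requested) || !preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $requested)) {
        return $default;
    }
    return in_array($requested, $installed, true) ? $requested : $default;
}

// Constructed sample layout so the example runs offline.
$themesDir = sys_get_temp_dir() . '/themes_demo_' . getmypid();
foreach (['classic', 'water_drop'] as $t) {
    @mkdir("$themesDir/$t", 0700, true);
    file_put_contents("$themesDir/$t/theme.php", "<?php // stub\n");
}
$installed = installed_themes($themesDir);

// Constructed values, standing in for what may arrive in the 'theme' parameter.
$samples = ['water_drop', '../other', "classic\0.jpg", ['x'], 'missing'];
foreach ($samples as $value) {
    printf("%-22s => %s\n", json_encode($value), select_theme($value, $installed, 'classic'));
}
```

Only the first sample is accepted as given; every other value resolves to the default theme.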
Joachim Müller
Administrator
aka "GauGau"


« Reply #28 on: March 03, 2006, 07:50:06 pm »

As this seems to cause confusion for some users: the fix mentioned in this thread has gone into cpg1.4.4. However, applying this patch to a cpg1.4.3 install doesn't make it a cpg1.4.4 gallery. There are a lot of other minor bug fixes that have gone into cpg1.4.4 as well.
Users should not only apply this patch, but actually upgrade to cpg1.4.4 as suggested in the upgrade section of the docs that come with the new package.
Joachim Müller
Administrator
aka "GauGau"


« Reply #29 on: March 15, 2006, 06:18:40 pm »

Split unrelated reply to this announcement thread into a separate thread, "cpg1.4 upgrading":
http://forum.coppermine-gallery.net/index.php?topic=29192.0

From now on, all unrelated replies and individual support requests to this thread will get deleted without further notice, the posters will be banned for a week.