
Topic: Patch for Coppermine 1.4.3 remote code execution - Update NOW!


lordprodigy

  • Coppermine frequent poster
  • Offline
  • Posts: 228
    • B514 ///
Re: Patch for Coppermine 1.4.3 remote code execution - Update NOW!
« Reply #20 on: February 28, 2006, 12:10:26 am »

I am using a modded 1.4.3. I would like to know which files were modified in the 1.4.4 release, so I can upgrade safely without losing all the mods. Will it be sufficient if I only apply the hotfix above? Thanks

Paver

  • Dev Team member
  • Coppermine addict
  • Country: us
  • Offline
  • Gender: Male
  • Posts: 1608
  • Paul Van Rompay
Re: Patch for Coppermine 1.4.3 remote code execution - Update NOW!
« Reply #21 on: February 28, 2006, 12:25:31 am »

Other files were modified to incorporate bug fixes listed on the bugs board.  The documentation was also improved, notably with a more complete plugin section.

Download version 1.4.4 and you can do a "diff" with your current files to see the differences.  Or set up CVS on your computer so you can do updates with the Coppermine CVS: http://sourceforge.net/cvs/?group_id=89658.

lordprodigy

  • Coppermine frequent poster
  • Offline
  • Posts: 228
    • B514 ///
Re: Patch for Coppermine 1.4.3 remote code execution - Update NOW!
« Reply #22 on: February 28, 2006, 12:38:07 am »

Thanks, will do that. But in the meantime the hotfix should be OK, right?

Paver

  • Dev Team member
  • Coppermine addict
  • Country: us
  • Offline
  • Gender: Male
  • Posts: 1608
  • Paul Van Rompay
Re: Patch for Coppermine 1.4.3 remote code execution - Update NOW!
« Reply #23 on: February 28, 2006, 01:32:38 am »

Yes, the hotfix described in this thread takes care of the only critical bug that must be fixed.

Goosemoose

  • Coppermine newbie
  • Offline
  • Posts: 13
Re: Patch for Coppermine 1.4.3 remote code execution - Update NOW!
« Reply #24 on: March 01, 2006, 12:31:42 am »

I think this illustrates the usefulness of an announcements RSS feed.  I have subscribed to this forum for now, but RSS is obviously the way forward.  It would be quite simple to hand-code a static RSS file for the purpose.  Please consider this...

RSS already exists in all SMF forums, though you can't narrow down which forum to see. I added the feed to my Google home page.

rbess

  • Coppermine newbie
  • Offline
  • Posts: 4
Re: Patch for Coppermine 1.4.3 remote code execution - Update NOW!
« Reply #25 on: March 01, 2006, 06:48:58 am »

Have a question related to this situation. I performed the update recommended by my server by using Fantastico. This of course caused my settings to change and not allow an unregistered user to view my album. Clicking on the allow button would not work because the settings would not save, so I got on here to look for the answer. I saw your manual installation of the code and did that, which got my album back to public; however, now I cannot log in on the admin page anymore. It appears that my login and password are gone or it's not looking for them in the right place. So which file does that code live in? Can I go back into that file and add my info without too much pain?

Thanks.

Paver

  • Dev Team member
  • Coppermine addict
  • Country: us
  • Offline
  • Gender: Male
  • Posts: 1608
  • Paul Van Rompay
Re: Patch for Coppermine 1.4.3 remote code execution - Update NOW!
« Reply #26 on: March 01, 2006, 07:33:09 am »

@rbess: You posted your support question on the upgrade board where it belongs.  Please do not double-post.  If you think your issues are related to this fix, reference it on your original post; don't post in both places.

At first glance, I cannot see how your problems are related to the fix described in this thread.  Regardless, please keep your support question in the appropriate thread so it can be tracked and resolved in an organized manner.

kuest

  • Coppermine newbie
  • Offline
  • Posts: 5
Re: Patch for Coppermine 1.4.3 remote code execution - Update NOW!
« Reply #27 on: March 01, 2006, 11:09:24 pm »

Some lines above the vulnerable point I find this:

// Process theme selection if present in URI or in user profile
if (!empty($HTTP_GET_VARS['theme'])) {
    $USER['theme'] = $HTTP_GET_VARS['theme'];

Isn't this the same problem of taking over an unchecked "_GET[]"?

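Whether the line kuest quotes is actually exploitable depends on what later code does with $USER['theme'], which this thread does not go into. As an added example (not Coppermine's code and not from any poster here), this is the defensive pattern the question points at: a theme name taken from the query string is accepted only if it is a plain token that matches an installed theme directory, and the configured default is used otherwise. The directory layout, the selectTheme and selfTest names and the sample $CONFIG value are assumptions made for the example.

```php
<?php
// Added example, not Coppermine code: accept a user-supplied theme name only
// if it is a plain directory name that exists under the themes directory,
// and fall back to the configured default otherwise.
//
// Hypothetical layout assumed here: themes live in <themesDir>/<name>/ and
// the default theme name is $CONFIG['theme'].

/**
 * Returns $requested when it is a safe, installed theme name, else $default.
 */
function selectTheme($requested, $themesDir, $default)
{
    // Reject anything that is not a string (e.g. ?theme[]=x) and any name
    // that is not a short token of letters, digits, underscore or hyphen.
    // That excludes path separators, "..", NUL bytes and encoded variants,
    // so the value can never steer a later include() or file read outside
    // the themes directory.
    if (!is_string($requested) || !preg_match('/^[A-Za-z0-9_-]{1,64}$/', $requested)) {
        return $default;
    }

    // Whitelist check: the name must be one of the real theme directories.
    $dirs = glob(rtrim($themesDir, '/') . '/*', GLOB_ONLYDIR);
    if ($dirs === false) {
        $dirs = array();
    }
    $available = array();
    foreach ($dirs as $dir) {
        $available[] = basename($dir);
    }
    return in_array($requested, $available, true) ? $requested : $default;
}

/**
 * Constructed self-check: builds two fake theme directories in a temp
 * folder and exercises the good and bad cases. Returns true on success.
 */
function selfTest()
{
    $tmp = sys_get_temp_dir() . '/theme_example_' . getmypid();
    mkdir($tmp . '/classic', 0700, true);
    mkdir($tmp . '/water_drop', 0700, true);

    $ok = selectTheme('water_drop', $tmp, 'classic') === 'water_drop' // valid, installed
       && selectTheme('nosuchtheme', $tmp, 'classic') === 'classic'    // not installed
       && selectTheme('../other', $tmp, 'classic') === 'classic'       // path separators
       && selectTheme("water_drop\0", $tmp, 'classic') === 'classic'   // NUL byte
       && selectTheme(array('x'), $tmp, 'classic') === 'classic';      // array, not a string

    rmdir($tmp . '/water_drop');
    rmdir($tmp . '/classic');
    rmdir($tmp);
    return $ok;
}

// Drop-in replacement for the quoted lines ($_GET instead of the old
// $HTTP_GET_VARS; the check is the same either way):
$CONFIG = array('theme' => 'classic');          // constructed sample config
$USER = array('theme' => $CONFIG['theme']);
if (!empty($_GET['theme'])) {
    $USER['theme'] = selectTheme($_GET['theme'], __DIR__ . '/themes', $CONFIG['theme']);
}

if (PHP_SAPI === 'cli') {
    echo selfTest() ? "theme validation checks passed\n" : "checks FAILED\n";
}
```

Run it from the command line to see the self-check; in a web request the last block is skipped and only the drop-in assignment runs. The two-step check (syntactic token, then membership in the real theme list) is deliberate: the regex alone would still accept a well-formed name that does not exist, and the directory listing alone would still pass a name with a path separator to the file system before the comparison.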

Joachim Müller

  • Dev Team member
  • Coppermine addict
  • Offline
  • Gender: Male
  • Posts: 47844
  • aka "GauGau"
    • gaugau.de
Re: Patch for Coppermine 1.4.3 remote code execution - Update NOW!
« Reply #28 on: March 03, 2006, 08:50:06 pm »

As this seems to cause confusion for some users: the fix mentioned in this thread has gone into cpg1.4.4. However, applying this patch to a cpg1.4.3 install doesn't make it a cpg1.4.4 gallery. A lot of other minor bug fixes have gone into cpg1.4.4 as well.
Users should not only apply this patch, but actually upgrade to cpg1.4.4 as suggested in the upgrade section of the docs that come with the new package.

Joachim Müller

  • Dev Team member
  • Coppermine addict
  • Offline
  • Gender: Male
  • Posts: 47844
  • aka "GauGau"
    • gaugau.de
MOVED: Re: Patch for Coppermine 1.4.3 remote code execution - Update NOW!
« Reply #29 on: March 15, 2006, 07:18:40 pm »

Split unrelated reply to this announcement thread into a separate thread: cpg1.4 upgrading.

http://forum.coppermine-gallery.net/index.php?topic=29192.0

From now on, all unrelated replies and individual support requests to this thread will get deleted without further notice, the posters will be banned for a week >:(.