Print

[Nibbler]

Coppermine 1.4.10 - Security release.

The development team is releasing a security update for Coppermine in order to counter a recently announced vulnerability that can lead to disclosure of sensitive information. It is important that all users update to this latest version as soon as possible.

To correct the security issue manually, you can apply a fix to picmgr.php. Please note that applying the manual fix will keep you secure, but it is not a substitute for updating your gallery fully.

Find

Code: [Select]

$aid = isset($_GET['aid']) ? ($_GET['aid']) : 0;
Change to

Code: [Select]

$aid = isset($_GET['aid']) ? (int) $_GET['aid'] : 0;

This issue does not affect versions of Coppermine prior to 1.4, however we encourage all users to update to this latest version.


The following issues have been addressed in this release:

• Removal of SQL injection vulnerability (as mentioned above)
• Removal of unused file include/exifReader.inc.php
• Addition of missing checks for email address validity and duplicate email addresses in profile page.
• Some minor MySQL5 issues
• Pictures awaiting approval are no longer found using the search feature.
• Corrected some issues with html entities appearing in emails
• Corrected flaw in search logic
• Added Indonesian language file (user contribution)
• Updated Brazilian language file (user contribution)
• Pagination issues corrrected
• Fix for video playback in IE

To update any version of Coppermine to version 1.4.10, download the latest version from the download page and follow the upgrade steps in the documentation.

If you have problems with this update, please use the Update support board. Do not post your issues to this announcement thread - they will be deleted without notice.


Nibbler.
Coppermine Dev Team.

[alexyo]

hi guys
You have a terrific tool
Why not replace only the picmgr.php file from one version to the other ?
regards

[Joachim Müller]

because other things have been addresses as well, as suggested in the announcement!

[web123]

I am using ver 1.3 and cannot see the picmgr.php file.

The gallery keeps getting hacked and the web host keeps shutting it down. What should I do? If I upgrade to the newer version, does it remove all the existing images and settings etc?

This has been one big headache!

[TranzNDance]

Upgrading does not affect images, and it shouldn't adversely affect core settings. It definitely does not reset the settings to default. You should still do a backup of files and database before the upgrade as a precaution.

[Joachim Müller]

If you have problems with this update, please use the Update support board. Do not post your issues to this announcement thread - they will be deleted without notice.

Any particular reason for not reading this thread and doing as suggested? Don't force us to lock announcement threads. Stay out of this thread!