
Author Topic: Security release cpg1.4.10 - upgrade mandatory  (Read 113375 times)


Nibbler

  • Guest
Security release cpg1.4.10 - upgrade mandatory
« on: October 29, 2006, 11:59:58 pm »

Coppermine 1.4.10 - Security release.

The development team is releasing a security update for Coppermine in order to counter a recently announced vulnerability that can lead to disclosure of sensitive information. It is important that all users update to this latest version as soon as possible.

To correct the security issue manually, you can apply a fix to picmgr.php. Please note that applying the manual fix will keep you secure, but it is not a substitute for updating your gallery fully.

Find

Code:
$aid = isset($_GET['aid']) ? ($_GET['aid']) : 0;

Change to

Code:
$aid = isset($_GET['aid']) ? (int) $_GET['aid'] : 0;

This issue does not affect versions of Coppermine prior to 1.4, however we encourage all users to update to this latest version.


The following issues have been addressed in this release:

  • Removal of SQL injection vulnerability (as mentioned above)
  • Removal of unused file include/exifReader.inc.php
  • Addition of missing checks for email address validity and duplicate email addresses in profile page.
  • Some minor MySQL5 issues
  • Pictures awaiting approval are no longer found using the search feature.
  • Corrected some issues with html entities appearing in emails
  • Corrected flaw in search logic
  • Added Indonesian language file (user contribution)
  • Updated Brazilian language file (user contribution)
  • Pagination issues corrected
  • Fix for video playback in IE


To update any version of Coppermine to version 1.4.10, download the latest version from the download page and follow the upgrade steps in the documentation.

If you have problems with this update, please use the Update support board. Do not post your issues to this announcement thread - they will be deleted without notice.


Nibbler.
Coppermine Dev Team.
« Last Edit: October 30, 2006, 02:39:11 am by Paver »
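The one-line fix above works because the value is only ever meant to be an album id: casting to integer before it reaches the SQL text discards anything that is not a leading number. The following is an added example, not code from the announcement or from the Coppermine code base; it uses an in-memory SQLite database through PDO and a hypothetical `pictures` table with constructed rows and column names, and it puts the pre-1.4.10 line, the fixed line, and a prepared-statement version side by side.

```php
<?php
// Added example (not Coppermine's own code). It contrasts an unchecked
// $_GET['aid'] interpolated into SQL with the same value after the (int)
// cast from the 1.4.10 fix, and with a bound parameter. The table
// "pictures" and its columns are constructed for this example only.

function build_where(array $get, bool $cast): string {
    // $cast=false reproduces the pre-1.4.10 line; $cast=true the fixed line.
    $aid = isset($get['aid']) ? ($cast ? (int) $get['aid'] : $get['aid']) : 0;
    return "WHERE aid = $aid";
}

function count_rows(PDO $db, string $where): int {
    try {
        return (int) $db->query("SELECT COUNT(*) FROM pictures $where")->fetchColumn();
    } catch (PDOException $e) {
        // A raw SQL error is what the unsafe build produces for non-numeric input.
        return -1;
    }
}

function count_rows_prepared(PDO $db, $aid): int {
    // Parameterised form: the value is bound as an integer and never becomes SQL text.
    $stmt = $db->prepare('SELECT COUNT(*) FROM pictures WHERE aid = :aid');
    $stmt->bindValue(':aid', (int) $aid, PDO::PARAM_INT);
    $stmt->execute();
    return (int) $stmt->fetchColumn();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE pictures (pid INTEGER PRIMARY KEY, aid INTEGER, approved INTEGER)');
// Constructed rows: two approved pictures in album 7, one unapproved picture in album 9.
$db->exec('INSERT INTO pictures VALUES (1, 7, 1), (2, 7, 1), (3, 9, 0)');

// Constructed request inputs: a normal album id, a tampered one, junk, and none at all.
$inputs = [
    'normal'   => ['aid' => '7'],
    'tampered' => ['aid' => '7 OR 1=1'],
    'garbage'  => ['aid' => 'abc'],
    'missing'  => [],
];

foreach ($inputs as $label => $get) {
    $unsafe = build_where($get, false);
    $fixed  = build_where($get, true);
    printf("%-8s unsafe: %-22s -> %2d rows | cast: %-14s -> %d rows | prepared: %d rows\n",
        $label,
        $unsafe, count_rows($db, $unsafe),
        $fixed,  count_rows($db, $fixed),
        count_rows_prepared($db, $get['aid'] ?? 0));
}
```

Run it with the PHP CLI (`php example.php`; it needs the `pdo_sqlite` extension). The tampered input matches every row, including the unapproved one, when the raw value is interpolated, and only the two album-7 rows after the cast; the junk input produces an SQL error in the unsafe build and simply becomes album 0 after the cast. The cast is a complete fix here only because `aid` is numeric by design; for values that legitimately contain text, the prepared-statement form is the one to use.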

alexyo

  • Coppermine newbie
  • Posts: 2
Re: Security release cpg1.4.10 - upgrade mandatory
« Reply #1 on: March 03, 2007, 12:08:42 pm »

hi guys
You have a terrific tool
Why not replace only the picmgr.php file from one version to the other ?
regards

Joachim Müller

  • Dev Team member
  • Coppermine addict
  • Gender: Male
  • Posts: 47843
  • aka "GauGau"
    • gaugau.de
Re: Security release cpg1.4.10 - upgrade mandatory
« Reply #2 on: March 03, 2007, 06:52:54 pm »

because other things have been addressed as well, as suggested in the announcement!

web123

  • Coppermine newbie
  • Posts: 1
Re: Security release cpg1.4.10 - upgrade mandatory
« Reply #3 on: June 04, 2007, 03:30:50 am »

I am using ver 1.3 and cannot see the picmgr.php file.

The gallery keeps getting hacked and the web host keeps shutting it down. What should I do? If I upgrade to the newer version, does it remove all the existing images and settings etc?

This has been one big headache!

Tranz

  • Dev Team member
  • Coppermine addict
  • Gender: Female
  • Posts: 6149
Re: Security release cpg1.4.10 - upgrade mandatory
« Reply #4 on: June 04, 2007, 03:49:06 am »

Upgrading does not affect images, and it shouldn't adversely affect core settings. It definitely does not reset the settings to default. You should still do a backup of files and database before the upgrade as a precaution.

Joachim Müller

  • Dev Team member
  • Coppermine addict
  • Gender: Male
  • Posts: 47843
  • aka "GauGau"
    • gaugau.de
Re: Security release cpg1.4.10 - upgrade mandatory
« Reply #5 on: June 04, 2007, 09:58:13 am »

If you have problems with this update, please use the Update support board. Do not post your issues to this announcement thread - they will be deleted without notice.
Any particular reason for not reading this thread and doing as suggested? Don't force us to lock announcement threads. Stay out of this thread!