Coppermine 1.4.14 - Security release.
The development team is releasing a security update for Coppermine in order to counter a recently discovered cross-site-scripting vulnerability. It is important that all users who run version cpg1.4.13 or older update to this latest version as soon as possible.
To correct the security issue manually, you can apply the fixes mentioned below. Please note that applying the manual fixes will keep you secure, but it is not a substitute for updating your gallery fully, as there are several other non-security related fixes that went into cpg1.4.14 as well.

Manual fix
To manually fix the vulnerability, edit displayecard.php, find
foreach($data as $key => $value) $data[$key] = html_entity_decode(strtr($value, $HTML_SUBST));
and replace with
foreach($data as $key => $value) $data[$key] = strtr($value, $HTML_SUBST);

The following issues have been addressed in this release (changelog excerpt):

How to update
To update any version of Coppermine to version 1.4.14, download the latest version from the download page and follow the upgrade steps in the documentation.
If you have problems with this update, please use the Update support board. Do not post your issues to this announcement thread - they will be deleted without notice.
Our thanks go to Nicolas Le Gland who reported the vulnerabilities and gave us the opportunity to prepare this release.
Joachim Müller (aka GauGau)
- Coppermine project manager -
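
The effect of the manual fix above, plus a check for whether a copy of displayecard.php still carries the old line, as an added example that is not Coppermine's own code. The contents of `$HTML_SUBST` are assumed here to be a map from HTML special characters to their entities; the function names and the sample data are hypothetical.

```php
<?php
// Added illustration; not Coppermine's code. $HTML_SUBST below is an ASSUMED
// stand-in: a map from HTML special characters to their entities.
$HTML_SUBST = array('&' => '&amp;', '"' => '&quot;', '<' => '&lt;', '>' => '&gt;');

// Line shipped up to cpg1.4.13: escape, then decode again.
function filter_before(array $data, array $subst) {
    foreach ($data as $key => $value) $data[$key] = html_entity_decode(strtr($value, $subst));
    return $data;
}

// Line from the manual fix: escape only.
function filter_after(array $data, array $subst) {
    foreach ($data as $key => $value) $data[$key] = strtr($value, $subst);
    return $data;
}

// Report whether a displayecard.php source still contains the pre-fix line.
// Whitespace is ignored so reformatted copies are still matched.
function ecard_patch_state($source) {
    $flat = preg_replace('/\s+/', '', $source);
    $old  = 'html_entity_decode(strtr($value,$HTML_SUBST))';
    $new  = '$data[$key]=strtr($value,$HTML_SUBST);';
    if (strpos($flat, $old) !== false) return 'vulnerable';
    if (strpos($flat, $new) !== false) return 'patched';
    return 'unknown';
}

// Constructed sample field carrying harmless markup.
$sample = array('message' => '<b>hello</b> & "goodbye"');

$before = filter_before($sample, $HTML_SUBST);
$after  = filter_after($sample, $HTML_SUBST);
echo "before fix: ", $before['message'], "\n";  // decode step restores the raw markup
echo "after fix:  ", $after['message'], "\n";   // markup stays entity-encoded

// Check a real file when a path is given on the command line.
if (isset($argv[1])) {
    $src = @file_get_contents($argv[1]);
    echo $argv[1], ": ", $src === false ? 'unreadable' : ecard_patch_state($src), "\n";
}
```

Run it from the command line with the path to displayecard.php as the only argument; a result of "unknown" means neither line was found and the file should be compared against the 1.4.14 package by hand.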