Advanced search  

News:

cpg1.5.42 maintenance release - upgrade recommended
The Coppermine development team is releasing an update for Coppermine in order to fix several minor issues. All fixes are not security critical, so if your gallery is running fine with cpg1.5.36, cpg1.5.38 or cpg1.5.40 you don't need to upgrade. If you are running an older version than cpg1.5.36, you must update to this latest version as soon as possible because of the security impact!
[more]

Pages: [1]   Go Down

Author Topic: cpg1.4.17 Security release - upgrade absolutely mandatory!  (Read 61504 times)

0 Members and 1 Guest are viewing this topic.

SaWey

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 1119
    • SaWey.be
cpg1.4.17 Security release - upgrade absolutely mandatory!
« on: April 11, 2008, 12:17:55 AM »

The development team is releasing a security update for Coppermine in order to counter a recently discovered sql injection vulnerability. It is important that all users who run version cpg1.4.16 or older update to this latest version as soon as possible.

To correct the security issue manually, you can apply the fix mentioned below. Please note that applying the manual fix will keep you secure, but it is not a substitute for updating your gallery fully, as there are several other non-security related fixes that went into cpg1.4.17 as well.

Manual fix (not recommended):
To manually fix the vulnerability, edit upload.php, find
Code: [Select]
                } else {
                    // We will try to get the extension from the database.
                    $MIME_result = cpg_db_query("SELECT extension FROM {$CONFIG['TABLE_FILETYPES']} WHERE mime='$URI_MIME_type'");

                    // Check to see if any results were returned.
                    if (!mysql_num_rows($MIME_result)) {

                        // No results, so free up the resources.
                        mysql_free_result($MIME_result);

                        // We cannot determine an extension from the MIME type provided, so note an error. Reject the file as unsafe.
                        $URI_failure_array[] = array( 'failure_ordinal'=>$failure_ordinal, 'URI_name'=> $_POST['URI_array'][$counter], 'error_code'=>$lang_upload_php['MIME_type_unknown']);

                        // There is no need for further tests or action, so skip the remainder of the iteration.
                        continue;

                    } else {

                        // The was a result. Fetch it.
                        $extension_data = mysql_fetch_array($MIME_result);

                        // Release the resources.
                        mysql_free_result($MIME_result);

                        // Store the extension in $extension.
                        $extension = $extension_data['extension'];
                    }

                }

and replace with
Code: [Select]
                } else {
               
                $extension = '';
               
                foreach ($FILE_TYPES as $ext => $typedata){
               
                if ($typedata['mime'] == $URI_MIME_type){
                // Store the extension in $extension.
                $extension = $ext;
                break;
                }
               
                }
               
                if (!$extension){
               
                // We cannot determine an extension from the MIME type provided, so note an error. Reject the file as unsafe.
                $URI_failure_array[] = array( 'failure_ordinal'=>$failure_ordinal, 'URI_name'=> $_POST['URI_array'][$counter], 'error_code'=>$lang_upload_php['MIME_type_unknown']);
 
                // There is no need for further tests or action, so skip the remainder of the iteration.
                continue;
             
                }

                }


The following issues have been addressed in this release (changelog excerpt):
  • 2008-04-10 Release of cpg1.4.17 {GauGau}
  • 2008-04-10 Corrected an SQL injection vulnerability in URI upload code {Nibbler}
  • 2008-03-19 Added Welsh language file (user contribution) {Nibbler}
  • 2008-03-02 Updated version count from cpg1.4.16 to cpg1.4.17 in subversion repository as a preparation for a possible future release {GauGau}
  • 2008-02-29 Changed date formats in lang files for better windows compatibility {Nibbler}
  • 2008-02-12 Updated Romanian language file (user contribution) {GauGau}
  • 2008-02-07 Added Latvian language file (user contribution) {GauGau}
  • 2008-02-04 ImageMagick rotate bug fix {Nibbler}

How to update:
To update any version of Coppermine to version 1.4.17, download the latest version from the download page and follow the upgrade steps in the documentation.

If you have problems with this update, please use the Update support board. Do not post your issues to this announcement thread - they will be deleted without notice.

[UPDATE]

cpg1.4.17 is now outdated. Please upgrade to cpg1.4.18

[/UPDATE]

Thanks,
The Coppermine Team
« Last Edit: April 19, 2008, 11:02:10 AM by Abbas Ali »
Logged

Joachim Müller

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 47844
  • aka "GauGau"
    • gaugau.de
Re: cpg1.4.17 Security release - upgrade absolutely mandatory!
« Reply #1 on: April 11, 2008, 06:50:06 PM »

There already is an exploit in the wild that is using the vulnerabilites fixed in this release. It is absolutely mandatory that every coppermine user who is running an unpatched version (cpg1.4.16 or older) upgrades immediately. Don't postpone the upgrade - perform it now!

Do not reply to this announcement thread asking questions how to sanitize your gallery if you have already been infected.

There is a lengthy thread "Someone has Redirected my Site to cdpuvbhfzz.com-What do I do?" that shows that there are already a lot of infected galleries. I will try to come up with instructions there one how to clean an infected site, but don't expect this to be easy. You better upgrade now instead of being hacked.

Joachim Müller
- coppermine project manager -
Logged

Asbestos

  • Coppermine newbie
  • Offline Offline
  • Posts: 2
  • SEO
Re: cpg1.4.17 Security release - upgrade absolutely mandatory!
« Reply #2 on: August 17, 2008, 06:58:45 AM »

thanks!
Logged

François Keller

  • Dev Team member
  • Coppermine addict
  • ****
  • Country: fr
  • Offline Offline
  • Gender: Male
  • Posts: 9073
  • aka Frantz
    • Ma galerie
Re: cpg1.4.17 Security release - upgrade absolutely mandatory!
« Reply #3 on: August 17, 2008, 08:14:01 AM »

thanks!
Asbetos, the actual version is 1.4.19 !
Logged
Avez vous lu la DOC ? la FAQ ? et cherché sur le forum avant de poster ?
Did you read the DOC ? the FAQ ? and search the board before posting ?
Mon Blog
Pages: [1]   Go Up
 

Page created in 0.077 seconds with 19 queries.