Advanced search  

News:

CPG Release 1.6.26
Correct PHP8.2 issues with user and language managers.
Additional fixes for PHP 8.2
Correct PHP8 error with SMF 2.0 bridge.
Correct IPTC supplimental category parsing.
Download and info HERE

Pages: [1]   Go Down

Author Topic: cpg1.4.23 Security release - upgrade mandatory!  (Read 67549 times)

0 Members and 1 Guest are viewing this topic.

phill104

  • Administrator
  • Coppermine addict
  • *****
  • Country: gb
  • Offline Offline
  • Gender: Male
  • Posts: 4885
    • Windsurf.me
cpg1.4.23 Security release - upgrade mandatory!
« on: May 19, 2009, 11:57:31 pm »

The Coppermine development team is releasing a security update for Coppermine in order to counter a recently discovered vulnerability. It is important that all users who run version cpg1.4.22 or older update to this latest version as soon as possible.

How to update:
Users running versions prior to 1.4.23 should update immediately by downloading the latest version from the download page and following the upgrade steps in the documentation.

For those who want to apply the vulnerability fix manually (not recommended, this will fix the security issue only) to their Coppermine installation, the following files have been modified.

Open - ./include/init.inc.php

Find

Code: [Select]
if (ini_get('register_globals') == '1' || strtolower(ini_get('register_globals')) == 'on') {
    $register_globals_flag = true;
} else {
    $register_globals_flag = false;
}

and below it add


Code: [Select]
if (is_array($GLOBALS)) {
        foreach ($GLOBALS as $key => $value) {
                if (!in_array($key, $keysToSkip) && isset($$key) && $register_globals_flag) unset($$key);
        }
}

Open - ./db_input.php

Find

Code: [Select]
$password = $_POST['alb_password'];
and replace with

Code: [Select]
$password = addslashes($_POST['alb_password']);
Finally open ./displayecard.php

Find and remove completely the following.

Code: [Select]
// attempt to obtain full link from db if ecard logging enabled and min 12 chars of data is provided and only 1 match
if ((!is_array($data)) && $CONFIG['log_ecards'] && (strlen($_GET['data']) > 12)) {
        $result = cpg_db_query("SELECT link FROM {$CONFIG['TABLE_ECARDS']} WHERE link LIKE '{$_GET['data']}%'");
        if (mysql_num_rows($result) === 1) {
                $row = mysql_fetch_assoc($result);
                $data = @unserialize(@base64_decode($row['link']));
        }
}


Support:
If you have problems with this update, please use the Update support board. Do not post your issues to this announcement thread - your post will be deleted without notice.

Why was cpg1.4.23 released?
The release covers a recently discovered vulnerability that allows (if unpatched) a user to launch an SQL Injection (thread).

Additionally, cpg1.4.23 includes fixes for the following non-security related issues:
  • Add PHP 5.3 support to debugger
  • Added a warning message for admin if register_globals is on
  • Updated Italian language file (user contribution)

Thanks to Nibbler for coming up with the fix, and thanks to breath for informing us of the problem. Finally, thanks to girex for discovering the vulnerability and letting the public know.


Thanks,
The Coppermine Team
« Last Edit: May 22, 2009, 02:10:39 pm by eenemeenemuu »
Logged
It is a mistake to think you can solve any major problems just with potatoes.

François Keller

  • Dev Team member
  • Coppermine addict
  • ****
  • Country: fr
  • Offline Offline
  • Gender: Male
  • Posts: 9094
  • aka Frantz
    • Ma galerie
Re: cpg1.4.23 Security release - upgrade mandatory!
« Reply #1 on: May 21, 2009, 10:10:16 pm »

Announcement thread in french
Logged
Avez vous lu la DOC ? la FAQ ? et cherché sur le forum avant de poster ?
Did you read the DOC ? the FAQ ? and search the board before posting ?
Mon Blog

JustHer

  • Coppermine newbie
  • Offline Offline
  • Posts: 9
Re: cpg1.4.23 Security release - upgrade mandatory!
« Reply #2 on: May 22, 2009, 04:07:53 pm »

Download link isn't working for me...  ???
Logged

Αndré

  • Administrator
  • Coppermine addict
  • *****
  • Country: de
  • Offline Offline
  • Gender: Male
  • Posts: 15764
Re: cpg1.4.23 Security release - upgrade mandatory!
« Reply #3 on: May 22, 2009, 04:10:50 pm »

It's because sourceforge.net isn't currently available. Please try again later.
Logged

JustHer

  • Coppermine newbie
  • Offline Offline
  • Posts: 9
Re: cpg1.4.23 Security release - upgrade mandatory!
« Reply #4 on: May 22, 2009, 04:16:30 pm »

Ah okay, thanks! :) My galleries were all hacked, so I'm just eager to have it upgraded.

Cheers :)
Logged

JPiacentino

  • Coppermine newbie
  • Offline Offline
  • Posts: 1
Re: cpg1.4.23 Security release - upgrade mandatory!
« Reply #5 on: May 22, 2009, 04:33:49 pm »

Just tried to upgrade. Made it through the DB update stage, then it appears I am locked out.
Tried it twice. Then went back to 1.4.22 and all is working.

Never had this problem before.

What should I look for?

Joe P., Jr.
Logged

Fabricio Ferrero

  • Dev Team member
  • Coppermine addict
  • ****
  • Country: 00
  • Offline Offline
  • Gender: Male
  • Posts: 1996
  • From San Juan, Argentina, to the World!
    • http://fabricioferrero.com/
Re: cpg1.4.23 Security release - upgrade mandatory!
« Reply #6 on: May 22, 2009, 05:53:59 pm »

What should I look for?
Board rules in first place: Don't clutter announcement threads



Locking.
Logged
Read Docs and Search the Forum before posting. - Soporte en español
--*--
Fabricio Ferrero's Website

Catching up! :)

Joachim Müller

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 47843
  • aka "GauGau"
    • gaugau.de
Re: cpg1.4.23 Security release - upgrade mandatory!
« Reply #7 on: May 23, 2009, 04:27:56 pm »

What should I look for?
In fact, you should read the thread you're replying to:
If you have problems with this update, please use the Update support board. Do not post your issues to this announcement thread - your post will be deleted without notice.
Not reading the thread you're replying to just shows others that you're a lazy person. It gets less likely that supporters are willing to look into your issues. Why on earth does each and every announcement thread have to be locked because of silly people like you?
Logged
Pages: [1]   Go Up
 

Page created in 0.043 seconds with 19 queries.