The Coppermine development team is releasing a security update for Coppermine in order to counter a recently discovered vulnerability. It is important that all users who run version cpg1.5.16 or older update to this latest version as soon as possible.

How to update
Users running versions prior to 1.5.18 should update immediately by downloading the latest version from the download page and following the upgrade steps in the documentation.
If you have problems with this update, please use the Update support board. Do not post your issues to this announcement thread - your post will be deleted without notice.

Why was cpg1.5.18 released?
The release covers a path disclosure vulnerability. If unpatched, it's possible to generate an error that will reveal the full path of the script. A remote user can determine the full path to the web root directory and other potentially sensitive information.
Additionally, cpg1.5.18 includes fixes for the following non-security related issues:
- Added plugin hook 'upload_file_name'
- Add default values on 'onlinestats' installation to avoid weird dates right after plugin installation (thread)
- Updated Arabic language file (user contribution)
- Fixed simple upload process when users can just upload to their personal gallery (thread)
- Added upload button after each album name in album manager
- Added anchors on plugin manager
- Fixed infinite loop for delayed cookie issue workaround (thread)
- Disallow dots in cookie name (thread)
- Fixed issue with very big 'Max size for uploaded files' values (thread)
- Fixed album thumbnails for public albums in 'My gallery' view for regular users
- Fixed clickable keywords with spaces (thread)
- Fixed critical error for 'lasthits' meta album (thread)
- Fixed misleading error message when uploading files that exceed the file size limit with the simple upload form (thread)
- Added hidden feature "Create sub-directory named according to the album ID in users' upload directories during HTTP upload"
- Use selected album thumbnail for 'lastup' meta album (thread)
- Create user album in personal gallery when user is created via the user manager (thread)
- Added captcha for ecards feature (thread)
- Fixed a potential path disclosure vulnerability in core plugin configuration files
- Updated date/time formats in English (British) language file (thread)
- Updated header information to reflect new year
The Coppermine Team