Support => Older/other versions => cpg1.3.x Support => Topic started by: Paver on June 11, 2006, 07:00:56 am

Title: HOTFIX for Apache's RAR/PHP Vulnerability - IMPORTANT!
Post by: Paver on June 11, 2006, 07:00:56 am
There is a very serious vulnerability in the Apache webserver that is actually a "feature" which can be helpful for some people, but can also expose many people to a security breach, the current one being the "Apache RAR Exploit".  Your Coppermine gallery and any other PHP applications that allow uploads are open to abuse unless each application addresses this vulnerability/feature of Apache's processing of PHP files.

Read more about it here:
Coppermine-driven galleries hit by RAR exploit

Coppermine 1.4.6 was the first release to address this, and versions after this include the fix as well:
Maintenance release CPG1.4.6 protects against Apache's .rar vulnerability

You are strongly recommended to upgrade to the current version, as of this writing, 1.4.8.  We remind you that support for the 1.3.x series is running out.  Upgrading is clearly detailed in the documentation, along with upgrading any custom 1.3 themes.  Most of the popular 1.3 themes have been converted to the 1.4 theme system.  In addition, the new plugin system in 1.4 allows added features to the Coppermine core *without* hacking the scripts as was necessary in the 1.3.x series.  Many plugins are being written and are starting to replace popular hacks/mods.

Please consider performing an upgrade to your 1.3 gallery soon!

Unless you upgrade immediately, you are strongly recommended to apply the following hotfix to your 1.3 gallery to remove the exposure of your gallery to the currently popular "RAR Exploit", which allows someone to inject code into your site and do lots of nasty things.

Attached to this post is a ZIP file containing the hotfix.  Read the file "HOTFIX_readme.txt" and follow the instructions.  If you have questions or problems, reply to this post.
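
Added example, not part of the original post or of the hotfix ZIP: a small audit that lists files in an upload directory whose names carry a PHP-type extension anywhere before the final one (such as `name.php.rar`), which Apache's mod_mime can still hand to the PHP handler because it considers every dot-separated extension in a filename. The function name, the extension list and the directory argument are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not Coppermine code): audit an upload directory for
# multi-extension names that Apache may treat as PHP.
#
# Assumed extension list: php, php<digit>, phtml, phps. Adjust it to the
# AddHandler/AddType lines of your own Apache configuration.
# Files that merely END in .php (e.g. an index.php placeholder) are not listed;
# this check targets a PHP extension followed by a further extension.

# scan_uploads DIR
#   Prints one path per line for every regular file under DIR whose basename
#   contains ".php.", ".php5.", ".phtml." or ".phps." (case-insensitive).
#   Returns 2 if DIR is not a directory.
scan_uploads() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 2; }
    # find hands the paths to a child shell as arguments, so names with
    # spaces are handled without any word splitting.
    find "$1" -type f -exec sh -c '
        for path do
            case "${path##*/}" in
                *.[pP][hH][pP].*|\
                *.[pP][hH][pP][0-9].*|\
                *.[pP][hH][tT][mM][lL].*|\
                *.[pP][hH][pP][sS].*)
                    printf "%s\n" "$path" ;;
            esac
        done' sh {} +
}

# Stand-alone use: sh scan_uploads.sh /path/to/upload/directory
# (the path is whatever directory your gallery stores uploads in).
if [ "$#" -gt 0 ]; then
    scan_uploads "$1"
fi
```

Any path it prints deserves a manual look before and after applying the hotfix or upgrading; an empty result only means no file matches this naming pattern.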