forum.coppermine-gallery.net

No Support => Announcements => Topic started by: Αndré on April 30, 2009, 08:29:58 am

Title: cpg1.4.22 Security release - upgrade mandatory!
Post by: Αndré on April 30, 2009, 08:29:58 am
The Coppermine development team is releasing a security update for Coppermine in order to counter a recently discovered vulnerability. It is important that all users who run version cpg1.4.21 or older update to this latest version as soon as possible.

How to update:
Users running versions prior to 1.4.22 should update immediately by downloading (http://downloads.sourceforge.net/coppermine/cpg1.4.22.zip) the latest version from the download page (http://sourceforge.net/project/showfiles.php?group_id=89658) and following the upgrade steps in the documentation (http://coppermine.svn.sourceforge.net/viewvc/coppermine/trunk/cpg1.4.x/docs/index.htm#upgrade). 
For those who want to apply the vulnerability fix manually to their Coppermine installation, open docs/showdoc.php and replace:
Code:
// harden against expolits: check the requested vars, replace illegal chars
$file = stripslashes($file);
$forbidden_chars = array("..", "/", "%", "<", ">", "$", "'", '"');
$file = str_replace($forbidden_chars, '', $file);
with the following lines:
Code:
// harden against expolits: check the requested vars, replace illegal chars
$file = stripslashes($file);
$forbidden_chars = array("..", "/", "%", "<", ">", "$", "'", '"');
$file = str_replace($forbidden_chars, '', $file);
$add_stylesheet = str_replace($forbidden_chars, '', $add_stylesheet);

Support:
If you have problems with this update, please use the Update support board (http://forum.coppermine-gallery.net/index.php?board=59.0). Do not post your issues to this announcement thread - your post will be deleted without notice.

Why was cpg1.4.22 released?
The release covers a recently discovered vulnerability that allows (if unpatched) a user to launch an XSS attack (http://en.wikipedia.org/wiki/Cross-site_scripting) (thread (http://forum.coppermine-gallery.net/index.php/topic,59237.0.html)).

Additionally, cpg1.4.22 includes fixes for the following non-security related issues:

Thanks to Gerendi Sandor Attila (http://forum.coppermine-gallery.net/index.php?action=profile;u=66021) who discovered the vulnerability and Nibbler (http://forum.coppermine-gallery.net/index.php?action=profile;u=941) for coming up with the fix.


Thanks,
The Coppermine Team
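
A way to confirm that a copy of docs/showdoc.php carries the manual fix quoted in the announcement above, as an added example that is not part of the original post or of Coppermine's code. The function name, result labels and sample strings are constructed for illustration; the scan is a text heuristic over the PHP source and does not execute it.

```python
import re
import sys

# Strings are matched first so "//" or "#" inside a literal is not mistaken
# for a comment; only real comments are blanked out.
TOKEN_RE = re.compile(r"""
    '(?:\\.|[^'\\])*' | "(?:\\.|[^"\\])*"   # quoted strings (kept)
  | //[^\n]* | \#[^\n]* | /\*.*?\*/         # line and block comments (dropped)
""", re.S | re.X)

# Existing $file filter: identifies the block the announcement quotes.
FILTER_RE = re.compile(r"\$file\s*=\s*str_replace\s*\(\s*\$forbidden_chars\s*,")
# Statement the fix adds; spacing and quote style may differ after hand edits.
FIX_RE = re.compile(
    r"""\$add_stylesheet\s*=\s*str_replace\s*\(\s*\$forbidden_chars\s*,"""
    r"""\s*(?:''|"")\s*,\s*\$add_stylesheet\s*\)\s*;"""
)

def strip_comments(php_source):
    """Blank out PHP comments so a commented-out fix is not counted."""
    keep = lambda m: m.group(0) if m.group(0)[0] in "'\"" else " "
    return TOKEN_RE.sub(keep, php_source)

def check_showdoc(php_source):
    """Return 'patched', 'unpatched' or 'unrecognized' for showdoc.php text."""
    code = strip_comments(php_source)
    if not FILTER_RE.search(code):
        return "unrecognized"  # not the filter block shown in the post
    return "patched" if FIX_RE.search(code) else "unpatched"

# Constructed samples: the "replace" and "with" snippets from the post.
BEFORE = """// harden against expolits: check the requested vars, replace illegal chars
$file = stripslashes($file);
$forbidden_chars = array("..", "/", "%", "<", ">", "$", "'", '"');
$file = str_replace($forbidden_chars, '', $file);
"""
FIX_LINE = "$add_stylesheet = str_replace($forbidden_chars, '', $add_stylesheet);\n"
AFTER = BEFORE + FIX_LINE

if __name__ == "__main__":
    if len(sys.argv) > 1:  # usage: python check_showdoc.py path/to/docs/showdoc.php
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            print(sys.argv[1], check_showdoc(fh.read()))
    else:
        print("before:", check_showdoc(BEFORE), "| after:", check_showdoc(AFTER))
```

An "unrecognized" result means the file does not contain the filter block quoted in the post, so it should be compared against the cpg1.4.22 package by hand.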
Title: Re: cpg1.4.22 Security release - upgrade mandatory!
Post by: François Keller on May 01, 2009, 06:40:09 pm
French translation and announcements here: http://forum.coppermine-gallery.net/index.php/topic,59271.0.html