forum.coppermine-gallery.net

No Support => Announcements => Topic started by: Αndré on March 29, 2012, 02:20:35 pm

Title: cpg1.5.20 Security release - upgrade mandatory!
Post by: Αndré on March 29, 2012, 02:20:35 pm
The Coppermine development team is releasing a security update for Coppermine in order to counter a recently discovered vulnerability. It is important that all users who run version cpg1.5.18 or older update to this latest version as soon as possible.

How to update:
Users running versions prior to 1.5.20 should update immediately by downloading (https://sourceforge.net/projects/coppermine/files/Coppermine/1.5.x/cpg1.5.20.zip/download) the latest version from the download page (http://sourceforge.net/project/showfiles.php?group_id=89658) and following the upgrade steps in the documentation (http://documentation.coppermine-gallery.net/en/upgrading.htm).

Support:
If you have problems with this update, please use the Update support board (http://forum.coppermine-gallery.net/index.php?board=90.0). Do not post your issues to this announcement thread - your post will be deleted without notice.

Why was cpg1.5.20 released?
The release covers several path disclosure vulnerabilities. If unpatched, it's possible to generate an error that will reveal the full path of the script. A remote user can determine the full path to the web root directory and other potentially sensitive information.
Furthermore, the release covers a recently discovered XSS vulnerability that allows (if unpatched) a malevolent visitor to include own script routines under certain conditions.

Additionally, cpg1.5.20 includes fixes for the following non-security related issues:

Thanks to Janek Vind (http://forum.coppermine-gallery.net/index.php?action=profile;u=50977) for discovering the vulnerability.


The Coppermine Team
Title: Re: cpg1.5.20 Security release - upgrade mandatory!
Post by: PLEG54 on March 29, 2012, 07:31:08 pm
Hello André,

there is a mistake into the file /include/picmgmt.inc.php at line 18 :
not "iif (!defined('IN_COPPERMINE')) die('Not in Coppermine...');"
but "if (!defined('IN_COPPERMINE')) die('Not in Coppermine...');"

Best regards,
PLEG54
Title: Re: cpg1.5.20 Security release - upgrade mandatory!
Post by: Αndré on March 29, 2012, 08:57:27 pm
What an annoying typo :o I'll fix it and update the package accordingly. Package updated.

Thanks for the report.