
cpg1.3.3 released - upgrade strongly recommended


Joachim Müller:
The coppermine team has released a maintenance version of coppermine v1.3: cpg1.3.3 is the most recent stable version, and its use is strongly recommended. We originally planned to release cpg1.4.x pretty soon, but we were forced to publish the maintenance release first, because possible security issues that relate to cpg1.3.0, cpg1.3.1 and cpg1.3.2 have been discovered:
- Possible IP spoofing and XSS vulnerability, as posted on Bugtraq: Vulnerability in Coppermine Photo Gallery 1.3.
- (non-critical) MySQL injection issue

Coppermine 1.3.3 fixes other minor issues as well - as usual, it's the best coppermine version we could think of - and it's recommended for use in production environments.

There are instructions included in the package (in the docs folder) on how to upgrade existing installs, as well as fresh-install instructions - please read the documentation carefully.

Download cpg1.3.3

Joachim

Nibbler:
For those wishing to fix the XSS security issue without making a full update, here is the change that is required:

file: include/init.inc.php

find:


--- Code: ---// Record User's IP address
$raw_ip = stripslashes($HTTP_SERVER_VARS['REMOTE_ADDR']);

if (isset($HTTP_SERVER_VARS['HTTP_CLIENT_IP'])) {
    $hdr_ip = stripslashes($HTTP_SERVER_VARS['HTTP_CLIENT_IP']);
} else {
    if (isset($HTTP_SERVER_VARS['HTTP_X_FORWARDED_FOR'])) {
        $hdr_ip = stripslashes($HTTP_SERVER_VARS['HTTP_X_FORWARDED_FOR']);
    } else {
        $hdr_ip = $raw_ip;
    }
}

--- End code ---

and add after it the following 2 new lines:


--- Code: ---if (!preg_match('/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$/', $raw_ip)) $raw_ip = '0.0.0.0';
if (!preg_match('/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$/', $hdr_ip)) $hdr_ip = '0.0.0.0';

--- End code ---


Please note that a full update is preferable where possible as other issues are also addressed in this update.

Thank you.
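As an added example (not code from the Coppermine project or from Nibbler's post), here is the same IP-recording logic re-implemented in Python so the before/after behaviour can be run offline against constructed request headers. The dictionaries stand in for PHP's $HTTP_SERVER_VARS; the `is_ipv4_strict` helper is my own addition to show what the dotted-quad regex still lets through, and is not part of the patch.

```python
"""Added example, not Coppermine code: mirrors the IP-recording logic of
include/init.inc.php before and after the cpg1.3.3 change, with constructed
request data so it runs offline."""
import re

# The exact pattern from the patch (PHP's $ and Python's $ both match before a
# single trailing newline, so the two behave the same here).
IPV4_LOOSE = re.compile(r'^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$')


def record_ip_unpatched(server):
    """cpg1.3.0-1.3.2 behaviour: header-supplied values are used verbatim."""
    raw_ip = server.get('REMOTE_ADDR', '')
    if 'HTTP_CLIENT_IP' in server:
        hdr_ip = server['HTTP_CLIENT_IP']
    elif 'HTTP_X_FORWARDED_FOR' in server:
        hdr_ip = server['HTTP_X_FORWARDED_FOR']
    else:
        hdr_ip = raw_ip
    return raw_ip, hdr_ip


def record_ip_patched(server):
    """cpg1.3.3 behaviour: anything not shaped like a dotted quad becomes 0.0.0.0."""
    raw_ip, hdr_ip = record_ip_unpatched(server)
    if not IPV4_LOOSE.match(raw_ip):
        raw_ip = '0.0.0.0'
    if not IPV4_LOOSE.match(hdr_ip):
        hdr_ip = '0.0.0.0'
    return raw_ip, hdr_ip


def is_ipv4_strict(value):
    """Stricter check (my assumption, not in the patch): whole-string match
    with no trailing newline allowed, and every octet in 0-255."""
    if not re.fullmatch(r'[0-9]{1,3}(\.[0-9]{1,3}){3}', value):
        return False
    return all(0 <= int(octet) <= 255 for octet in value.split('.'))


# Constructed requests: a real socket address plus an attacker-supplied header.
XSS_REQUEST = {
    'REMOTE_ADDR': '203.0.113.7',
    'HTTP_X_FORWARDED_FOR': '<script>alert(1)</script>',
}
SPOOF_REQUEST = {
    'REMOTE_ADDR': '203.0.113.7',
    'HTTP_CLIENT_IP': '127.0.0.1',
}

if __name__ == '__main__':
    print('unpatched, XSS header :', record_ip_unpatched(XSS_REQUEST))
    print('patched,   XSS header :', record_ip_patched(XSS_REQUEST))
    print('patched,   spoofed IP :', record_ip_patched(SPOOF_REQUEST))
    for candidate in ('203.0.113.7', '999.0.0.1', '1.2.3.4\n'):
        print(repr(candidate), 'loose:', bool(IPV4_LOOSE.match(candidate)),
              'strict:', is_ipv4_strict(candidate))
```

Two things worth noting when applying the two-line fix by hand. First, the regex only constrains the shape of the string: a script tag in X-Forwarded-For is replaced by 0.0.0.0, but a client can still send any well-formed address such as 127.0.0.1 in HTTP_CLIENT_IP and it will be recorded as the header IP, so the change removes the markup injection vector rather than the spoofing of the logged address. Second, the pattern accepts octets above 255 and, because `$` without PCRE's D modifier matches before a trailing newline, a value like "1.2.3.4\n"; if the stored address feeds anything stricter than a log line, a full-string match with an octet range check is the safer validation.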

flog:
Thank you very much for this important message

Titooy:
Maybe you should change "Latest downloads ::." on the home page. It still points to cpg1.3.2

SaigonK:
What other fixes are there?
