
Maintenance release: cpg1.3.5 fixes XSS vulnerability *MUST READ*


Joachim Müller:
An XSS vulnerability has been found in the language selector. Everybody who runs coppermine (any version older than cpg1.3.5) will have to apply this security fix as soon as possible.

We have released a brand new package of the stable branch (cpg1.3.x) named "cpg1.3.5" that contains the above mentioned fix, plus some fixes of minor issues:
Download cpg1.3.5.
The vulnerability existed in the devel code (cpg1.4.x) as well, that's why users who are testing the devel version are strongly encouraged to update their version as well (doing a CVS checkout).


Experienced users who don't want to do the upgrade (because their coppermine install is heavily modified) can apply the fix manually as well (instead of doing the recommended upgrade to cpg1.3.5).

Instructions for manual fix:
In init.inc.php:

Replace

--- Code: ---$HTML_SUBST = array('"' => '&quot;', '<' => '&lt;', '>' => '&gt;');

--- End code ---

with

--- Code: ---$HTML_SUBST = array('&' => '&amp;', '"' => '&quot;', '<' => '&lt;', '>' => '&gt;', '%26' => '&amp;', '%22' => '&quot;', '%3C' => '&lt;', '%3E' => '&gt;');

--- End code ---

Replace

--- Code: ---if (is_array($HTTP_GET_VARS)) {
        foreach ($HTTP_GET_VARS as $key => $value) {
            $HTTP_GET_VARS[$key] = strtr(stripslashes($value), $HTML_SUBST);
            if (isset($$key)) unset($$key);
        }
    }

--- End code ---

with

--- Code: ---if (is_array($HTTP_GET_VARS)) {
        foreach ($HTTP_GET_VARS as $key => $value) {
            unset($HTTP_GET_VARS[$key]);
            $HTTP_GET_VARS[strtr(stripslashes($key), $HTML_SUBST)] = strtr(stripslashes($value), $HTML_SUBST);
            if (isset($$key)) unset($$key);
        }
    }

--- End code ---

Add

--- Code: ---/**
     * Sanitize $_GET also, as we have used it in many places
     */
    if (is_array($_GET)) {
        foreach ($_GET as $key => $value) {
            unset($_GET[$key]);
            $_GET[strtr(stripslashes($key), $HTML_SUBST)] = strtr(stripslashes($value), $HTML_SUBST);
            if (isset($$key)) unset($$key);
        }
    }

--- End code ---

after

--- Code: ---if (is_array($HTTP_GET_VARS)) {
        foreach ($HTTP_GET_VARS as $key => $value) {
            unset($HTTP_GET_VARS[$key]);
            $HTTP_GET_VARS[strtr(stripslashes($key), $HTML_SUBST)] = strtr(stripslashes($value), $HTML_SUBST);
            if (isset($$key)) unset($$key);
        }
    }

--- End code ---


Joachim
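To see what the manual fix above changes, here is an added example (not code from the Coppermine package or from the post) that runs the pre-1.3.5 and the 1.3.5 sanitisation side by side over a constructed $_GET array. The two $HTML_SUBST tables are copied from the post; the function names sanitize_old(), sanitize_new() and rebuild_query(), and the sample parameters, are assumptions made for the demonstration.

```php
<?php
// Added example, not part of the Coppermine package or of the post above.
// Compares the pre-1.3.5 GET sanitisation (values only) with the 1.3.5
// version (keys and values), using the two substitution tables from the post.

// Table used before cpg1.3.5 (copied from the post).
$HTML_SUBST_OLD = array('"' => '&quot;', '<' => '&lt;', '>' => '&gt;');

// Table shipped with cpg1.3.5 (copied from the post). The '%xx' entries catch
// input that is still URL-encoded after PHP has decoded one layer, e.g. a
// double-encoded %253C that arrives in $_GET as %3C.
$HTML_SUBST_NEW = array('&' => '&amp;', '"' => '&quot;', '<' => '&lt;', '>' => '&gt;',
                        '%26' => '&amp;', '%22' => '&quot;', '%3C' => '&lt;', '%3E' => '&gt;');

// Pre-1.3.5 behaviour (assumed name): only the values are escaped, the
// parameter names are left exactly as the client sent them.
function sanitize_old(array $get, array $subst) {
    foreach ($get as $key => $value) {
        $get[$key] = strtr(stripslashes($value), $subst);
    }
    return $get;
}

// 1.3.5 behaviour (assumed name): the raw key is removed and the entry is
// stored again under its escaped name, with the escaped value.
// foreach iterates over a snapshot of the array, so the unset/re-add inside
// the loop does not disturb the iteration.
function sanitize_new(array $get, array $subst) {
    foreach ($get as $key => $value) {
        unset($get[$key]);
        $get[strtr(stripslashes($key), $subst)] = strtr(stripslashes($value), $subst);
    }
    return $get;
}

// Stand-in for code that rebuilds the current query string into an href
// (a language selector needs to carry the current parameters over to the
// link for each language). Anything left unescaped in a key lands in HTML.
function rebuild_query(array $get) {
    $parts = array();
    foreach ($get as $k => $v) {
        $parts[] = $k . '=' . $v;
    }
    return implode('&amp;', $parts);
}

// Constructed sample: what $_GET holds after PHP has URL-decoded the request
//   ?lang=english&<script>alert(1)</script>=x&title=%253Cb%253Ehi
// PHP keeps '<', '>', '(' and ')' in parameter names, so the hostile key
// survives URL parsing unchanged; the title value is still encoded one layer.
$sample = array(
    'lang'                      => 'english',
    '<script>alert(1)</script>' => 'x',
    'title'                     => '%3Cb%3Ehi',
);

$old = sanitize_old($sample, $HTML_SUBST_OLD);
$new = sanitize_new($sample, $HTML_SUBST_NEW);

echo "pre-1.3.5: " . rebuild_query($old) . "\n";
echo "cpg1.3.5:  " . rebuild_query($new) . "\n";
```

Run it with `php` on the command line. In the first line the raw `<script>` tag is still present as a parameter name, because the old loop only ever touched `$HTTP_GET_VARS[$key]` and never `$key` itself; in the second line the name comes out as `&lt;script&gt;...` and the still-encoded `%3Cb%3E` in the value has become `&lt;b&gt;`. Two things worth knowing if you keep this approach in a modified install: escaping at input time rewrites legitimate `&` in values too, so anything that later re-uses a GET value outside HTML (a redirect URL, a database key) must take that into account, and if two raw keys escape to the same name the second overwrites the first.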

celeritycat:
I am running version 134. Can I just extract the init.inc.php from the zip file you posted and upload it to my include folder?
I am not that comfortable adding the code myself, but I also don't want to lose the changes I have now.

Joachim Müller:
As suggested above: there are a number of other minor fixes as well, so the recommended way would be to overwrite all coppermine core files with the ones from the package - please refer to the upgrade instructions that come with the package. However, if you feel like this is too much for you, you could just replace the file include/init.inc.php to address only the particular vulnerability that caused the maintenance release.

luchtzak:
Applied the update to version 1.3.5. Is it possible that coppermine runs faster now? I noticed faster page loads...

Joachim Müller:
I don't think so. There hasn't been removal or optimization of any queries or similar. Guess it's just coincidence, or it feels faster. Good to hear though that you're happy with it ;D.
