Maintenance release cpg1.4.11 (security issue) - upgrade mandatory

[Joachim Müller]

Coppermine 1.4.11 - Security release.

The development team is releasing a security update for Coppermine in order to counter a recently discovered mySQL vulnerability that can lead to disclosure of sensitive information. It is important that all users update to this latest version as soon as possible.

To correct the security issue manually, you can apply a fix to include/functions.inc.php. Please note that applying the manual fix will keep you secure, but it is not a substitute for updating your gallery fully, as there are several other non-security related fixes that went into cpg1.4.11 as well.

To manually fix the vulnerability, edit include/functions.inc.php (using a plain-text editor), find

Code:

           $aid_str = implode(",",array_keys($alb_pw));

and replace with

Code:

          foreach($alb_pw as $aid => $value) {
            $aid_str .= (int)$aid . ",";
          }

          $aid_str = substr($aid_str, 0, -1);

The following issues have been addressed in this release:

• 2007-06-28 Fixed a vulnerability where SQL injection was possible with array indices of album password cookie {Abbas}
• 2007-03-30 Renamed default cookie name to version-independant name to avoid confusion for beginners {GauGau}
• 2007-03-26 Added German version of the FAQ (user contribution, work in progress) {GauGau}
• 2007-01-29 Correcting links {Nibbler}
• 2007-01-24 Added Lithuanian translation (user contribution) {GauGau}
• 2007-01-15 Added Arabic translation (user contribution) {GauGau}
• 2007-01-14 Fixed situation in plugin api that caused bizarre plugin behavior when plugins called underlying plugin api hooks {Donnoman}
• 2007-01-08 Fixed the vulnerability mentioned in topic 39943, though only admins could have exploited that. {Abbas}
• 2006-12-28 Fixed garbage collection deleting special file "no_FTP-uploads_into_this_folder!" inside edit folder {GauGau}
• 2006-12-28 Fixed bug in search by keyword {GauGau}
• 2006-12-27 Updated copyright date {GauGau}
• 2006-12-27 Small fix in background image of sub menu for project_vii {GauGau}
• 2006-12-27 Updated zipdownload with more recent library to enable zip downloads for mac users {GauGau}
• 2006-12-13 Fixed visibility of upload link for users disallowed public uploads, but allowed personal galleries {GauGau}
• 2006-12-11 Replaced HTML entities with actual characters in Danish language file {GauGau}
• 2006-12-06 Avoid attempting to send emails to admins who have no email address in profile. {Nibbler}
• 2006-11-28 Added Hindi language file (user contribution) {GauGau}
• 2006-11-27 Fixing redirect to file after new upload while bridged. {Nibbler}
• 2006-11-17 Updated code in FAQ entry {Nibbler}
• 2006-11-12 Fixed plugin api sleep and wake actions to be scoped correctly. {Donnoman}
• 2006-11-09 Fixed display of hit stats link on displayimage {Nibbler}
• 2006-11-09 Added Thai language (user contribution) {GauGau}

To update any version of Coppermine to version 1.4.11, download the latest version from the download page and follow the upgrade steps in the documentation.

If you have problems with this update, please use the Update support board. Do not post your issues to this announcement thread - they will be deleted without notice.

Joachim Müller (aka GauGau)
- Coppermine project manager -

tranzndance - update 2007-06-29: changed

Code:

$aid_str = (int)$aid . ",";

to

Code:

$aid_str .= (int)$aid . ",";

[Makc666]

All old versions/archives were packed this way:
Archive name: cpg1.4.8.zip -> Folder name inside: cpg148
Archive name: cpg1.4.9.zip -> Folder name inside: cpg149
Archive name: cpg1.4.10.zip -> Folder name inside: cpg1410

The new one is packed as:
Archive name: cpg1.4.11.zip -> Folder name inside: cpg1.4.11

I accustomed to old folder name inside.

[luchtzak]

Thanks for the update!

[Makc666]

tranzndance - update 2007-06-29: changed

Code:

$aid_str = (int)$aid . ",";

to

Code:

$aid_str .= (int)$aid . ",";

This was a misprint in GauGau's post?
Or there were also an "error" in 1.4.11 archive and it was updated?

[TranzNDance]

It wasn't a typo on GauGau's part. It was the code at the time that he posted the message. This was discussed in a dev-only thread and the latter one was the correct version, and is also the one in the archive.

[Nibbler]

The archive contains the incorrect version since it was released prior to the fix being agreed upon by the dev team. If you have multiple password protected albums in your gallery then you need to fix the code in your copy by making the additional code change in TranzNDance's edit, ie.

Code:

$aid_str = (int)$aid . ",";

to

Code:

$aid_str .= (int)$aid . ",";

[TranzNDance]

Oh, sorry for the confusion. I did my upgrade through svn so I had the correct version and figured that was in the archive.

[isajade]

Does the archive contain the correct version now? Thank you.

[Joachim Müller]

No - once a package is released, the files within the archived don't get changed, even if they contain a bug. I'm currently packaging a new version, please stand by. Locking this thread now.