Advanced search  

News:

cpg1.5.48 Security release - upgrade mandatory!
The Coppermine development team is releasing a security update for Coppermine in order to counter a recently discovered vulnerability. It is important that all users who run version cpg1.5.46 or older update to this latest version as soon as possible.
[more]

Pages: [1]   Go Down

Author Topic: Maintenance release cpg1.4.11 (security issue) - upgrade mandatory  (Read 89509 times)

0 Members and 2 Guests are viewing this topic.

Joachim Müller

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 47843
  • aka "GauGau"
    • gaugau.de

Coppermine 1.4.11 - Security release.

The development team is releasing a security update for Coppermine in order to counter a recently discovered mySQL vulnerability that can lead to disclosure of sensitive information. It is important that all users update to this latest version as soon as possible.

To correct the security issue manually, you can apply a fix to include/functions.inc.php. Please note that applying the manual fix will keep you secure, but it is not a substitute for updating your gallery fully, as there are several other non-security related fixes that went into cpg1.4.11 as well.

To manually fix the vulnerability, edit include/functions.inc.php (using a plain-text editor), find
Code: [Select]
           $aid_str = implode(",",array_keys($alb_pw));and replace with
Code: [Select]
          foreach($alb_pw as $aid => $value) {
            $aid_str .= (int)$aid . ",";
          }

          $aid_str = substr($aid_str, 0, -1);

The following issues have been addressed in this release:
  • 2007-06-28 Fixed a vulnerability where SQL injection was possible with array indices of album password cookie {Abbas}
  • 2007-03-30 Renamed default cookie name to version-independant name to avoid confusion for beginners {GauGau}
  • 2007-03-26 Added German version of the FAQ (user contribution, work in progress) {GauGau}
  • 2007-01-29 Correcting links {Nibbler}
  • 2007-01-24 Added Lithuanian translation (user contribution) {GauGau}
  • 2007-01-15 Added Arabic translation (user contribution) {GauGau}
  • 2007-01-14 Fixed situation in plugin api that caused bizarre plugin behavior when plugins called underlying plugin api hooks {Donnoman}
  • 2007-01-08 Fixed the vulnerability mentioned in topic 39943, though only admins could have exploited that. {Abbas}
  • 2006-12-28 Fixed garbage collection deleting special file "no_FTP-uploads_into_this_folder!" inside edit folder {GauGau}
  • 2006-12-28 Fixed bug in search by keyword {GauGau}
  • 2006-12-27 Updated copyright date {GauGau}
  • 2006-12-27 Small fix in background image of sub menu for project_vii {GauGau}
  • 2006-12-27 Updated zipdownload with more recent library to enable zip downloads for mac users {GauGau}
  • 2006-12-13 Fixed visibility of upload link for users disallowed public uploads, but allowed personal galleries {GauGau}
  • 2006-12-11 Replaced HTML entities with actual characters in Danish language file {GauGau}
  • 2006-12-06 Avoid attempting to send emails to admins who have no email address in profile. {Nibbler}
  • 2006-11-28 Added Hindi language file (user contribution) {GauGau}
  • 2006-11-27 Fixing redirect to file after new upload while bridged. {Nibbler}
  • 2006-11-17 Updated code in FAQ entry {Nibbler}
  • 2006-11-12 Fixed plugin api sleep and wake actions to be scoped correctly. {Donnoman}
  • 2006-11-09 Fixed display of hit stats link on displayimage {Nibbler}
  • 2006-11-09 Added Thai language (user contribution) {GauGau}

To update any version of Coppermine to version 1.4.11, download the latest version from the download page and follow the upgrade steps in the documentation.

If you have problems with this update, please use the Update support board. Do not post your issues to this announcement thread - they will be deleted without notice.

Joachim Müller (aka GauGau)
- Coppermine project manager -

tranzndance - update 2007-06-29: changed
Code: [Select]
$aid_str = (int)$aid . ","; to
Code: [Select]
$aid_str .= (int)$aid . ",";
« Last Edit: July 02, 2007, 06:09:35 pm by GauGau »
Logged

Makc666

  • Translator
  • Coppermine addict
  • **
  • Offline Offline
  • Gender: Male
  • Posts: 1614
  • Русский (ISO-8859-1) - Russian - Ðóññêèé (Windows)
    • Makc's home page
Re: Maintenance release cpg1.4.11 (security issue) - upgrade mandatory
« Reply #1 on: June 29, 2007, 01:10:16 pm »

All old versions/archives were packed this way:
Archive name: cpg1.4.8.zip -> Folder name inside: cpg148
Archive name: cpg1.4.9.zip -> Folder name inside: cpg149
Archive name: cpg1.4.10.zip -> Folder name inside: cpg1410

The new one is packed as:
Archive name: cpg1.4.11.zip -> Folder name inside: cpg1.4.11

I accustomed to old folder name inside.
Logged

luchtzak

  • Coppermine novice
  • *
  • Offline Offline
  • Posts: 36
    • Luchtzak Aviation
Re: Maintenance release cpg1.4.11 (security issue) - upgrade mandatory
« Reply #2 on: June 29, 2007, 11:11:52 pm »

Thanks for the update!

Makc666

  • Translator
  • Coppermine addict
  • **
  • Offline Offline
  • Gender: Male
  • Posts: 1614
  • Русский (ISO-8859-1) - Russian - Ðóññêèé (Windows)
    • Makc's home page
Re: Maintenance release cpg1.4.11 (security issue) - upgrade mandatory
« Reply #3 on: June 30, 2007, 11:41:18 pm »

tranzndance - update 2007-06-29: changed
Code: [Select]
$aid_str = (int)$aid . ","; to
Code: [Select]
$aid_str .= (int)$aid . ",";
This was a misprint in GauGau's post?
Or there were also an "error" in 1.4.11 archive and it was updated?
Logged

Tranz

  • Dev Team member
  • Coppermine addict
  • ****
  • Country: 00
  • Offline Offline
  • Gender: Female
  • Posts: 6149
Re: Maintenance release cpg1.4.11 (security issue) - upgrade mandatory
« Reply #4 on: July 01, 2007, 12:06:08 am »

It wasn't a typo on GauGau's part. It was the code at the time that he posted the message. This was discussed in a dev-only thread and the latter one was the correct version, and is also the one in the archive.
Logged

Nibbler

  • Guest
Re: Maintenance release cpg1.4.11 (security issue) - upgrade mandatory
« Reply #5 on: July 01, 2007, 12:22:07 am »

The archive contains the incorrect version since it was released prior to the fix being agreed upon by the dev team. If you have multiple password protected albums in your gallery then you need to fix the code in your copy by making the additional code change in TranzNDance's edit, ie.

Code: [Select]
$aid_str = (int)$aid . ","; to
Code: [Select]
$aid_str .= (int)$aid . ",";
Logged

Tranz

  • Dev Team member
  • Coppermine addict
  • ****
  • Country: 00
  • Offline Offline
  • Gender: Female
  • Posts: 6149
Re: Maintenance release cpg1.4.11 (security issue) - upgrade mandatory
« Reply #6 on: July 01, 2007, 12:35:24 am »

Oh, sorry for the confusion. I did my upgrade through svn so I had the correct version and figured that was in the archive.
Logged

isajade

  • Coppermine regular visitor
  • **
  • Offline Offline
  • Gender: Female
  • Posts: 67
Re: Maintenance release cpg1.4.11 (security issue) - upgrade mandatory
« Reply #7 on: July 02, 2007, 05:48:20 pm »

Does the archive contain the correct version now? Thank you.
Logged

Joachim Müller

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 47843
  • aka "GauGau"
    • gaugau.de
Re: Maintenance release cpg1.4.11 (security issue) - upgrade mandatory
« Reply #8 on: July 02, 2007, 05:55:53 pm »

No - once a package is released, the files within the archived don't get changed, even if they contain a bug. I'm currently packaging a new version, please stand by. Locking this thread now.
Logged
Pages: [1]   Go Up
 

Page created in 0.021 seconds with 20 queries.