Coppermine 1.4.11 - Security release.
The development team is releasing a security update for Coppermine in order to counter a recently discovered mySQL vulnerability that can lead to disclosure of sensitive information. It is important that all users update to this latest version as soon as possible.
To correct the security issue manually, you can apply a fix to include/functions.inc.php. Please note that applying the manual fix will keep you secure, but it is not a substitute for updating your gallery fully, as there are several other non-security related fixes that went into cpg1.4.11 as well.
To manually fix the vulnerability, edit include/functions.inc.php (using a plain-text editor), find
$aid_str = implode(",",array_keys($alb_pw));
and replace with
foreach($alb_pw as $aid => $value) {
$aid_str .= (int)$aid . ",";
}
$aid_str = substr($aid_str, 0, -1);
The following issues have been addressed in this release:
- 2007-06-28 Fixed a vulnerability where SQL injection was possible with array indices of album password cookie {Abbas}
- 2007-03-30 Renamed default cookie name to version-independant name to avoid confusion for beginners {GauGau}
- 2007-03-26 Added German version of the FAQ (user contribution, work in progress) {GauGau}
- 2007-01-29 Correcting links {Nibbler}
- 2007-01-24 Added Lithuanian translation (user contribution) {GauGau}
- 2007-01-15 Added Arabic translation (user contribution) {GauGau}
- 2007-01-14 Fixed situation in plugin api that caused bizarre plugin behavior when plugins called underlying plugin api hooks {Donnoman}
- 2007-01-08 Fixed the vulnerability mentioned in topic 39943, though only admins could have exploited that. {Abbas}
- 2006-12-28 Fixed garbage collection deleting special file "no_FTP-uploads_into_this_folder!" inside edit folder {GauGau}
- 2006-12-28 Fixed bug in search by keyword {GauGau}
- 2006-12-27 Updated copyright date {GauGau}
- 2006-12-27 Small fix in background image of sub menu for project_vii {GauGau}
- 2006-12-27 Updated zipdownload with more recent library to enable zip downloads for mac users {GauGau}
- 2006-12-13 Fixed visibility of upload link for users disallowed public uploads, but allowed personal galleries {GauGau}
- 2006-12-11 Replaced HTML entities with actual characters in Danish language file {GauGau}
- 2006-12-06 Avoid attempting to send emails to admins who have no email address in profile. {Nibbler}
- 2006-11-28 Added Hindi language file (user contribution) {GauGau}
- 2006-11-27 Fixing redirect to file after new upload while bridged. {Nibbler}
- 2006-11-17 Updated code in FAQ entry {Nibbler}
- 2006-11-12 Fixed plugin api sleep and wake actions to be scoped correctly. {Donnoman}
- 2006-11-09 Fixed display of hit stats link on displayimage {Nibbler}
- 2006-11-09 Added Thai language (user contribution) {GauGau}
To update any version of Coppermine to version 1.4.11,
download the latest version from the
download page and follow the
upgrade steps in the documentation.
If you have problems with this update, please use the
Update support board. Do not post your issues to this announcement thread - they will be deleted without notice.
Joachim Müller (aka GauGau)
- Coppermine project manager -
tranzndance - update 2007-06-29: changed
$aid_str = (int)$aid . ",";
to
$aid_str .= (int)$aid . ",";