Topic: Maintenance release cpg1.4.13 (security-related) - upgrade mandatory
Joachim Müller Topic starter
« on: September 13, 2007, 05:20:33 pm »

Coppermine 1.4.13 - Security release.

The development team is releasing a security update for Coppermine in order to counter a recently discovered cross-site-scripting vulnerability. It is important that all users who run version cpg1.4.12 or older update to this latest version as soon as possible.

To correct the security issue manually, you can apply the fixes mentioned below. Please note that applying the manual fixes will keep you secure, but it is not a substitute for updating your gallery fully, as there are several other non-security related fixes that went into cpg1.4.13 as well.

Manual fixes (not recommended):
To manually fix the vulnerability, edit include/init.inc.php, find
Code:
/**
* CPGPluginAPI::action('page_start',null)
and add before it (on a new line)
Code:
// If referer is set in URL and it contains 'http' or 'script' texts then set it to 'index.php' script
if (isset($_GET['referer'])) {
        if (preg_match('/((\%3C)|<)[^\n]+((\%3E)|>)|(.*http.*)|(.*script.*)/i', $_GET['referer'])) {
                $_GET['referer'] = 'index.php';
        }
}

Edit viewlog.php, find
Code:
if (!isset($log)) {
        display_log_list();
} else {
               display_log($log);
}
and replace with
Code:
// If log variable not set or log file's directory is not current directory then display logs list else display log with given name stripping risky characters from it
if (!isset($log) || dirname($log) != '.') {
        display_log_list();
} else {
        display_log(ereg_replace('\.|/|%00', '', $log));
}

The following issues have been addressed in this release (changelog excerpt):
  • 2007-09-14 Release of cpg1.4.13 {GauGau}
  • 2007-09-13 Updated documentation with reference to release announcement thread {GauGau}
  • 2007-09-08 Upgraded version numbers to prepare for release {GauGau}
  • 2007-09-08 Removed SEF_URL plugin from standard package as it is known to cause issues. Plugin can be downloaded separately instead from http://forum.coppermine-gallery.net/index.php?topic=46718.0 {GauGau}
  • 2007-09-05 Added code to remove risky characters in log file name in URL and to check if given log file name's directory is current directory or not to fix second vulnerability reported by L4teral (thread ID 46623) {Amit}
  • 2007-09-05 If 'http' or 'script' is set in referer then referer will be set to 'index.php' - first vulnerability reported by L4teral (thread ID 46623) {Amit}
  • 2007-09-04 Added preliminary (beta) bridge for SMF 2.x (user contribution) {GauGau}
  • 2007-08-25 Removed config option "Display album description" that hasn't been implemented yet {GauGau}
  • 2007-08-25 Removed byte order mark for some language files {GauGau}
  • 2007-08-24 Back-ported some of the documentation improvements for the next coppermine version to cpg1.4.x {GauGau}
  • 2007-08-24 Added section to documentation that is meant to explain the need for upgrading {GauGau}
  • 2007-08-18 XHTML ampersand fix in clickable keywords {Nibbler}
  • 2007-08-18 Fixing conditional call to process_smilies() in report file {Nibbler}
  • 2007-08-18 Quota check only applies to uploads to user galleries {Nibbler}
  • 2007-08-18 Avoid redirecting users to the logout page after logging in {Nibbler}
  • 2007-08-18 Fixed sending of duplicate forgot password emails {Nibbler}
  • 2007-08-16 Updated license reference from GNU GPL v2 to GNU GPL v3 {GauGau}
  • 2007-08-16 Added Romanian language file (user contribution) {GauGau}
  • 2007-08-14 Added Catalan language file (user contribution) {GauGau}
  • 2007-07-27 Added missing curly brackets to various default theme definitions {GauGau}
  • 2007-07-27 Fixing issue creating new user with mysql strict mode {Nibbler}
  • 2007-07-26 Added missing curly brackets to user admin menu default definition {GauGau}
  • 2007-07-18 Added Macedonian language file (partial translation, user contribution) {GauGau}
  • 2007-07-04 Fixed improper fix for double quotes for comment input fields (thread ID 40423) {GauGau}
  • 2007-07-04 Updated version count from cpg1.4.12 to cpg1.4.13 in subversion repository as a preparation for a possible future release {GauGau}

How to update:
To update any version of Coppermine to version 1.4.13, download the latest version from the download page and follow the upgrade steps in the documentation.

If you have problems with this update, please use the Update support board. Do not post your issues to this announcement thread - they will be deleted without notice.

Our thanks go to L4teral who reported the vulnerabilities and gave us the opportunity to prepare this release.

Joachim Müller (aka GauGau)
- Coppermine project manager -
« Last Edit: September 14, 2007, 05:19:14 pm by GauGau » Logged
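
The two manual fixes in the post filter known-bad input in the `referer` URL parameter and in the log name passed to viewlog.php. As an added example (not Coppermine code and not part of the release), here are the same two inputs validated against an allowlist instead; the function names, the allowed character sets and the sample values are assumptions made for illustration.

```php
<?php
// Added example, not Coppermine code; names and sample values are hypothetical.

// Accept only a relative link to a .php script (optionally with a simple
// query string). Anything else falls back to index.php, as in the manual fix.
function safe_referer($value, $default = 'index.php')
{
    if (!is_string($value)) {
        return $default;
    }
    $value = rawurldecode($value);
    if (preg_match('/\A[a-z0-9_]+\.php(\?[a-z0-9_=&;.\-]*)?\z/i', $value)) {
        return $value;
    }
    return $default;
}

// Return the log name only if it is a plain name and one of the logs that
// exist; null tells the caller to show the log list instead.
function safe_log_name($value, array $available)
{
    if (!is_string($value) || !preg_match('/\A[a-z0-9_\-]+\z/i', $value)) {
        return null;
    }
    return in_array($value, $available, true) ? $value : null;
}

// Constructed inputs for the referer parameter.
$referers = array(
    'thumbnails.php?album=3',
    'http://example.test/page.php',
    '%3Cb%3Ex%3C/b%3E',
    array('not a string'),
);
foreach ($referers as $r) {
    // Escape at output time as well: validation does not replace encoding.
    echo htmlspecialchars(safe_referer($r), ENT_QUOTES), "\n";
}

// Constructed log names and requests for the log parameter.
$available = array('global', 'security');
foreach (array('security', '../other/file', "global\0", 'missing') as $l) {
    var_dump(safe_log_name($l, $available));
}
```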