Print

[Fred_Brown]

I think Coppermine is great software! Luckily, our ISP had an Fantistico installation which made version 1.3.2 a breeze to install. However, when I saw the issue with IP spoofing and XSS vulnerability, my only option was to try a manual upgrade. How hard could it be? I'd done it before with a live website support php/mysql software and it was a breeze. With their software, I just followed the easy instructions; renamed the folder containing the orginal version software on the server, uploaded the new version into its own folder and then rename that folder to the orginal folder name. I then browsed to a setup.php and followed their web based instructions. If I forgot to set a permission or didn't have a variable right, I got prompted to fix it. When I finished the install, it detected and informed me of cleanup operations.

However, it's been so frustrating trying to upgrade Coppermine that I've decide not to do the upgrade and just add the code for IP spoofing and XSS vulnerability. Why in heaven's name would Coppermine be setup to upload over another folder/dir and at the same time have instructions to omit writing over certain files or folders within that folder? Coppermine has a convaluted upgrade proceedure, and the upgrade instructions not completely clear. I pity those who are actually trying to go from 1.0 to 1.33.

This is a great software, as I'm sure most visiting this board will agree. I hope the creators figure out a more intuitive upgrader in future releases. In my experience, the hardest thing to do is to make things simple for the end user.

[Joachim Müller]

OK, here are easier instructions:

• Backup all files
• Overwrite all files on the server with those that come with the package
• Point your browser to http://yoursite.tld/your_coppermine_folder/update.php

This will work for 99% of all installs that are "out-of-the-box" and have only custom modifications applied as suggested in the docs. The "more complicated" instructions in the docs are for those who have applied mods/hacks/custom themes etc. If anything goes wrong during the upgrade, you can savely go back just writing back the backup files you created in step 1.
There's a thread that explains what to do if you're reluctant to do the full upgrade and that will tell you what exactly to do if you only want to fix the particular vulnerability mentioned in your posting.
For further help, post what exactly went wrong when you upgraded, I'm sure we can work out any issues you have.

[amarand]

So what if I try to upgrade using the following technique (no mods, from CPG132 to 134) and when I hit the upgrade.php I get a blank, grey screen?  I was able to back-out to my original back-up files but...I still haven't been able to update using this simpler technique listed above. What's the approved/best way to upgrade?  Also, I have a lot of batch added files under the albums directory, and I'm worrying that the upgrade process won't handle those properly.

Thanks!

[Nibbler]

There is no such file as upgrade.php. The approved way to upgrade is that described in the documentation. Your existing pics and other gallery content is perfectly safe and won't be touched. Please post a link to your site.

[amarand]

Oops!  I was copying the cpg distribution cleanly into the directory (I meant update.php, by the way!) and when I overlay the new cpg files into the old cpg directory (having made a backup first), that seems to work.  As an aside (an easy question!) how can I tell authoritatively which version of Coppermine the site is actually running?  (Is there an"About" page or something?)  Thanks for the rapid response!

[Nibbler]

The version number is displayed on the config page, and in an HTML comment in the page footer.

[amarand]

Ahhh...putting it at the end sure does make it easy to see.  1.3.4...thank you!