Coppermine 1.4.10 - Security release.
The development team is releasing a security update for Coppermine in order to counter a recently announced vulnerability that can lead to disclosure of sensitive information. It is important that all users update to this latest version as soon as possible.
To correct the security issue manually, you can apply a fix to picmgr.php. Please note that applying the manual fix will keep you secure, but it is not a substitute for updating your gallery fully.
Find
$aid = isset($_GET['aid']) ? ($_GET['aid']) : 0;
Change to
$aid = isset($_GET['aid']) ? (int) $_GET['aid'] : 0;
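As an added illustration (not code from the Coppermine release or from picmgr.php), the script below puts the original assignment next to the fixed one and shows what the (int) cast does to a few constructed request values; the table name, the helper names and the stricter validate_aid() alternative built on filter_var() are illustrative assumptions, not part of the project.

```php
<?php
// Added example, not Coppermine's own code. The table name is illustrative.

// Vulnerable pattern (the "Find" line): the raw request value is interpolated
// into the SQL string unchanged, so anything but a plain number reaches MySQL.
function build_query_unsafe(array $get): string {
    $aid = isset($get['aid']) ? ($get['aid']) : 0;
    return "SELECT pid FROM cpg_pictures WHERE aid = $aid";
}

// Fixed pattern (the "Change to" line): the (int) cast guarantees that only an
// integer literal can ever appear in the query, whatever the client sent.
function build_query_fixed(array $get): string {
    $aid = isset($get['aid']) ? (int) $get['aid'] : 0;
    return "SELECT pid FROM cpg_pictures WHERE aid = $aid";
}

// Stricter check for new code (hypothetical helper): reject anything that is
// not a non-negative whole number instead of silently mapping it to 0 or
// truncating "42abc" to 42, which is what the cast does.
function validate_aid(?string $raw): ?int {
    if ($raw === null) {
        return 0;                       // parameter absent: same default as the fix
    }
    $v = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    return $v === false ? null : $v;    // null means "reject the request"
}

// Constructed sample values a client might send as ?aid=...
$samples = ['42', '42abc', 'abc', '', '-3'];

foreach ($samples as $raw) {
    printf("aid=%-8s unsafe: %s\n", var_export($raw, true), build_query_unsafe(['aid' => $raw]));
    printf("             fixed:  %s\n", build_query_fixed(['aid' => $raw]));
    printf("             strict: %s\n\n", var_export(validate_aid($raw), true));
}
```

Run it with the PHP CLI to see that the fixed query always contains a bare integer, while the strict variant also flags the malformed values so the request can be refused rather than answered for album 0.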
This issue does not affect versions of Coppermine prior to 1.4, however we encourage all users to update to this latest version.
The following issues have been addressed in this release:
- Removal of SQL injection vulnerability (as mentioned above)
- Removal of unused file include/exifReader.inc.php
- Addition of missing checks for email address validity and duplicate email addresses on the profile page.
- Some minor MySQL5 issues
- Pictures awaiting approval are no longer found using the search feature.
- Corrected some issues with html entities appearing in emails
- Corrected flaw in search logic
- Added Indonesian language file (user contribution)
- Updated Brazilian language file (user contribution)
- Pagination issues corrected
- Fix for video playback in IE
To update any version of Coppermine to version 1.4.10, download the latest version from the download page and follow the upgrade steps in the documentation.
If you have problems with this update, please use the Update support board. Do not post your issues to this announcement thread - they will be deleted without notice.
Nibbler.
Coppermine Dev Team.