Advanced search  

News:

CPG Release 1.6.26
Correct PHP8.2 issues with user and language managers.
Additional fixes for PHP 8.2
Correct PHP8 error with SMF 2.0 bridge.
Correct IPTC supplimental category parsing.
Download and info HERE

Pages: [1]   Go Down

Author Topic: cpg1.4.22 Security release - upgrade mandatory!  (Read 59769 times)

0 Members and 1 Guest are viewing this topic.

Αndré

  • Administrator
  • Coppermine addict
  • *****
  • Country: de
  • Offline Offline
  • Gender: Male
  • Posts: 15764
cpg1.4.22 Security release - upgrade mandatory!
« on: April 30, 2009, 08:29:58 am »

The Coppermine development team is releasing a security update for Coppermine in order to counter a recently discovered vulnerability. It is important that all users who run version cpg1.4.21 or older update to this latest version as soon as possible.

How to update:
Users running versions prior to 1.4.22 should update immediately by downloading the latest version from the download page and following the upgrade steps in the documentation
For those who want to apply the vulnerability fix manually to their Coppermine installation, open docs/showdoc.php and replace:
Code: [Select]
// harden against expolits: check the requested vars, replace illegal chars
$file = stripslashes($file);
$forbidden_chars = array("..", "/", "%", "<", ">", "$", "'", '"');
$file = str_replace($forbidden_chars, '', $file);
with the following lines:
Code: [Select]
// harden against expolits: check the requested vars, replace illegal chars
$file = stripslashes($file);
$forbidden_chars = array("..", "/", "%", "<", ">", "$", "'", '"');
$file = str_replace($forbidden_chars, '', $file);
$add_stylesheet = str_replace($forbidden_chars, '', $add_stylesheet);

Support:
If you have problems with this update, please use the Update support board. Do not post your issues to this announcement thread - your post will be deleted without notice.

Why was cpg1.4.22 released?
The release covers a recently discovered vulnerability that allows (if unpatched) a user to launch an XSS attack (thread).

Additionally, cpg1.4.22 includes fixes for the following non-security related issues:
  • Fixed improper ban expirations due to time offset being incorrectly applied (thread)
  • Increased maxlength for password field in user manager from 8 to 25 to match the limits elsewhere

Thanks to Gerendi Sandor Attila who discovered the vulnerability and Nibbler for coming up with the fix.


Thanks,
The Coppermine Team
« Last Edit: April 30, 2009, 09:56:42 am by eenemeenemuu »
Logged

François Keller

  • Dev Team member
  • Coppermine addict
  • ****
  • Country: fr
  • Offline Offline
  • Gender: Male
  • Posts: 9094
  • aka Frantz
    • Ma galerie
Re: cpg1.4.22 Security release - upgrade mandatory!
« Reply #1 on: May 01, 2009, 06:40:09 pm »

Logged
Avez vous lu la DOC ? la FAQ ? et cherché sur le forum avant de poster ?
Did you read the DOC ? the FAQ ? and search the board before posting ?
Mon Blog
Pages: [1]   Go Up
 

Page created in 0.017 seconds with 19 queries.