The Coppermine development team is releasing a security update for Coppermine in order to counter a recently discovered vulnerability. It is important that all users who run version cpg1.4.21 or older update to this latest version as soon as possible.
How to update:
Users running versions prior to 1.4.22 should update immediately by
downloading the latest version from the
download page and following
the upgrade steps in the documentation.
For those who want to apply the vulnerability fix manually to their Coppermine installation, open
docs/showdoc.php and replace:
// harden against expolits: check the requested vars, replace illegal chars
$file = stripslashes($file);
$forbidden_chars = array("..", "/", "%", "<", ">", "$", "'", '"');
$file = str_replace($forbidden_chars, '', $file);
with the following lines:
// harden against expolits: check the requested vars, replace illegal chars
$file = stripslashes($file);
$forbidden_chars = array("..", "/", "%", "<", ">", "$", "'", '"');
$file = str_replace($forbidden_chars, '', $file);
$add_stylesheet = str_replace($forbidden_chars, '', $add_stylesheet);
Support:
If you have problems with this update, please use the
Update support board. Do not post your issues to this announcement thread - your post will be deleted without notice.
Why was cpg1.4.22 released?The release covers a recently discovered vulnerability that allows (if unpatched) a user to launch an
XSS attack (
thread).
Additionally, cpg1.4.22 includes fixes for the following non-security related issues:
- Fixed improper ban expirations due to time offset being incorrectly applied (thread)
- Increased maxlength for password field in user manager from 8 to 25 to match the limits elsewhere
Thanks to
Gerendi Sandor Attila who discovered the vulnerability and
Nibbler for coming up with the fix.
Thanks,
The Coppermine Team