forum.coppermine-gallery.net

No Support => Announcements => Topic started by: Nibbler on October 29, 2006, 11:59:58 pm

Title: Security release cpg1.4.10 - upgrade mandatory
Post by: Nibbler on October 29, 2006, 11:59:58 pm
Coppermine 1.4.10 - Security release.

The development team is releasing a security update for Coppermine in order to counter a recently announced vulnerability that can lead to disclosure of sensitive information. It is important that all users update to this latest version as soon as possible.

To correct the security issue manually, you can apply a fix to picmgr.php. Please note that applying the manual fix will keep you secure, but it is not a substitute for updating your gallery fully.

Find

$aid = isset($_GET['aid']) ? ($_GET['aid']) : 0;
Change to

$aid = isset($_GET['aid']) ? (int) $_GET['aid'] : 0;

This issue does not affect versions of Coppermine prior to 1.4; however, we encourage all users to update to this latest version.


The following issues have been addressed in this release:



To update any version of Coppermine to version 1.4.10, download (http://prdownloads.sourceforge.net/coppermine/cpg1.4.10.zip?download) the latest version from the download page and follow the upgrade (http://coppermine-gallery.net/demo/cpg14x/docs/index.htm#upgrade) steps in the documentation.

If you have problems with this update, please use the Update support board (http://forum.coppermine-gallery.net/index.php?board=59.0). Do not post your issues to this announcement thread - they will be deleted without notice.


Nibbler.
Coppermine Dev Team.
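
The manual fix in the announcement relies on PHP's `(int)` cast, which turns whatever arrives in `aid` into an integer rather than rejecting bad input. The following is an added example, not part of the original post and not Coppermine code: `aid_cast()` repeats the patched line, `aid_strict()` is a hypothetical stricter variant, and the sample requests are constructed.

```php
<?php
// Added example, not Coppermine code. All sample inputs are constructed.

// The patched line from the announcement, wrapped in a function:
// whatever arrives in 'aid' is coerced to an integer.
function aid_cast(array $get): int
{
    return isset($get['aid']) ? (int) $get['aid'] : 0;
}

// Hypothetical stricter variant: accept only a plain non-negative
// decimal integer and report everything else instead of coercing it.
function aid_strict(array $get): ?int
{
    if (!isset($get['aid'])) {
        return 0; // same default as the patched line
    }
    $aid = filter_var(
        $get['aid'],
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0]]
    );
    // null tells the caller to refuse the request
    return $aid === false ? null : $aid;
}

// Constructed stand-ins for $_GET as different requests would fill it.
$samples = [
    'missing'         => [],
    'plain id'        => ['aid' => '12'],
    'trailing text'   => ['aid' => '12 and more text'],
    'non-numeric'     => ['aid' => 'abc'],
    'negative'        => ['aid' => '-3'],
    'array parameter' => ['aid' => ['12']], // sent as aid[]=12
];

foreach ($samples as $label => $get) {
    $strict = aid_strict($get);
    printf(
        "%-16s cast=%-3d strict=%s\n",
        $label,
        aid_cast($get),
        $strict === null ? 'rejected' : (string) $strict
    );
}
```

The cast always produces an integer, so the value can no longer carry extra text, but malformed requests are silently mapped to some album id; the strict variant lets the application refuse and log them instead.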
Title: Re: Security release cpg1.4.10 - upgrade mandatory
Post by: alexyo on March 03, 2007, 12:08:42 pm
hi guys
You have a terrific tool
Why not replace only the picmgr.php file from one version to the other?
regards
Title: Re: Security release cpg1.4.10 - upgrade mandatory
Post by: Joachim Müller on March 03, 2007, 06:52:54 pm
Because other things have been addressed as well, as suggested in the announcement!
Title: Re: Security release cpg1.4.10 - upgrade mandatory
Post by: web123 on June 04, 2007, 03:30:50 am
I am using ver 1.3 and cannot see the picmgr.php file.

The gallery keeps getting hacked and the web host keeps shutting it down. What should I do? If I upgrade to the newer version, does it remove all the existing images and settings etc?

This has been one big headache!
Title: Re: Security release cpg1.4.10 - upgrade mandatory
Post by: Tranz on June 04, 2007, 03:49:06 am
Upgrading does not affect images, and it shouldn't adversely affect core settings. It definitely does not reset the settings to default. You should still do a backup of files and database before the upgrade as a precaution.
Title: Re: Security release cpg1.4.10 - upgrade mandatory
Post by: Joachim Müller on June 04, 2007, 09:58:13 am
If you have problems with this update, please use the Update support board (http://forum.coppermine-gallery.net/index.php?board=59.0). Do not post your issues to this announcement thread - they will be deleted without notice.
Any particular reason for not reading this thread and doing as suggested? Don't force us to lock announcement threads. Stay out of this thread!