No Support => Announcements => Topic started by: Joachim Müller on September 13, 2007, 06:20:33 pm

Title: Maintenance release cpg1.4.13 (security-related) - upgrade mandatory
Post by: Joachim Müller on September 13, 2007, 06:20:33 pm
Coppermine 1.4.13 - Security release.

The development team is releasing a security update for Coppermine in order to counter a recently discovered cross-site-scripting vulnerability. It is important that all users who run version cpg1.4.12 or older update to this latest version as soon as possible.

To correct the security issue manually, you can apply the fixes mentioned below. Please note that applying the manual fixes will keep you secure, but it is not a substitute for updating your gallery fully, as there are several other non-security related fixes that went into cpg1.4.13 as well.

Manual fixes (not recommended):
To manually fix the vulnerability, edit include/, find
Code: [Select]
* CPGPluginAPI::action('page_start',null)
and add before it (into a new line)
Code: [Select]
// If referer is set in URL and it contains 'http' or 'script' texts then set it to 'index.php' script
if (isset($_GET['referer'])) {
        if (preg_match('/((\%3C)|<)[^\n]+((\%3E)|>)|(.*http.*)|(.*script.*)/i', $_GET['referer'])) {
                $_GET['referer'] = 'index.php';

Edit viewlog.php, find
Code: [Select]
if (!isset($log)) {
} else {
and replace with
Code: [Select]
// If log variable not set or log file's directory is not current directory then display logs list else display log with given name stripping risky characters from it
if (!isset($log) || dirname($log) != '.') {
} else {
        display_log(ereg_replace('\.|/|%00', '', $log));

The following issues have been addressed in this release (changelog excerpt):

How to update:
To update any version of Coppermine to version 1.4.13, download ( the latest version from the download page ( and follow the upgrade steps in the documentation (

If you have problems with this update, please use the Update support board ( Do not post your issues to this announcement thread - they will be deleted without notice.

Our thanks go to L4teral who reported the vulnerabilities and gave us the opportunity to prepare this release.

Joachim Müller (aka GauGau)
- Coppermine project manager -