forum.coppermine-gallery.net
No Support => Announcements => Topic started by: Αndré on January 28, 2010, 11:41:28 am
-
The Coppermine development team is releasing a security update for Coppermine in order to counter a recently discovered vulnerability. It is important that all users who run version cpg1.4.25 or older update to this latest version as soon as possible.
How to update:
Users running versions prior to 1.4.26 should update immediately by downloading (https://sourceforge.net/projects/coppermine/files/Coppermine/1.4.26%20%28stable%29/cpg1.4.26.zip/download) the latest version from the download page (http://sourceforge.net/project/showfiles.php?group_id=89658) and following the upgrade steps in the documentation (http://coppermine.svn.sourceforge.net/viewvc/coppermine/trunk/cpg1.4.x/docs/index.htm#upgrade).
For those who want to apply the vulnerability fix manually to their Coppermine installation, open upload.php, find
echo "<tr><td>{$URI_failure_array[$i]['failure_ordinal']} {$URI_failure_array[$i]['URI_name']}</td><td>{$URI_failure_array[$i]['error_code']}</td></tr>";and replace with
echo "<tr><td>{$URI_failure_array[$i]['failure_ordinal']} ".htmlentities($URI_failure_array[$i]['URI_name'])."</td><td>{$URI_failure_array[$i]['error_code']}</td></tr>";
Support:
If you have problems with this update, please use the Update support board (http://forum.coppermine-gallery.net/index.php?board=59.0). Do not post your issues to this announcement thread - your post will be deleted without notice.
Why was cpg1.4.26 released?
The release covers a recently discovered input validation vulnerability that allows (if unpatched) a malevolent visitor to include own script routines (thread (http://forum.coppermine-gallery.net/index.php/topic,63488.0.html)).
Additionally, cpg1.4.26 includes fixes for the following non-security related issues:
- Edited vBulletin bridge to reflect changes from vB3.x to vB4.x
- Added check to plugin manager for version requirements - backported feature from cpg1.5.x (thread (http://forum.coppermine-gallery.net/index.php/topic,63279.0.html))
- Updated Italian Language file
- Fixed permission check in crop/rotate wrongly denying access
- Fixed caching issues with xp publisher
- Fixed issue with creating albums in xp publisher with MySQL's strict mode enabled
- Fixed bridge issue when creating albums in xp publisher
- Updated German language files (added missing strings)
- Updated MyBB bridge to 1.4
- Updated Czech language file (user contribution)
- Updated Slovak language file (user contribution)
- Updated Italian language file (user contribution)
Thanks to Aditya Mooley (http://forum.coppermine-gallery.net/index.php?action=profile;u=5957) for coming up with the fix, and thanks to Ivan Buetler and the GESEC Team for discovering the vulnerability.
Thanks,
The Coppermine Team
-
French announcement here (http://forum.coppermine-gallery.net/index.php/topic,63564.0.html)
Traduction Française ici (http://forum.coppermine-gallery.net/index.php/topic,63564.0.html)
-
Spanish Announcement here. (http://forum.coppermine-gallery.net/index.php/topic,63567.0.html)
Anuncio en Español aquí. (http://forum.coppermine-gallery.net/index.php/topic,63567.0.html)
-
Russian Announcement here (http://forum.coppermine-gallery.net/index.php/topic,58394.msg315815.html#msg315815).
Объявление на Русском здесь (http://forum.coppermine-gallery.net/index.php/topic,58394.msg315815.html#msg315815). (ISO-8859-1)
Îáúÿâëåíèå íà Ðóññêîì çäåñü (http://forum.coppermine-gallery.net/index.php/topic,58394.msg315815.html#msg315815). (Windows-1251)