The development team is releasing a security update for Coppermine in order to counter a recently discovered sql injection vulnerability. It is important that all users who run version cpg1.4.17 or older update to this latest version as soon as possible.
This is the only issue addressed in this release.
How to update:
If you are currently running 1.4.17 then you may patch your gallery by replacing your copy of bridge/coppermine.inc.php with the fixed version available
here. This is the only issue addressed in this release.
Users running versions prior to 1.4.17 should update immediately by
downloading the latest version from the
download page page and follow
the upgrade steps in the documentation.
Support:
If you have problems with this update, please use the
Update support board. Do not post your issues to this announcement thread - they will be deleted without notice.
Why was cpg1.4.18 released only few days after the release of cpg1.4.17?The 1.4.17 patch indeed does not fix the problem - it fixes a different problem, one which this latest attack does not actually exploit. This new release will address the current issue.
That has been corrected in this version 1.4.18.
Version 1.4.18 contains sets of corrections already present in version 1.4.17.
Note: for galleries that have already been infected, it is
not enough to upgrade - you'll have to sanitize your website as well. Upgrading will only close the vulnerability, but not the payload of the hack. Please review the thread that discusses the hack for suggestions how to sanitize - do not clutter the announcement thread for the release of cpg1.4.18 with questions/comments on the hack.
Big thanks go to Nibbler who came up with the fix for the vulnerability.
Thanks,
The Coppermine Team