Advanced search  

News:

cpg1.5.48 Security release - upgrade mandatory!
The Coppermine development team is releasing a security update for Coppermine in order to counter a recently discovered vulnerability. It is important that all users who run version cpg1.5.46 or older update to this latest version as soon as possible.
[more]

Pages: [1]   Go Down

Author Topic: Re: cpg1.5.16 Security release - upgrade mandatory!  (Read 1957 times)

0 Members and 1 Guest are viewing this topic.

406man

  • Contributor
  • Coppermine novice
  • ***
  • Offline Offline
  • Posts: 46
Re: cpg1.5.16 Security release - upgrade mandatory!
« on: September 05, 2011, 02:18:58 pm »

The 1.5.16 upgrade is described as mandatory with the reason for its release “The release covers a recently discovered bug in the registration process that allows (if unpatched) a user to circumvent the admin activation if both email verification and admin activation are enabled in the config”.

My gallery is running 1.5.12 and has both email verification and admin activation so I am vulnerable to an attack in this area. I have to decide what to do and as the amount of work in upgrading is quite large due to customisations I instead want to look at all the options which seem to me to be:
a) do nothing and take the risk
b) upgrade to 1.5.16
c) switch off email verification
Could someone help answer some questions relating to these options (apologies if this note is in the wrong part of the forum)
- What’s the worst that an attacker can do if they exercise the security bug which is fixed by 1.5.16 ?
- Can I prevent the security bug being exercised if I simply switch off the activation email and do all the user activations manually ?
Logged

Αndré

  • Administrator
  • Coppermine addict
  • *****
  • Country: de
  • Offline Offline
  • Gender: Male
  • Posts: 15764
Re: cpg1.5.16 Security release - upgrade mandatory!
« Reply #1 on: September 05, 2011, 02:39:20 pm »

Splitted from http://forum.coppermine-gallery.net/index.php/topic,73460.0.html ::)


What’s the worst that an attacker can do if they exercise the security bug which is fixed by 1.5.16 ?
Users can activate themselves (see here).


Can I prevent the security bug being exercised if I simply switch off the activation email and do all the user activations manually ?
As the user won't get an verification email, he won't get the activation link with the random hash. It's still possible to guess that value if the user has a lot of time.
Logged

406man

  • Contributor
  • Coppermine novice
  • ***
  • Offline Offline
  • Posts: 46
Re: cpg1.5.16 Security release - upgrade mandatory!
« Reply #2 on: September 05, 2011, 02:58:17 pm »

Thanks for the quick reply, Andre. There's another option which I didn't list above which is to apply the hotfix by modifying register.php using the code changes you kindly supplied in the link. I'll try that option on my test forum.
Logged
Pages: [1]   Go Up
 

Page created in 0.017 seconds with 19 queries.