Security release cpg1.4.10 - upgrade mandatory

Started by Nibbler, October 29, 2006, 11:59:58 PM

Nibbler

Coppermine 1.4.10 - Security release.

The development team is releasing a security update for Coppermine in order to counter a recently announced vulnerability that can lead to disclosure of sensitive information. It is important that all users update to this latest version as soon as possible.

To correct the security issue manually, you can apply a fix to picmgr.php. Please note that applying the manual fix will keep you secure, but it is not a substitute for updating your gallery fully.

Find

$aid = isset($_GET['aid']) ? ($_GET['aid']) : 0;

Change to

$aid = isset($_GET['aid']) ? (int) $_GET['aid'] : 0;


This issue does not affect versions of Coppermine prior to 1.4, however we encourage all users to update to this latest version.


The following issues have been addressed in this release:


  • Removal of SQL injection vulnerability (as mentioned above)
  • Removal of unused file include/exifReader.inc.php
  • Addition of missing checks for email address validity and duplicate email addresses in the profile page.
  • Some minor MySQL5 issues
  • Pictures awaiting approval are no longer found using the search feature.
  • Corrected some issues with html entities appearing in emails
  • Corrected flaw in search logic
  • Added Indonesian language file (user contribution)
  • Updated Brazilian language file (user contribution)
  • Pagination issues corrected
  • Fix for video playback in IE


To update any version of Coppermine to version 1.4.10, download the latest version from the download page and follow the upgrade steps in the documentation.

If you have problems with this update, please use the Update support board. Do not post your issues to this announcement thread - they will be deleted without notice.


Nibbler.
Coppermine Dev Team.
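As an added illustration of why the one-line change to picmgr.php matters (this is example code written for this thread, not Coppermine's own code; the table name cpg_pictures and the query shape are assumptions), the following script puts the pre-1.4.10 line next to the fixed line and feeds both the same constructed GET parameters. The (int) cast is what stops arbitrary request text from reaching the SQL string: anything that is not a leading run of digits is discarded and a non-numeric value collapses to 0.

```php
<?php
// Added example, not Coppermine code. Shows the effect of the cpg1.4.10 fix:
// casting $_GET['aid'] to int before it is interpolated into a query.
// Table name and query shape are assumed for illustration only.

// Pre-1.4.10 form: the raw request value is placed into the SQL text unchanged.
function build_query_unsafe(array $get): string
{
    $aid = isset($get['aid']) ? ($get['aid']) : 0;
    return "SELECT * FROM cpg_pictures WHERE aid = $aid";
}

// cpg1.4.10 form: (int) coerces the value to an integer. Leading digits are kept,
// trailing text is dropped, and input with no leading digits becomes 0.
function build_query_fixed(array $get): string
{
    $aid = isset($get['aid']) ? (int) $get['aid'] : 0;
    return "SELECT * FROM cpg_pictures WHERE aid = $aid";
}

// Defender-side check: does the finished query end in a purely numeric id?
function query_id_is_numeric(string $sql): bool
{
    return (bool) preg_match('/aid = -?\d+$/', $sql);
}

// Stricter alternative to the cast: reject anything that is not a whole integer
// instead of silently coercing it. Returns null on invalid input.
function validate_aid(array $get): ?int
{
    if (!isset($get['aid'])) {
        return 0;
    }
    $v = filter_var($get['aid'], FILTER_VALIDATE_INT);
    return ($v === false) ? null : $v;
}

// Constructed request parameters (not real traffic).
$inputs = [
    ['aid' => '12'],            // ordinary request
    ['aid' => '12abc'],         // trailing junk: cast keeps 12, validate_aid rejects
    ['aid' => 'not a number'],  // no digits: cast yields 0, validate_aid rejects
    [],                         // parameter absent: both forms default to 0
];

foreach ($inputs as $get) {
    $unsafe = build_query_unsafe($get);
    $fixed  = build_query_fixed($get);
    $valid  = validate_aid($get);
    printf("unsafe: %-55s [%s]\n", $unsafe, query_id_is_numeric($unsafe) ? 'numeric' : 'NOT numeric');
    printf("fixed:  %-55s [%s]\n", $fixed,  query_id_is_numeric($fixed)  ? 'numeric' : 'NOT numeric');
    printf("strict: %s\n\n", $valid === null ? 'rejected' : "aid=$valid");
}
```

Run it with php from the command line. Every query produced by build_query_fixed ends in a plain integer, whereas build_query_unsafe reproduces whatever text was sent. The cast is the minimal, safe change for a numeric parameter; validate_aid shows the stricter option of refusing malformed input outright, and for string parameters the general remedy is a parameterised query rather than interpolation.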

alexyo

hi guys
You have a terrific tool
Why not replace only the picmgr.php file from one version to the other ?
regards

Joachim Müller

Because other things have been addressed as well, as suggested in the announcement!

web123

I am using ver 1.3 and cannot see the picmgr.php file.

The gallery keeps getting hacked and the web host keeps shutting it down. What should I do? If I upgrade to the newer version, does it remove all the existing images and settings etc?

This has been one big headache!

Tranz

Upgrading does not affect images, and it shouldn't adversely affect core settings. It definitely does not reset the settings to default. You should still do a backup of files and database before the upgrade as a precaution.

Joachim Müller

Quote from: Nibbler on October 29, 2006, 11:59:58 PM
If you have problems with this update, please use the Update support board. Do not post your issues to this announcement thread - they will be deleted without notice.
Any particular reason for not reading this thread and doing as suggested? Don't force us to lock announcement threads. Stay out of this thread!