Can you tell me where the security issue lies so I can manually patch it?
 


Started by net, April 17, 2008, 09:10:52 AM


net

Hi,

I'm not fond of a total revamp of my gallery as I have customized so much in almost every file.

Is there a way to simply manually patch this issue, or is it within the core of cpg?

Joachim Müller

Read the announcement thread of the release: there are instructions in it that explain what has changed from cpg1.4.17 to cpg1.4.18; you could apply the patch manually. You need to understand though that the manual patch only takes care of the actual security issue that triggered the release. Minor issues (bugs) that have been fixed (although not security critical) have gone into the release as well. The older the version is that you're upgrading from, the harder it will become to patch manually. Therefore, the answer to your question for a simple patch is: no, there is no simple patch - it doesn't get easier the more you have modded your coppermine gallery.
What you're asking has been asked many times over, so I won't go into details. Use a diff viewer to find out what has changed. Re-apply your mods after the upgrade. Your custom theme won't get touched when upgrading anyway, nor will plugins break.
Your layout changes should go into your custom theme anyway, so there's no need to be alarmed if your "mods" basically are skinning efforts.

net

Thank you Joachim.

From what I understand this exploit targets bridged galleries, so there shouldn't be an issue for unbridged ones?

I'll upgrade as fast as I get some time off!

Joachim Müller

Nope, quite the opposite is true: the hack targets unbridged galleries. Technically speaking, your coppermine gallery is always bridged: either to an external app or to coppermine's user management. The exploit uses a vulnerability in the bridge file that bridges coppermine to its own user management. This is from your perspective an unbridged coppermine gallery.
Enough talk: upgrade! It's mandatory. No further discussion needed.