Coppermine 1.4.20 Exploit Coppermine 1.4.20 Exploit
 

News:

cpg1.5.48 Security release - upgrade mandatory!
The Coppermine development team is releasing a security update for Coppermine in order to counter a recently discovered vulnerability. It is important that all users who run version cpg1.5.46 or older update to this latest version as soon as possible.
[more]

Main Menu

Coppermine 1.4.20 Exploit

Started by Crazymodder, February 28, 2009, 12:24:38 AM

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

Crazymodder

I have found a new Exploit for Coppermine 1.4.20. If some of the Developer would take a look
http://milw0rm.com/exploits/8114

Best Regards
Crazymodder

Fabricio Ferrero

The exploit is real. I just confirmed in CPG 1.4.20


@Crazymodder: Thanks for let us know, the CPG Dev Team is going to take care of this as soon as they read this post.
Read Docs and Search the Forum before posting. - Soporte en español
--*--
Fabricio Ferrero's Website

Catching up! :)

Joachim Müller

The dev team is aware of milw0rm exploits #8114 & #8115. We're discussing a fix. If you want to close the potential whole right now, disallow visitors to use bbcode, i.e. disallow them to upload and comment.

Fabricio Ferrero

Read Docs and Search the Forum before posting. - Soporte en español
--*--
Fabricio Ferrero's Website

Catching up! :)

Ludo

#4
Waiting for a better fix from the Dev Team, may I be safe from this exploit by just disabling comment and upload feature for guests and registered users? I have only one registered user (a member of this community :) ), applied captcha mod to registration page and request admin approval for new members
I used to apply every upgrade ASAP, but in my gallery I make large use of url bbcode tag in album descriptions and image captions: I figure that no BBCode can be placed if uploads and comments are disabled...am I wrong?

Joachim Müller

Quote from: Joachim Müller on March 06, 2009, 08:27:16 AM
if you're the only one who can enter bbcode into form fields then you're safe, i.e. if you're running a monolithic gallery where the only user interaction comes from you (the admin). In that case (and only in that case) it's safe to undo the patch and allow the processing of the bbcode tags [ u r l ] and [ i m g ]
Locking thread to stop double discussion. As suggested in the announcement for cpg1.4.21, discussion should be lead on the upgrade sub-board.