Coppermine 1.4.20 Exploit
 


Started by Crazymodder, February 28, 2009, 12:24:38 AM


Crazymodder

I have found a new exploit for Coppermine 1.4.20. If one of the developers would take a look:
http://milw0rm.com/exploits/8114

Best Regards
Crazymodder

Fabricio Ferrero

The exploit is real. I just confirmed in CPG 1.4.20


@Crazymodder: Thanks for letting us know, the CPG Dev Team is going to take care of this as soon as they read this post.
Read Docs and Search the Forum before posting. - Soporte en español
--*--
Fabricio Ferrero's Website

Catching up! :)

Joachim Müller

The dev team is aware of milw0rm exploits #8114 & #8115. We're discussing a fix. If you want to close the potential hole right now, disallow visitors from using bbcode, i.e. disallow them from uploading and commenting.


Ludo

Waiting for a better fix from the Dev Team, may I be safe from this exploit by just disabling comment and upload feature for guests and registered users? I have only one registered user (a member of this community :) ), applied captcha mod to registration page and request admin approval for new members.
I used to apply every upgrade ASAP, but in my gallery I make large use of url bbcode tag in album descriptions and image captions: I figure that no BBCode can be placed if uploads and comments are disabled...am I wrong?

Joachim Müller

Quote from: Joachim Müller on March 06, 2009, 08:27:16 AM
if you're the only one who can enter bbcode into form fields then you're safe, i.e. if you're running a monolithic gallery where the only user interaction comes from you (the admin). In that case (and only in that case) it's safe to undo the patch and allow the processing of the bbcode tags [ u r l ] and [ i m g ].

Locking thread to stop double discussion. As suggested in the announcement for cpg1.4.21, discussion should be led on the upgrade sub-board.