Upgrade 1.4.21

Started by b2k, March 06, 2009, 01:30:38 AM


b2k

I successfully installed the 1.4.21 security fix (in functions.inc.php) on my 1.4.20 installation.

Anyway, as I'm the only user of my gallery (nobody but me can add comments, images, descriptions, etc.), does this bbcode security issue concern me?

Do I really need to apply this security patch?

If the answer is yes, is there any way to add links in album and category descriptions? (HTML <a href... doesn't work.) Removing links from descriptions is much less convenient for my visitors...

Thanks for your help and advice.

Joachim Müller

No, if you're the only one who can enter bbcode into form fields then you're safe, i.e. if you're running a monolithic gallery where the only user interaction comes from you (the admin). In that case (and only in that case) it's safe to undo the patch and allow the processing of the bbcode tags [url] and [img].

Ludo

Does this apply to my case too?
I have only one registered user (a member of this community), applied the captcha mod to the registration page and require admin approval for new members.
I figure that no BBCode can be placed if uploads and comments are disabled...am I wrong?

Fabricio Ferrero

Quote from: Ludo on March 06, 2009, 10:41:27 AM
Does this apply to my case too?
Quote from: Joachim Müller on March 06, 2009, 08:27:16 AM
if you're the only one who can enter bbcode into form fields then you're safe

Quote from: Ludo on March 06, 2009, 10:41:27 AM
I figure that no BBCode can be placed if uploads and comments are disabled...am I wrong?
You're right. ;)
Read Docs and Search the Forum before posting. - Soporte en español
--*--
Fabricio Ferrero's Website

Catching up! :)

Ludo

Hope I am ;)
May I re-enable safely uploads and comments for registered users, or better wait for definitive fix?

b2k

Quote from: Joachim Müller on March 06, 2009, 08:27:16 AM
No, if you're the only one who can enter bbcode into form fields then you're safe, i.e. if you're running a monolithic gallery where the only user interaction comes from you (the admin). In that case (and only in that case) it's safe to undo the patch and allow the processing of the bbcode tags [url] and [img].

Yes, nobody has access to any form field (except search field ;) ).

I will undo the patch.

Thanks for your help!

Joachim Müller

Quote from: Ludo on March 06, 2009, 05:10:47 PM
May I re-enable safely uploads and comments for registered users, or better wait for definitive fix?
If you have upgraded to cpg1.4.21 and have left the bbcode code in functions.inc.php as-is, you can safely re-enable comments and uploads by users.

Ludo

No, the question was related to v. 1.4.20!

Hercules24

Same here, I'm the only registered user and comments are off.
However: people can send e-cards (I've seen e-card spam before), is this exploit also possible via e-card [url] tags?
I disabled e-cards now also to be safe.

Joachim Müller

One issue per thread. Locking.
You need to upgrade, that's what the developers say. Anything else is entirely up to you and at your own risk. We will definitely not say "stick to cpg1.4.20 if you don't want to lose the bbcode features that have temporarily been dropped". In fact, we say quite the opposite: upgrade to the most recent stable release cpg1.4.21 no matter what.
You need to upgrade, that's what developers say. Anything else is entirely up to you and at your own risk. We will definitely not say "stick to cpg1.4.20 if you don't want to lose the bbcode features that have been temporarily been dropped". In fact, we say quite the opposite: upgrade to the most recent stable release cpg1.4.21 no matter what.