Re: cpg1.5.16 Security release - upgrade mandatory! Re: cpg1.5.16 Security release - upgrade mandatory!
 

News:

cpg1.5.48 Security release - upgrade mandatory!
The Coppermine development team is releasing a security update for Coppermine in order to counter a recently discovered vulnerability. It is important that all users who run version cpg1.5.46 or older update to this latest version as soon as possible.
[more]

Main Menu

Re: cpg1.5.16 Security release - upgrade mandatory!

Started by 406man, September 05, 2011, 02:18:58 PM

Previous topic - Next topic

0 Members and 2 Guests are viewing this topic.

406man

The 1.5.16 upgrade is described as mandatory with the reason for its release "The release covers a recently discovered bug in the registration process that allows (if unpatched) a user to circumvent the admin activation if both email verification and admin activation are enabled in the config".

My gallery is running 1.5.12 and has both email verification and admin activation so I am vulnerable to an attack in this area. I have to decide what to do and as the amount of work in upgrading is quite large due to customisations I instead want to look at all the options which seem to me to be:
a) do nothing and take the risk
b) upgrade to 1.5.16
c) switch off email verification
Could someone help answer some questions relating to these options (apologies if this note is in the wrong part of the forum)
- What's the worst that an attacker can do if they exercise the security bug which is fixed by 1.5.16 ?
- Can I prevent the security bug being exercised if I simply switch off the activation email and do all the user activations manually ?

ΑndrĂ©

Splitted from http://forum.coppermine-gallery.net/index.php/topic,73460.0.html ::)


Quote from: 406man on September 05, 2011, 02:18:58 PM
What's the worst that an attacker can do if they exercise the security bug which is fixed by 1.5.16 ?
Users can activate themselves (see here).


Quote from: 406man on September 05, 2011, 02:18:58 PM
Can I prevent the security bug being exercised if I simply switch off the activation email and do all the user activations manually ?
As the user won't get an verification email, he won't get the activation link with the random hash. It's still possible to guess that value if the user has a lot of time.

406man

Thanks for the quick reply, Andre. There's another option which I didn't list above which is to apply the hotfix by modifying register.php using the code changes you kindly supplied in the link. I'll try that option on my test forum.