The development team is releasing a security update for Coppermine in order to counter a recently discovered sql injection vulnerability. It is important that all users who run version cpg1.4.17 or older update to this latest version as soon as possible.
This is the only issue addressed in this release.
How to update:
If you are currently running 1.4.17 then you may patch your gallery by replacing your copy of bridge/coppermine.inc.php with the fixed version available here (http://coppermine.svn.sourceforge.net/viewvc/*checkout*/coppermine/trunk/cpg1.4.x/bridge/coppermine.inc.php?revision=4381). This is the only issue addressed in this release.
Users running versions prior to 1.4.17 should update immediately by downloading (http://downloads.sourceforge.net/coppermine/cpg1.4.18.zip) the latest version from the download page (http://sourceforge.net/project/showfiles.php?group_id=89658) page and follow the upgrade steps in the documentation (http://coppermine-gallery.net/demo/cpg14x/docs/index.htm#upgrade).
Support:
If you have problems with this update, please use the Update support board (http://forum.coppermine-gallery.net/index.php?board=59.0). Do not post your issues to this announcement thread - they will be deleted without notice.
Why was cpg1.4.18 released only few days after the release of cpg1.4.17?
The 1.4.17 patch indeed does not fix the problem - it fixes a different problem, one which this latest attack does not actually exploit. This new release will address the current issue.
That has been corrected in this version 1.4.18.
Version 1.4.18 contains sets of corrections already present in version 1.4.17.
Note: for galleries that have already been infected, it is not enough to upgrade - you'll have to sanitize your website as well. Upgrading will only close the vulnerability, but not the payload of the hack. Please review the thread that discusses the hack for suggestions how to sanitize - do not clutter the announcement thread for the release of cpg1.4.18 with questions/comments on the hack.
Big thanks go to Nibbler who came up with the fix for the vulnerability.
Thanks,
The Coppermine Team
Please update or delete the 1.4.17 announcement thread to say that it superseded by this update. otherwise you google the hack, find the 1.4.17 page, update and have the same problems. thanks!
-m
cpg1.4.17 announcement thread updated. Thanks for notifying.
Quote from: Joachim Müller on April 14, 2008, 09:16:15 AM
The development team is releasing a security update for Coppermine in order to counter a recently discovered sql injection vulnerability. It is important that all users who run version cpg1.4.17 or older update to this latest version as soon as possible.
Note: for galleries that have already been infected, it is not enough to upgrade - you'll have to sanitize your website as well. Upgrading will only close the vulnerability, but not the payload of the hack. Please review the thread that discusses the hack for suggestions how to sanitize - do not clutter the announcement thread for the release of cpg1.4.18 with questions/comments on the hack.
Big thanks go to Nibbler who came up with the fix for the vulnerability.
Thanks,
The Coppermine Team
Where can I find the thread on the hack suggestions?
Hack thread: http://forum.coppermine-gallery.net/index.php/topic,51671.0.html
Sanitization thread: http://forum.coppermine-gallery.net/index.php/topic,51927.0.html
Alright, I'm a first timer upgrading. I will follow the instructions. thanks.
Quotehow do I upgrade?
Just before your POST, some links for a start ???
And if you had downloaded the Coppermine's package, there's a DOC inside !
PYAP
Thanks, I am backing up the MySQL right now.
Since this is an announcement thread it is now closed. Any questions concerning 1.4.18 ? Open your very own thread and ask away ;D
Quote from: Joachim Müller on April 14, 2008, 09:16:15 AMIf you have problems with this update, please use the Update support board (http://forum.coppermine-gallery.net/index.php?board=59.0). Do not post your issues to this announcement thread - they will be deleted without notice.
Cluttering this thread although the announcement clearly says you mustn't is silly and selfish.