I have found a new Exploit for Coppermine 1.4.20. If some of the Developer would take a look
http://milw0rm.com/exploits/8114
Best Regards
Crazymodder
The exploit is real. I just confirmed in CPG 1.4.20
@Crazymodder: Thanks for let us know, the CPG Dev Team is going to take care of this as soon as they read this post.
The dev team is aware of milw0rm exploits #8114 & #8115. We're discussing a fix. If you want to close the potential whole right now, disallow visitors to use bbcode, i.e. disallow them to upload and comment.
------->>> cpg1.4.21 Security release - upgrade mandatory! (http://forum.coppermine-gallery.net/index.php/topic,58309.0/topicseen.html)
Waiting for a better fix from the Dev Team, may I be safe from this exploit by just disabling comment and upload feature for guests and registered users? I have only one registered user (a member of this community :) ), applied captcha mod to registration page and request admin approval for new members
I used to apply every upgrade ASAP, but in my gallery I make large use of url bbcode tag in album descriptions and image captions: I figure that no BBCode can be placed if uploads and comments are disabled...am I wrong?
Quote from: Joachim Müller on March 06, 2009, 08:27:16 AM
if you're the only one who can enter bbcode into form fields then you're safe, i.e. if you're running a monolithic gallery where the only user interaction comes from you (the admin). In that case (and only in that case) it's safe to undo the patch and allow the processing of the bbcode tags [ u r l ] and [ i m g ]
Locking thread to stop double discussion. As suggested in the announcement for cpg1.4.21, discussion should be lead on the upgrade sub-board.