The Coppermine development team is releasing a security update for Coppermine in order to counter a recently discovered vulnerability. It is important that all users who run version cpg1.5.16 or older update to this latest version as soon as possible.
How to update:
Users running versions prior to 1.5.18 should update immediately by downloading (https://sourceforge.net/projects/coppermine/files/Coppermine/1.5.x/cpg1.5.18.zip/download) the latest version from the download page (http://sourceforge.net/project/showfiles.php?group_id=89658) and following the upgrade steps in the documentation (http://documentation.coppermine-gallery.net/en/upgrading.htm).
Support:
If you have problems with this update, please use the Update support board (http://forum.coppermine-gallery.net/index.php?board=90.0). Do not post your issues to this announcement thread - your post will be deleted without notice.
Why was cpg1.5.18 released?
The release covers a path disclosure vulnerability. If unpatched, it's possible to generate an error that will reveal the full path of the script. A remote user can determine the full path to the web root directory and other potentially sensitive information.
Additionally, cpg1.5.18 includes fixes for the following non-security related issues:
- Added plugin hook 'upload_file_name'
- Added default values on 'onlinestats' installation to avoid weird dates right after plugin installation (thread (http://forum.coppermine-gallery.net/index.php/topic,73467.0.html))
- Updated Arabic language file (user contribution)
- Fixed simple upload process when users can just upload to their personal gallery (thread (http://forum.coppermine-gallery.net/index.php/topic,73570.0.html))
- Added upload button after each album name in album manager
- Added anchors on plugin manager
- Fixed infinite loop for delayed cookie issue workaround (thread (http://forum.coppermine-gallery.net/index.php/topic,73655.0.html))
- Disallow dots in cookie name (thread (http://forum.coppermine-gallery.net/index.php/topic,73655.0.html))
- Fixed issue with very big 'Max size for uploaded files' values (thread (http://forum.coppermine-gallery.net/index.php/topic,73722.0.html))
- Fixed album thumbnails for public albums in 'My gallery' view for regular users
- Fixed clickable keywords with spaces (thread (http://forum.coppermine-gallery.net/index.php/topic,73804.0.html))
- Fixed critical error for 'lasthits' meta album (thread (http://forum.coppermine-gallery.net/index.php/topic,73801.0.html))
- Fixed misleading error message when uploading files that exceed the file size limit with the simple upload form (thread (http://forum.coppermine-gallery.net/index.php/topic,61711.0.html))
- Added hidden feature "Create sub-directory named according to the album ID in users' upload directories during HTTP upload"
- Use selected album thumbnail for 'lastup' meta album (thread (http://forum.coppermine-gallery.net/index.php/topic,73946.0.html))
- Create user album in personal gallery when user is created via the user manager (thread (http://forum.coppermine-gallery.net/index.php/topic,74013.0.html))
- Added captcha for ecards feature (thread (http://forum.coppermine-gallery.net/index.php/topic,71501.0.html))
- Fixed a potential path disclosure vulnerability in core plugin configuration files
- Updated date/time formats in English (British) language file (thread (http://forum.coppermine-gallery.net/index.php/topic,72549.0.html))
- Updated header information to reflect new year
The Coppermine Team
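As an added illustration of the bug class described above (not Coppermine's own code), a PHP plugin configuration file of the kind mentioned in the changelog, guarded so that requesting it directly cannot trigger an error that embeds its absolute path, plus the error-handling settings that keep path details out of responses. The constant IN_GALLERY_CORE, the helper gallery_core_setting() and the plugin name are assumptions for this example.

```php
<?php
// Added example, not Coppermine's own code.
//
// A plugin configuration file is only meant to be included by the
// application core. Requested directly, PHP runs it outside that
// context: the first call to a function the core normally defines is
// a fatal error, and PHP's default error text includes the absolute
// path of this file. That is exactly what a path disclosure leaks.

// 1. Guard: the core defines IN_GALLERY_CORE (hypothetical name) before
//    including plugin files. A direct request never sees it and stops
//    here, before any error can occur. Reveal nothing about the host.
if (!defined('IN_GALLERY_CORE')) {
    http_response_code(403);
    exit('Direct access not permitted.');
}

// 2. Defence in depth: whatever still goes wrong under the core, error
//    details go to the server log and never into the HTTP response.
//    Fatal errors bypass set_error_handler(), so display_errors=0 is the
//    setting that actually hides the path for them. (These belong in
//    php.ini in production; set here so the example is self-contained.)
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// 3. Warnings and notices are catchable: log the real message with its
//    file and line, and answer with a generic text that contains no
//    filesystem detail.
set_error_handler(function ($severity, $message, $file, $line) {
    error_log(sprintf('[example_plugin] %s in %s:%d', $message, $file, $line));
    echo 'An internal error occurred.';
    return true; // handled: suppress PHP's own output, which includes the path
});

// 4. Plugin settings, resolved with a hypothetical core helper that is
//    only available once the guard above has passed.
$plugin_config = array(
    'name'        => 'example_plugin',
    'max_entries' => (int) gallery_core_setting('example_max_entries', 25),
);
```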
Nice work on the upgrade
Smooth upgrade to Coppermine 1.5.18 - just followed the documentation: no problems!
Many thanks from The Helmsley Archive (http://www.helmsleyarchive.org.uk/)
French announcement thread: http://forum.coppermine-gallery.net/index.php/topic,74231.0.html
Nice work on the upgrade, I am looking forward to trying it out.
Thanks, updating now. Are there any language changes?
Have a look at the changelog.
Locking.