cpg1.4.17 Security release - upgrade absolutely mandatory! cpg1.4.17 Security release - upgrade absolutely mandatory!
 

News:

cpg1.5.48 Security release - upgrade mandatory!
The Coppermine development team is releasing a security update for Coppermine in order to counter a recently discovered vulnerability. It is important that all users who run version cpg1.5.46 or older update to this latest version as soon as possible.
[more]

Main Menu

cpg1.4.17 Security release - upgrade absolutely mandatory!

Started by SaWey, April 11, 2008, 12:17:55 AM

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

SaWey

The development team is releasing a security update for Coppermine in order to counter a recently discovered sql injection vulnerability. It is important that all users who run version cpg1.4.16 or older update to this latest version as soon as possible.

To correct the security issue manually, you can apply the fix mentioned below. Please note that applying the manual fix will keep you secure, but it is not a substitute for updating your gallery fully, as there are several other non-security related fixes that went into cpg1.4.17 as well.

Manual fix (not recommended):
To manually fix the vulnerability, edit upload.php, find

                } else {
                    // We will try to get the extension from the database.
                    $MIME_result = cpg_db_query("SELECT extension FROM {$CONFIG['TABLE_FILETYPES']} WHERE mime='$URI_MIME_type'");

                    // Check to see if any results were returned.
                    if (!mysql_num_rows($MIME_result)) {

                        // No results, so free up the resources.
                        mysql_free_result($MIME_result);

                        // We cannot determine an extension from the MIME type provided, so note an error. Reject the file as unsafe.
                        $URI_failure_array[] = array( 'failure_ordinal'=>$failure_ordinal, 'URI_name'=> $_POST['URI_array'][$counter], 'error_code'=>$lang_upload_php['MIME_type_unknown']);

                        // There is no need for further tests or action, so skip the remainder of the iteration.
                        continue;

                    } else {

                        // The was a result. Fetch it.
                        $extension_data = mysql_fetch_array($MIME_result);

                        // Release the resources.
                        mysql_free_result($MIME_result);

                        // Store the extension in $extension.
                        $extension = $extension_data['extension'];
                    }

                }


and replace with

                } else {
               
                $extension = '';
               
                foreach ($FILE_TYPES as $ext => $typedata){
               
                if ($typedata['mime'] == $URI_MIME_type){
                // Store the extension in $extension.
                $extension = $ext;
                break;
                }
               
                }
               
                if (!$extension){
               
                // We cannot determine an extension from the MIME type provided, so note an error. Reject the file as unsafe.
                $URI_failure_array[] = array( 'failure_ordinal'=>$failure_ordinal, 'URI_name'=> $_POST['URI_array'][$counter], 'error_code'=>$lang_upload_php['MIME_type_unknown']);
 
                // There is no need for further tests or action, so skip the remainder of the iteration.
                continue;
             
                }

                }



The following issues have been addressed in this release (changelog excerpt):

  • 2008-04-10 Release of cpg1.4.17 {GauGau}
  • 2008-04-10 Corrected an SQL injection vulnerability in URI upload code {Nibbler}
  • 2008-03-19 Added Welsh language file (user contribution) {Nibbler}
  • 2008-03-02 Updated version count from cpg1.4.16 to cpg1.4.17 in subversion repository as a preparation for a possible future release {GauGau}
  • 2008-02-29 Changed date formats in lang files for better windows compatibility {Nibbler}
  • 2008-02-12 Updated Romanian language file (user contribution) {GauGau}
  • 2008-02-07 Added Latvian language file (user contribution) {GauGau}
  • 2008-02-04 ImageMagick rotate bug fix {Nibbler}

How to update:
To update any version of Coppermine to version 1.4.17, download the latest version from the download page and follow the upgrade steps in the documentation.

If you have problems with this update, please use the Update support board. Do not post your issues to this announcement thread - they will be deleted without notice.

[UPDATE]

cpg1.4.17 is now outdated. Please upgrade to cpg1.4.18

[/UPDATE]

Thanks,
The Coppermine Team

Joachim Müller

There already is an exploit in the wild that is using the vulnerabilites fixed in this release. It is absolutely mandatory that every coppermine user who is running an unpatched version (cpg1.4.16 or older) upgrades immediately. Don't postpone the upgrade - perform it now!

Do not reply to this announcement thread asking questions how to sanitize your gallery if you have already been infected.

There is a lengthy thread "Someone has Redirected my Site to cdpuvbhfzz.com-What do I do?" that shows that there are already a lot of infected galleries. I will try to come up with instructions there one how to clean an infected site, but don't expect this to be easy. You better upgrade now instead of being hacked.

Joachim Müller
- coppermine project manager -


François Keller

Avez vous lu la DOC ? la FAQ ? et cherché sur le forum avant de poster ?
Did you read the DOC ? the FAQ ? and search the board before posting ?
Mon Blog