Re: cpg1.5.16 Security release - upgrade mandatory!

[406man]

The 1.5.16 upgrade is described as mandatory with the reason for its release "The release covers a recently discovered bug in the registration process that allows (if unpatched) a user to circumvent the admin activation if both email verification and admin activation are enabled in the config".

My gallery is running 1.5.12 and has both email verification and admin activation so I am vulnerable to an attack in this area. I have to decide what to do and as the amount of work in upgrading is quite large due to customisations I instead want to look at all the options which seem to me to be:
a) do nothing and take the risk
b) upgrade to 1.5.16
c) switch off email verification
Could someone help answer some questions relating to these options (apologies if this note is in the wrong part of the forum)
- What's the worst that an attacker can do if they exercise the security bug which is fixed by 1.5.16 ?
- Can I prevent the security bug being exercised if I simply switch off the activation email and do all the user activations manually ?

[Αndré]

Splitted from http://forum.coppermine-gallery.net/index.php/topic,73460.0.html

What's the worst that an attacker can do if they exercise the security bug which is fixed by 1.5.16 ?

Users can activate themselves (see here).

Can I prevent the security bug being exercised if I simply switch off the activation email and do all the user activations manually ?

As the user won't get an verification email, he won't get the activation link with the random hash. It's still possible to guess that value if the user has a lot of time.

[406man]

Thanks for the quick reply, Andre. There's another option which I didn't list above which is to apply the hotfix by modifying register.php using the code changes you kindly supplied in the link. I'll try that option on my test forum.