HOTFIX for Apache's RAR/PHP Vulnerability - IMPORTANT!
Started by Paver, June 11, 2006, 07:00:56 AM

Paver

There is a very serious vulnerability in the Apache webserver that is actually a "feature" which can be helpful for some people, but can also expose many people to a security breach, the current one being the "Apache RAR Exploit".  Your Coppermine gallery and any other PHP applications that allow uploads are open to abuse unless each application addresses this vulnerability/feature of Apache's processing of PHP files.

Read more about it here:
Coppermine-driven galleries hit by RAR exploit

Coppermine 1.4.6 was the first release to address this, and versions after this include the fix as well:
Maintenance release CPG1.4.6 protects against Apache's .rar vulnerability

You are strongly recommended to upgrade to the current version, as of this writing, 1.4.8.  We remind you that support for the 1.3.x series is running out.  Upgrading is clearly detailed in the documentation, along with upgrading any custom 1.3 themes.  Most of the popular 1.3 themes have been converted to the 1.4 theme system.  In addition, the new plugin system in 1.4 allows added features to the Coppermine core *without* hacking the scripts as was necessary in the 1.3.x series.  Many plugins are being written and are starting to replace popular hacks/mods.

Please consider performing an upgrade to your 1.3 gallery soon!

Unless you upgrade immediately, you are strongly recommended to apply the following hotfix to your 1.3 gallery to remove the exposure of your gallery to the currently popular "RAR Exploit", which allows someone to inject code into your site and do lots of nasty things.

Attached to this post is a ZIP file containing the hotfix.  Read the file "HOTFIX_readme.txt" and follow the instructions.  If you have questions or problems, reply to this post.
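As an added example (not code from the original post or from the Coppermine hotfix), here is the kind of upload filename check that closes the hole described in the first paragraph: Apache's mod_mime considers every extension in a filename, so a file named `image.php.rar` can still be handed to the PHP handler even though its last extension is `.rar`, and checking only the last extension is not enough. The extension lists, the function name and the sample filenames are assumptions for illustration.

```php
<?php
// Added example, not part of the original post or the Coppermine hotfix.
// Apache's mod_mime looks at every extension in a filename, so a file named
// "image.php.rar" can still be handed to the PHP handler. Checking only the
// last extension is therefore not enough: a script extension anywhere in the
// name must be rejected as well.

// Extensions a typical Apache setup maps to a script handler (assumed list;
// adjust it to the handlers actually configured on your server).
const SCRIPT_EXTENSIONS = ['php', 'php3', 'php4', 'php5', 'phtml', 'phps',
                           'pl', 'cgi', 'py', 'sh', 'shtml'];
// Extensions the gallery accepts; 'rar' is included to mirror the exploit.
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'gif', 'png', 'zip', 'rar'];

/**
 * True only if $name is safe to store under the web root:
 *  - no path separators or NUL bytes,
 *  - the last extension is on the allow list,
 *  - no dot-separated part after the base name is a script extension.
 */
function is_safe_upload_name(string $name): bool
{
    if ($name === '' || strpbrk($name, "/\\\0") !== false) {
        return false;
    }
    $parts = explode('.', strtolower($name));
    if (count($parts) < 2 || $parts[0] === '') {
        return false; // no extension, or a dotfile such as ".htaccess"
    }
    if (!in_array(end($parts), ALLOWED_EXTENSIONS, true)) {
        return false;
    }
    // Every part after the base name is an extension Apache will consider.
    foreach (array_slice($parts, 1) as $ext) {
        if (in_array($ext, SCRIPT_EXTENSIONS, true)) {
            return false;
        }
    }
    return true;
}

// Constructed sample names: only the first is accepted.
foreach (['photo.jpg', 'photo.php.rar', 'shell.php.jpg', '.htaccess', 'a/b.jpg'] as $f) {
    printf("%-14s %s\n", $f, is_safe_upload_name($f) ? 'accepted' : 'rejected');
}
```

Renaming accepted files to a server-generated name and disabling script execution in the upload directory (for example `php_flag engine off` in an `.htaccess` file where AllowOverride permits it) are independent second layers; neither replaces the filename check above.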