cpg1.4.18 Security release - upgrade absolutely mandatory! cpg1.4.18 Security release - upgrade absolutely mandatory!
 

News:

cpg1.5.48 Security release - upgrade mandatory!
The Coppermine development team is releasing a security update for Coppermine in order to counter a recently discovered vulnerability. It is important that all users who run version cpg1.5.46 or older update to this latest version as soon as possible.
[more]

Main Menu

cpg1.4.18 Security release - upgrade absolutely mandatory!

Started by Joachim Müller, April 14, 2008, 09:16:15 AM

Previous topic - Next topic

0 Members and 3 Guests are viewing this topic.

Joachim Müller

The development team is releasing a security update for Coppermine in order to counter a recently discovered sql injection vulnerability. It is important that all users who run version cpg1.4.17 or older update to this latest version as soon as possible.

This is the only issue addressed in this release.

How to update:
If you are currently running 1.4.17 then you may patch your gallery by replacing your copy of bridge/coppermine.inc.php with the fixed version available here. This is the only issue addressed in this release.
Users running versions prior to 1.4.17 should update immediately by downloading the latest version from the download page page and follow the upgrade steps in the documentation.

Support:
If you have problems with this update, please use the Update support board. Do not post your issues to this announcement thread - they will be deleted without notice.

Why was cpg1.4.18 released only few days after the release of cpg1.4.17?
The 1.4.17 patch indeed does not fix the problem - it fixes a different problem, one which this latest attack does not actually exploit. This new release will address the current issue.
That has been corrected in this version 1.4.18.
Version 1.4.18 contains sets of corrections already present in version 1.4.17.

Note: for galleries that have already been infected, it is not enough to upgrade - you'll have to sanitize your website as well. Upgrading will only close the vulnerability, but not the payload of the hack. Please review the thread that discusses the hack for suggestions how to sanitize - do not clutter the announcement thread for the release of cpg1.4.18 with questions/comments on the hack.

Big thanks go to Nibbler who came up with the fix for the vulnerability.

Thanks,
The Coppermine Team

maxslug

Please update or delete the 1.4.17 announcement thread to say that it superseded by this update.  otherwise you google the hack, find the 1.4.17 page, update and have the same problems.  thanks!
-m

Abbas Ali

cpg1.4.17 announcement thread updated. Thanks for notifying.
Chief Geek at Ranium Systems

ammo

Quote from: Joachim Müller on April 14, 2008, 09:16:15 AM
The development team is releasing a security update for Coppermine in order to counter a recently discovered sql injection vulnerability. It is important that all users who run version cpg1.4.17 or older update to this latest version as soon as possible.


Note: for galleries that have already been infected, it is not enough to upgrade - you'll have to sanitize your website as well. Upgrading will only close the vulnerability, but not the payload of the hack. Please review the thread that discusses the hack for suggestions how to sanitize - do not clutter the announcement thread for the release of cpg1.4.18 with questions/comments on the hack.

Big thanks go to Nibbler who came up with the fix for the vulnerability.

Thanks,
The Coppermine Team

Where can I find the thread on the hack suggestions?


Medievaldragon

#5
Alright, I'm a first timer upgrading.  I will follow the instructions. thanks.

Pascal YAP

Quotehow do I upgrade?
Just before your POST, some links for a start ???
And if you had downloaded the Coppermine's package, there's a DOC inside !

PYAP


Medievaldragon


Hein Traag

Since this is an announcement thread it is now closed. Any questions concerning 1.4.18 ? Open your very own thread and ask away  ;D

Joachim Müller

Quote from: Joachim Müller on April 14, 2008, 09:16:15 AMIf you have problems with this update, please use the Update support board. Do not post your issues to this announcement thread - they will be deleted without notice.
Cluttering this thread although the announcement clearly says you mustn't is silly and selfish.