There is a remote SQL injection exploit out for versions <= 1.4.10 and as of 1/6/07 I don't believe there is a vendor fix. Reproducible: Didn't try http://acid-root.new.fr/poc/19070104.txt
Created attachment 105627 [details, diff] tentative fix (unchecked). Last time, around two years ago, I checked coppermine, it was in strong need of a security review. The attached patch should fix this particular vulnerability, but every query in the package should be checked. The patch applies to version 1.4.10, so it needs a version bump too.
web-apps, please advise.
Web-apps any news on this one?
*** Bug 173966 has been marked as a duplicate of this bug. ***
any news here?
Security, please feel free to mask.
What about contacting upstream?
Seems that upstream released 1.4.11: http://secunia.com/advisories/25846/
heya web-apps, please bump to 1.4.11
Web-apps, do you want to bump or dump (mask) the package?
web-apps, any news here?
Bumped to 1.4.12. Sorry for the delay. I'll mark it as fixed.