From <http://forum.coppermine-gallery.net/index.php/topic,51787.0.html>: "The development team is releasing a security update for Coppermine in order to counter a recently discovered sql injection vulnerability. It is important that all users who run version cpg1.4.16 or older update to this latest version as soon as possible."
Reproducible: Always
Patch: http://coppermine.svn.sourceforge.net/viewvc/coppermine?view=rev&revision=4372
While we're at it, there's a new SQL injection fixed here: http://coppermine.svn.sourceforge.net/viewvc/coppermine?view=rev&revision=4381
Let's wait for 1.4.18 then,
... it's out. Please bump.
CVE-2008-1841
Summary: SQL injection vulnerability in the session handling functionality in bridge/coppermine.inc.php in Coppermine Photo Gallery (CPG) 1.4.17 and earlier allows remote attackers to execute arbitrary SQL commands via an input field associated with the session_id variable, as exploited in the wild in April 2008. NOTE: the fix for CVE-2008-1840 was intended to address this vulnerability, but is actually inapplicable.
Published: 4/16/2008
CVSS Severity: 6.8 (Medium)
CVE-2008-1840
Summary: SQL injection vulnerability in upload.php in Coppermine Photo Gallery (CPG) 1.4.16 and earlier allows remote authenticated users or user-assisted remote HTTP servers to execute arbitrary SQL commands via the Content-Type HTTP response header provided by the HTTP server that is used for an upload.
Published: 4/16/2008
CVSS Severity: 6.5 (Medium)
CVE-2008-1882 for the bridge/coppermine.inc.php "session handling code" SQL injection: http://coppermine.svn.sourceforge.net/viewvc/coppermine?view=rev&revision=4381
in cvs, no stable version yet
Thanks, closing then.