Is Coppermine protected from the SQL injection exploit?
Upgrade Coppermine to v1.4.18
Addendum - Our one-click installer is now version 1.4.26, so fresh installs will supersede this particular upgrade.
Coppermine versions 1.4.17 and earlier are vulnerable to a serious SQL injection exploit. Coppermine advises an immediate upgrade to version 1.4.18 (14/04/2008).
This article is for customers who have installed Coppermine from our one-click installation (they will have version 1.4.13 or later). It can also be used by customers who have installed Coppermine version 1.4.0 or later independently. Those customers who have installed earlier versions of Coppermine should go to
http://coppermine-gallery.net/demo/cpg14x/docs/index.htm#upgrade
and follow the instructions in Stage 3. Upgrading.
Step 1. - Make a backup (dump) of your database.
To do this go to your Online Control Panel, select Databases; select your coppermine database (it may have a name like webnn-a-cpg14*); and select 'Backup'. The backup will be downloaded to your local computer. Save it as a file. Note its name and location, as you will need them later.
Step 2. - Name of your original installation directory
These instructions assume your original installation is in http://www.yourdomain.co.uk/coppermine. If it is something different, adjust the following instructions accordingly.
Step 3. - Move your pictures to a safe place where they will not be overwritten or deleted.
Do this step exactly once. If you restart the upgrade after you have done this step, do step 3a (at the bottom of this article) instead; repeating it would rename away the coppermine.old directory that holds your only copy of the pictures.
Ftp to your website:-
ftp> cd public_html
ftp> rename coppermine coppermine.old
ftp> bye
Step 4. - Do the one-click install of a new coppermine application
Select Coppermine from your Online Control Panel and choose the same installation directory as before, eg coppermine. This will install version 1.4.18 to that directory. The installer requires that directory to be empty or non-existent, which is why step 3 renamed the old one.
Step 5. - Ssh to your website
ssh -l yourdomain.co.uk yourdomain.co.uk@yourdomain.co.uk
(use the same password as for ftp above)
cd public_html/coppermine.old/albums
find . | cpio -pmud ../../coppermine/albums
cd ..
cp anycontent.php ../coppermine/anycontent.php
Step 6. - Restore the old database to the new database.
In your Online Control Panel find the new database and click manage.
In the left navigation column select the new database (not information_schema)
On the top navigation bar select 'Import'
Browse for the file to import. You are browsing on your local computer, not the server. The file is where it was backed up to (step 1) and will have the name of the old database.
Step 7. - If you have made a custom theme, apply the changes that were introduced in the themes structure to your custom-made theme - refer to the theme-upgrade guide. Your old theme will be under the coppermine.old tree.
If you mess up, it's OK to start over, but you must skip step 3 after the first try. Your original database is unchanged and all the pictures are safe in public_html/coppermine.old/albums.
You will need to remove the directory public_html/coppermine, because the one-click install requires an empty or non-existing target directory, so instead of step 3 do this:-
Step 3a. - Prepare for one-click installation
DO NOT DO THIS UNTIL YOUR coppermine/albums DIRECTORY HAS BEEN MADE SAFE (the original step 3). This step will delete the directory coppermine (and its contents) if it exists.
Ssh to your website
ssh -l yourdomain.co.uk yourdomain.co.uk@yourdomain.co.uk
(use the same password as for ftp)
rm -fr public_html/coppermine
If you do not do this you will not be able to do the one-click install to the directory coppermine.
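The three shell-side steps above (step 3 move the old install aside, step 3a clear the target for a retry, step 5 copy the albums and anycontent.php into the new install) as guarded functions. This is an added example, not part of the original article or of Coppermine itself: it assumes the article's layout of $HOME/public_html/coppermine on the server, and it adds the checks a careful operator wants, namely that step 3 is never repeated once coppermine.old exists, and that step 3a refuses to delete anything until coppermine.old/albums is in place. Where cpio is available it uses the article's pass-through copy; otherwise it falls back to an equivalent cp -Rp.

```shell
#!/bin/sh
# Added example (not from the original article or the Coppermine project).
# BASE is the directory that contains public_html, e.g. "$HOME" on the server;
# the layout $BASE/public_html/coppermine is assumed, as in the article.

# Step 3: move the old install aside. Runs once only: if coppermine.old already
# exists we leave it alone, because it holds the only copy of the albums.
preserve_old_install() {
    base="$1/public_html"
    if [ -d "$base/coppermine.old" ]; then
        echo "coppermine.old already exists; step 3 is done, use step 3a instead" >&2
        return 0
    fi
    [ -d "$base/coppermine" ] || { echo "no $base/coppermine to preserve" >&2; return 1; }
    mv "$base/coppermine" "$base/coppermine.old"
}

# Step 3a: clear the target for the one-click installer, but only after the
# albums have been made safe by step 3. Returns 1 without deleting otherwise.
prepare_for_reinstall() {
    base="$1/public_html"
    if [ ! -d "$base/coppermine.old/albums" ]; then
        echo "refusing: $base/coppermine.old/albums not found; do step 3 first" >&2
        return 1
    fi
    rm -rf "$base/coppermine"
}

# Step 5: copy the albums tree and anycontent.php from the old install into the
# freshly installed one. The article's "find . | cpio -pmud" is used when cpio
# is present; cp -Rp is the equivalent fallback.
restore_content() {
    base="$1/public_html"
    src="$base/coppermine.old/albums"
    dst="$base/coppermine/albums"
    [ -d "$src" ] || { echo "no $src to restore from" >&2; return 1; }
    [ -d "$base/coppermine" ] || { echo "new install not found in $base/coppermine" >&2; return 1; }
    mkdir -p "$dst"
    dst=$(cd "$dst" && pwd)
    if command -v cpio >/dev/null 2>&1; then
        (cd "$src" && find . | cpio -pmud "$dst" 2>/dev/null)
    else
        cp -Rp "$src"/. "$dst"/
    fi
    if [ -f "$base/coppermine.old/anycontent.php" ]; then
        cp "$base/coppermine.old/anycontent.php" "$base/coppermine/anycontent.php"
    fi
}

# Order of use in the ssh session from the article:
#   preserve_old_install "$HOME"    # step 3, first attempt only
#   prepare_for_reinstall "$HOME"   # step 3a, only when retrying
#   (run the one-click install from the control panel)
#   restore_content "$HOME"         # step 5
```

Because prepare_for_reinstall checks for coppermine.old/albums before running rm -rf, a retry that was started before step 3 fails safely instead of deleting the only copy of the pictures.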
If your system has already been compromised, the upgrade to v1.4.18 does not remove the infection: it only blocks future attempts at this exploit. Note also that step 5 carries anycontent.php and the whole albums tree over from the old installation, so inspect those for anything you did not put there before relying on the new install. See http://forum.coppermine-gallery.net/ for various sanitizing methods.