Is Coppermine protected from the sql exploit?

  • Coppermine version 1.4.17 and earlier are vulnerable to a serious sql insertion exploit. Coppermine advise immediate upgrade to version 1.4.18. (14/04/2008).

  • This article is for customers who have installed Coppermine from our one-click installation (they will have version 1.4.13 or later). It can also be used by customers who have installed Coppermine version 1.4.0 or later independently. Those customers who have installed earlier versions of Coppermine should go to

    http://coppermine-gallery.net/demo/cpg14x/docs/index.htm#upgrade

    and follow the instructions in Stage 3. Upgrading.


Step 1. - Make a backup (dump) of your database.

    To do this go to your eXtend control panel, select Databases; select your coppermine database (it may have a name like webnn-a-cpg14*); and select 'Backup' now. The backup will be downloaded to your local computer. Save it as a file. Note its name and location as you will need them later.

    Step 2. - Name of your original installation directory

    These instructions assume your original installation is in http://www.yourdomain.co.uk/coppermine. If it something different, adjust the next instructions appropriately.

    Step 3. - Move your pictures to a safe place where they will not be overwritten or deleted.

    You must do this step once, but not more. If you restart the upgrade after you have done this step once, do step 3a (at bottom of this article) instead.

    Ftp to your website:-

    ftp> cd public_html

    ftp> rename coppermine coppermine.old

    ftp> bye

    Step 4. - Do the one-click install of a new coppermine application

    Select Coppermine from your eXtend control panel and choose the same installation directory as before, eg coppermine. This will install version 1.4.18 to that directory.

    Step 5. - Ssh to your website

    ssh -l yourdomain.co.uk [email protected]

    (use the same password as ftp above)

    cd public_html/coppermine.old/albums

    find . | cpio -pmud ../../coppermine/albums

    cd ..

    cp anycontent.php ../coppermine/anycontent.php

    Step 6. - Restore the old database to the new database.

    In your eXtend control panel find the new database and click manage.

    In the left navigation column select the new database (not information_schema)

    On the top navigation bar select 'Import'

    Browse for the file to import. You are browsing on your local computer not the server. The file is where it was backed up to (step 1.) and will have the name of the old database.

    Step 7. - If you have made a custom theme, apply the changes that were introduced in the themes structure to your custom-made theme - refer to the theme-upgrade guide. Your old theme will be under the coppermine.old tree.


If you mess up, it's OK to start over but you should skip step3 after the first try. Your original database is unchanged and all the pictures are safe in public_html/coppermine.old/albums.

You will need to remove the directory public_html/coppermine because the one-click install requires an empty or non-existing target directory, so instead of step 3 do this:-

Step 3a. - Prepare for one-click installation

DO NOT DO THIS UNTIL YOUR coppermine/albums DIRECTORY HAS BEEN MADE SAFE (the original step 3). This step will delete the directory coppermine (and its contents) if it exists.

Ssh to your website

    ssh -l yourdomain.co.uk [email protected]

    (use the same password as ftp)

rm -fr public_html/coppermine

If you do not this you will not be able to do the one-click install to the directory coppermine.


If your system has been infected the upgrade to v1.4.18 does not remove the infection: it blocks future attempts of this exploit. See http://forum.coppermine-gallery.net/ for various sanitizing methods.

  • 0 Users Found This Useful
Was this answer helpful?

Related Articles

Which modules are installed on the web servers?

All standard Apache modules are installed on the web servers, including mod_rewrite. In...

Can I point multiple domain names to my account?

There are two approaches to this: 1. A simple way to get your account to support more than one...

Do you have any FAQs on PHP, cgi, mySQL and scripts?

Can I place a PHP script in any directory I choose? Yes, PHP scripts do not have to reside in a...

FTP file size limit

The maximum file upload size is 150MB. If a file is greater than 150MB is attempted to be...

Hosting terms and conditions

Please refer to http://www.myqiq.info/tandc/