If you are running DragonflyCMS 9.0.6.1 there is no such security hole.
Your host is probably referring to the standalone version which bears no relation to this CMS, and which quite likely does have a security issue.
Since you don't provide your version in your server spec, nor a Dragonfly site in your www link, I can only presume you're not running the Dragonfly version.
Sorry, no support available here.
Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Thanks. I am using 9.0.6.1 (will update my details)
The automated response from my hosting co was
"A recent server security scan revealed that your site has a vulnerable Coppermine Photo Gallery file at /public_html/modules/coppermine/usermgr.php . According to this automated scan, this file is revision/version 9.7 which is known to have security vulnerabilities.
To help ensure the security of the server we are asking you to update your Coppermine install to the latest version. The latest known version of Coppermine is version 1.4.8 .
** To protect against this file being abused, the file at /public_html/modules/coppermine/usermgr.php has been disabled. **"
If the usermgr.php file is disabled does that affect my usage?
Thanks...
Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Unix / Apache 1.3.34 / MySQL 4.0.25 / PHP 4.4.2 / Dragonfly 9.0.6.1
DragonflyCMS Coppermine is not in any way related to the standalone version 1.4.8. Our independently developed version remains at 1.3.1 with superior security provided by its integration into the DragonflyCMS security system.
The latest version of our usermgr.php is 9.13 - the version 9.7 in DF 9.0.6.1 does not have the vulnerabilities of STANDALONE version 9.7 - since 9.13 is a CVS version, I would be wary of changing it.
Version 9.8 update was "Removed the THEME_USES_TPL feature to completely remove the old php-nuke theme system for a full template based future". If it's going to make your host happy, try updating to 9.8 - it shouldn't have any ill effects.
The only security fixes you need to update are outlined in the sticky topics of our Security forum - you should update db_input.php (as well as the 3 other files listed there).
Though done in your best interests, your host is mistakenly targeting a version of Coppermine that has been different for almost 3 years - a quick file compare will reveal they are like chalk and cheese.
Oops, sorry. Didn't realise I'd been relegated to the 'sin bin' and didn't realise that not having a link to my site was against the rules?
Still, I guess you are making sure that my queries are legitimate... I've been tinkering with this CMS since April (don't have much time, as I have a newborn baby!)
It's still very much in the early 'construction stages', and I've only enabled limited functionality while I get to grips with the CMS and what is needed from this site.
Fyi, the site is just for my Snowboard mates to post pics, share info and generally exchange banter on the forums, rather than using work email ! :O)
Edit your version with a utf-8 compliant editor and just overwrite the file's contents with the content from version 9.8, then upload to your server, or click the download link for 9.8 on this page, dragonflycms.org/cvs/h...sermgr.php
Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
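The file compare suggested earlier in the thread, sketched as an added example that is not part of any post here and is not DragonflyCMS or Coppermine code: it shows why a check keyed on the CVS revision string alone cannot tell two unrelated files apart. Both samples are constructed stand-ins (their function names are hypothetical); to use it, read your own usermgr.php and a copy of the standalone file from disk instead.

```python
import difflib
import hashlib
import re

# CVS expands the $Revision$ keyword inside the file itself.
REVISION_RE = re.compile(r"\$Revision:\s*([\d.]+)\s*\$")

# Constructed stand-ins, NOT the real contents of either usermgr.php.
STANDALONE_SAMPLE = """<?php
// $Revision: 9.7 $
require 'include/init.inc.php';
$users = standalone_list_users();
standalone_render($users);
?>"""

CMS_SAMPLE = """<?php
// $Revision: 9.7 $
if (!defined('CMS_LOADED')) { exit; }
$users = cms_db_fetch_users();
cms_template_assign('users', $users);
cms_template_display('usermgr');"""


def cvs_revision(source):
    """Return the expanded CVS revision number, or None if the tag is absent."""
    m = REVISION_RE.search(source)
    return m.group(1) if m else None


def sha256(source):
    return hashlib.sha256(source.encode("utf-8")).hexdigest()


def compare(local, reference):
    """Compare a local file with a reference copy of the file a scanner flagged."""
    rev = cvs_revision(local)
    same_rev = rev is not None and rev == cvs_revision(reference)
    # Line-based similarity: 1.0 means identical, values near 0 mean unrelated code.
    ratio = difflib.SequenceMatcher(
        None, local.splitlines(), reference.splitlines()).ratio()
    if sha256(local) == sha256(reference):
        verdict = "identical"
    elif same_rev:
        verdict = "same revision tag, different code"
    else:
        verdict = "different revision"
    return {"revision_match": same_rev, "similarity": round(ratio, 2),
            "verdict": verdict}


if __name__ == "__main__":
    print(compare(CMS_SAMPLE, STANDALONE_SAMPLE))
```
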