zenphoto forums » Bug Discussion

1.0.7 Released with important security fix. UPGRADE now!

(16 posts)
  1. Zenphoto development team
    trisweb

    Project Manager
    Joined: Sep '05
    Posts: 1,843

    Hi everyone,

    nicosomb discovered quite a bad security bug today, and I'm releasing a fix tonight (1.0.7) that will take care of it completely. Until then, if you have a 1.0.4, 1.0.5, or 1.0.6 installation, you should patch it yourself if you can.

    The fix: (EVERYONE SHOULD DO THIS if you're running 1.0.4-1.0.6)

    Edit: Upgrade to 1.0.7!

    That should do it! The security problem is that it allowed directory listings using the '..' (up directory) directory which was not filtered out. NO FILES COULD BE ACCESSED by this method, only directory listings, and only for directories accessible by the web server. This flaw is not susceptible to exploitation of a web server or your zenphoto installation; it only shows relative folder names in the structure of your site.

    Very sorry, this was entirely my fault... fortunately it seems no real harm may be done.

    Note also this only affects versions greater than 1.0.4, where the sub-albums backend code is present. It is fixed after and including 1.0.7. Please upgrade today!

    Posted 7 years ago #
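The bug described in the post is a classic one: an album name containing a `..` segment is joined onto the albums directory without being filtered, so the code ends up listing a directory outside the album tree. The following is an added example written for this page, not Zenphoto's own code; the vulnerable and hardened functions, the temporary directory tree, and the `list_album_*` names are all assumptions made here to demonstrate the pattern. It assumes a POSIX-style filesystem (`/` separators) and PHP's standard `realpath()`, `scandir()` and `sys_get_temp_dir()`.

```php
<?php
// Added example, not Zenphoto code. Shows an album path containing '..' being
// joined onto the albums root without filtering (the class of bug the post
// describes), beside a hardened version that rejects traversal segments and
// verifies that the canonicalised path is still inside the root.
// Assumptions (not from the page): the albums root is a constructed temp tree,
// the request parameter is simulated by a plain string, and '/' is the separator.

// Constructed sample tree: one real album and one sibling directory that the
// web server can read but that is outside the albums root.
$base = sys_get_temp_dir() . '/zp_example_' . getmypid();
mkdir("$base/albums/holiday", 0700, true);
mkdir("$base/private", 0700, true);
touch("$base/albums/holiday/img1.jpg");
touch("$base/private/secret.txt");
$albumRoot = realpath("$base/albums");

// Vulnerable pattern: trusts the album name and joins it straight onto the root.
function list_album_unfiltered(string $root, string $album): array {
    $dir = $root . '/' . $album;
    if (!is_dir($dir)) {
        return [];
    }
    return array_values(array_diff(scandir($dir), ['.', '..']));
}

// Hardened pattern: reject '.', '..' and empty segments outright, resolve the
// path with realpath(), and require that the result is the root itself or sits
// below it. realpath() returns false for a path that does not exist, which is
// treated as "no such album" rather than as an error.
function list_album_safe(string $root, string $album): array {
    $root  = rtrim($root, '/');
    $album = trim(str_replace('\\', '/', $album), '/');
    foreach (explode('/', $album) as $segment) {
        if ($segment === '..' || $segment === '.' || $segment === '') {
            return [];
        }
    }
    $dir = realpath($root . '/' . $album);
    if ($dir === false || !is_dir($dir)) {
        return [];
    }
    // Compare with a trailing separator so that a root of "/albums" does not
    // accept "/albums2" as being inside it.
    if ($dir !== $root && strpos($dir, $root . '/') !== 0) {
        return [];
    }
    return array_values(array_diff(scandir($dir), ['.', '..']));
}

print_r(list_album_unfiltered($albumRoot, '../private'));
print_r(list_album_safe($albumRoot, '../private'));
print_r(list_album_safe($albumRoot, 'holiday'));

// Remove the constructed tree again.
unlink("$base/albums/holiday/img1.jpg");
unlink("$base/private/secret.txt");
rmdir("$base/albums/holiday");
rmdir("$base/albums");
rmdir("$base/private");
rmdir($base);
```

Run with `php example.php`. The unfiltered call lists the contents of the sibling `private` directory even though it is outside the albums root, which is exactly the directory-listing disclosure the post describes; the hardened call returns an empty list for the same input and still lists the real `holiday` album. The segment check and the `realpath()` prefix check are deliberately both present: the first gives a clear early reject, the second also catches traversal through symlinks that a string filter alone would miss.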
  2. nicosomb

    Apprentice
    Joined: Jan '07
    Posts: 4

    great! nice job ;) !!

    Posted 7 years ago #
  3. DarrellD

    Contributor
    Joined: Jan '06
    Posts: 300

    Thanks nicosomb.

    Posted 7 years ago #
  4. thinkdreams

    Contributor
    Joined: Jun '06
    Posts: 653

    As a little side note, if you do perform this patch, it's probably a good idea to slightly modify your functions.php file at line 12 or so to read:

    // Set the version number.
    $_zp_conf_vars['version'] = '1.0.6+patch';

    That way you can keep track of your patched installations (if you have multiple ones) and keep your versioning straight.

    This is of course optional, but makes it easier to recognize the patched versions at a glance.

    Posted 7 years ago #
  5. jgodfrey

    Member
    Joined: Jan '07
    Posts: 20

    Was 1.0.7 ever officially released? It seems that the main page still mentions (and accesses) the 1.0.6 download archive.

    I've added the mentioned security patch to my 1.0.6 installation, but would prefer to move to 1.0.7 if I could find the download archive.

    Thanks for any assistance.

    Jeff

    Posted 7 years ago #
  6. jayray999

    Contributor
    Joined: Aug '06
    Posts: 165

    It's up. In case you don't see it, try refreshing the browser cache.

    Posted 7 years ago #
  7. Daxeno

    Senior
    Joined: Jun '06
    Posts: 99

    Thanks For This Patch! :D

    Posted 7 years ago #
  8. jgodfrey

    Member
    Joined: Jan '07
    Posts: 20

    Silly me - it was a browser cache issue. A simple refresh fixed things up. Thanks JayRay...

    Jeff

    Posted 7 years ago #
  9. pablop

    Member
    Joined: Feb '07
    Posts: 11

    What is the recommended upgrade procedure? I don't want to overwrite any configurations I've already made. Should I just punch in the fix as detailed in the "discovered quite a bad security bug today" thread above, or should I install from the 1.0.7 zip file I've downloaded?

    Thanks

    Posted 7 years ago #
  10. pablop

    Member
    Joined: Feb '07
    Posts: 11

    Never mind, I see the Quick Upgrade Instructions below the link. Oops!

    Posted 7 years ago #
  11. renede

    Apprentice
    Joined: Feb '07
    Posts: 2

    Guys, please update your zip file on the homepage... There is something wrong with it! I really want to try it but can't because the files won't unzip.

    Send me an email when you are done? Thanks!!

    Posted 7 years ago #
  12. Chilifrei64

    Contributor
    Joined: Dec '05
    Posts: 541

    Try updating to a new version of WinZip or WinRAR... I am having no problems with it on my side (just tested XP's zip extractor, the latest WinZip and the latest WinRAR (and my older version of WinRAR)). Please update your software, try re-downloading zenphoto, and let us know if that works.

    Posted 7 years ago #
  13. renede

    Apprentice
    Joined: Feb '07
    Posts: 2

    Well, I tried it a tenth time... XP's extractor (updated XP) and the latest WinZip both think it's not a valid archive. No files to unzip...

    Can you email me the file?
    foto [at] renedenengelsman [dot] nl

    This is the WinZip message: http://www.renedenengelsman.nl/tiseenplaatje/winzip.jpg

    Thanks!!

    Posted 7 years ago #
  14. Chilifrei64

    Contributor
    Joined: Dec '05
    Posts: 541

    emailed...

    Posted 7 years ago #
  15. thinkdreams

    Contributor
    Joined: Jun '06
    Posts: 653

    I downloaded it twice today with absolutely no errors. As an alternative, I have a cache of files on my site at http://www.thinkdreams.com/files which you can grab the latest zenphoto from (in case anyone else has download and extraction issues.)

    Posted 7 years ago #
  16. Zenphoto development team
    trisweb

    Project Manager
    Joined: Sep '05
    Posts: 1,843

    It's weird that people are having archive problems... it seems like my server might be to blame. I'll try to mirror it somewhere else as well.

    Posted 7 years ago #
