Zenphoto

Our forum is sadly currently down because something went wrong with updating the forum software. We hope to get it solved as soon as possible. We'll let you know on this article.

Update 2021-09-05:
Our forum is back again. Actually the update was a success just some CSS issue occurred that set the whole forum invisible. That weird issue is even known and has no actual fix except "hacking" some core CSS files of the forum software: https://open.vanillaforums.com/discussion/38788/vanilla-2021-012-is-now-available/p2

This is a bugfix and minor security release.

Requirements

• Setup will now display a warning note if you are not on an SSL (https) connection [acrylian|
• Setup checks for some more native PHP extensions may be good to have since some may be required in the future [acrylian]
• Setup now only lists issues and not passed checks. Everything is logged in the setup log now [acrylian]
• Setup will now show some notices (e.g. existing robots.txt and others) instantly instead of hiding them first [acrylian]

Zenphoto 1.5.8 is sadly not yet PHP 8 compatible. This will follow soon.

Security

• Updates PHPMailer library to fix several security issues [fretzl]
• Fixes non properly sanitzied paths allowing possible access to directories above the installation itself which the user may not (...)

Read more

We just learned that an old "security issue" that was already reported to us last year was recently published:
https://packetstormsecurity.com/files/161569/Zenphoto-CMS-1.5.7-Shell-Upload.html 

We are not sure if this is the same reporter as we had contact with a security company and different person.  (Please see addition below). We didn't "fix" the issue but tightend it to only allow this for users with full admin rights. Users with these rights have lots of other possibilties to harm a site even without exploiting this vulnerability. We repeat our statement from the 1.5.7 release post again:

Uploading abritary like PHP files, any application/* mime type files and HTML files that may be directly executed is now forbidden for users with only theme rights or files rights. You need full admin rights for this now. This was (...)

Read more

In case you notice that translations are not working on your site: This is out of our hands. The reason is a bug in Apache's mod_perl module on some server configurations which conflicts with the native PHP gettext functionality we use for translations. For example our local development environment MAMP 6.3  is affected by this as well. We have no idea when this will be fixed or how similar software (XAMPP, WampServer, etc) or your host's server may be affected.

Translations work if the mod_perl module is disabled and Zenphoto does not require Perl. Should you notice this and have control over your server disable it or contact your host about it.

More info about this issue: https://www.claudiokuenzler.com/blog/1023/php-gettext (...)

Read more

A script to extract images from emails and add them to a ZenphotoCMS album by simply emailing them to a dedicated mailbox.

This is not a plugin and is needs to be used outside of ZenphotoCMS itself.

Antonio Ranesi has released version 2.1 of his theme Multiverse, now with OpenStreetMap plugin support and a standard image.php theme page. You can read all about it on the project page on https://www.antonioranesi.it/pages/multiverse-zenphoto-theme/.

The theme has also been added to our demo install.

A plugin to rearrange Zenphoto resources. Tidy Assets shifts all Zenphoto JavaScript items to the bottom of the body element, including inline scripts and optionally CSS resources as well. This can improve the user experience on their first visit to your site by delaying render-blocking resources.

This plugin has been developed starting from headConsolidator v1.4.3 by Stephen Billard (sbillard).

This is a bugfix and security release.

Developer note

This will be possibly the last 1.5.x release. We will only try to fix serious bugs. The 1.5.x release stream is therefore frozen now. The next release will hopefully be the planned "major release" we already mentioned several times. Due to serious time issues we can't afford to work on two release streams simultaneously anymore. That's why, from now on, we will concentrate our efforts on the next major release only. Note that almost everything we wrote on https://www.zenphoto.org/news/developer-note-the-mysterious-next-major-release/ still applies. Thanks for understanding.

Security

• Fixes XSS issue in /page/search/ parameters [acrylian – Thanks to gwen001]
• Fixes (...)

Read more

15 years ago the first version of Zenphoto was released. On to the next 15!