ZenphotoThe simpler media website CMS
Advertisements
Your support helps pay for this server, and helps development of zenphoto. Thank you!
Visit the donations page
We are pleased to announce that we have upgraded the Zenphoto site to the Beta of the 1.4.2 release. We believe the release is now stable (or we would not run our site on it.) I would expect shortly that we will generate our first release candidate for Zenphoto 1.4.2.
Please give 1.4.2 a try.
We are pleased to announce that we have an updated version of Ajax Filemanager which has all known security holes plugged. We are releasing this version with the 1.4.2 Zenphoto release and it is currently available in the Beta of that release.
We understand that some people will be reluctant to use this plugin owing to the recent hacks of Zenphoto sites. For this reason, Ajax Filemanager is now a plugin and is disabled by default. If you wish to use the Filemanager functionality go to the plugins tab and enable the Ajax Filemanager plugin.
Please note that the code we have released HAS BEEN MODIFIED to close these security holes. We are still waiting for updates from the developer. Until such time as these are available and activated by default the developer released versions of Ajax Filemanager should not be considered secure. As released they are subject to direct access (bypassing Zenphoto security), and Cross Site Reference Forgeries. DO (...)
This is a plugin for Akismet SPAM filtering.
A plugin that is able to create zip-files on the fly while streaming them. Other than that the functionality is the same as Zenphoto's album-zip.
This is a security update to the issues reported and the only change to Zenphoto 1.4.1.5 is the removal of the 3rd party Ajax File Manager tool as already discussed. Info about that here:
We urge anyone to upgrade. Download as always on our download page. If you access the file manager sub tab on the backend tab you will get a 404 not found. That is meant to happen.
This is a hotfix. The nightly builds have the file manage removed as well but are 1.4.2 beta already as the 1.4.1.x stream was actually considered closed (as announced already). Therefore there is no and wil be no tag for 1.4.1.6 in any svn stream.
Again, we are very sorry this all was possible. Thanks all for your support (...)
Sadly we had to learn that the vulnerability we reported yesterday was apparenlty only one and the whole file manager tool seems to be unsecure unnoticed.
We are really sorry for the issues. But we neither have/had resources to do a deep security checks on used/adapted 3rd party tools nor to write everything ourself. We are dependend on those 3rd party tools to adapt. We are now searching for a replacement.
Therefore, we urge you all strongly to remove the file manager in queston completely from your installs. This possibly might affect releases beginning with Zenphoto 1.2.4 (or 1.2.1 if you use that with the then independent Zenpage plugin which included the file manager and tinyMCE first). But you really should not be on these old version anyway. You find the file mananager on your install here:
zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager
We urge anyone to upgrade to Zenphoto 1.4.1.5 if still on 1.4.1.4 or older. The ajax file manager included in earlier versions had a security hole. This is 3rd party tool by phpletter.com we use for non gallery file management as a plugin for our text editor TinyMCE and standalone on the admin backend upload tab.
This security hole had been reported (ticket #2005) and fixed in 1.4.1.5. But since the last days several security sites flooded the web and twitter with notes about that we sadly learnt that someone apparently has been exploiting it hacking some sites now (we don't know what exactly this hack does):
So if (...)
The detailed documention of all functions and class methods of Zenphoto and all included standard plugins is generated automatically from the files via ApiGen and can be reached on a separate sub site: http://docs.zenphoto.org/
Note: The old phpdoc script that formerly generated the functions documentation does not work anymore. So we cannot generate a current documentation. Sadly even the generated documentations we have don’t work anymore. The server does not like the double suffix .php.html it generated for files and rejects these. We have no control about these server setting sadly.
Instead we now generated a new documentation using ApiGen. This is focussed on object orientated code structure so the documentation is much more developer centric. Most importantly there are no links to actual files anymore. (...)
We have released the last support release for the 1.4.1 stream. The Trunk branch of the Zenphoto repository (and the Trunk nightly builds) now contain the BETA release of Zenphoto 1.4.2. Please see the draft release notes for details on the release.
Zenphoto 1.4.1.5 is a minor bugfix release of the recent 1.4.1 branch.
As usual we recommend all users upgrade for the latest updates and fixes. See the changes on trac for more information.
