Security alert - Part 2 (update 2)

Sadly we had to learn that the vulnerability we reported yesterday was apparently only one, and the whole file manager tool seems to have been insecure without anyone noticing.

We are really sorry for the issues. But we neither have nor had the resources to do deep security checks on the 3rd party tools we use and adapt, nor to write everything ourselves. We are dependent on those 3rd party tools to adapt. We are now searching for a replacement.

Therefore, we strongly urge you all to remove the file manager in question completely from your installs. This possibly might affect releases beginning with Zenphoto 1.2.4 (or 1.2.1 if you use that with the then independent Zenpage plugin, which was the first to include the file manager and tinyMCE). But you really should not be on these old versions anyway. You find the file manager on your install here:



ALERT - Security hole in Zenphoto

We urge anyone to upgrade to Zenphoto if still on or older. The ajax file manager included in earlier versions had a security hole. This is a 3rd party tool by we use for non-gallery file management as a plugin for our text editor TinyMCE and standalone on the admin backend upload tab.

This security hole had been reported (ticket #2005) and fixed in But over the last few days several security sites have flooded the web and Twitter with notes about it, and we sadly learnt that someone apparently has been exploiting it to hack some sites now (we don't know what exactly this hack does):

So if (...)

Functions documentation

The detailed documentation of all functions and class methods of Zenphoto and all included standard plugins is generated automatically from the files via ApiGen and can be reached on a separate sub site:

Note: The old phpdoc script that formerly generated the functions documentation does not work anymore, so we cannot generate current documentation with it. Sadly, even the generated documentation we have doesn't work anymore. The server does not like the double suffix .php.html that the script generated for files and rejects these. Sadly, we have no control over these server settings.

Instead we have now generated new documentation using ApiGen. This is focused on object-oriented code structure, so the documentation is much more developer-centric. Most importantly there are no links to actual files anymore. (...)

Zenphoto 1.4.2 BETA

We have released the last support release for the 1.4.1 stream. The Trunk branch of the Zenphoto repository (and the Trunk nightly builds) now contain the BETA release of Zenphoto 1.4.2. Please see the draft release notes for details on the release.


Zenphoto is a minor bugfix release of the recent 1.4.1 branch.

As usual we recommend all users upgrade for the latest updates and fixes. See the changes on trac for more information.


Use for installations where the caching of pages is causing problems of expired pages being delivered.

In its default configuration this plugin will prevent caching of all Zenphoto pages by any caching agent in the path.



Allows an under-privileged user to create a root level album. This album is then assigned in the user's managed albums list.

The user interface appears on the user tab in the "custom data" area when an enabled user is logged in. Candidate users must have Album and Upload rights. Users with Admin rights or Manage all album rights can already make root level albums, so they are excluded from this plugin.


A few theming tutorial updates

We have updated our theming tutorial a little. Basically just two things are new:

  1. New code examples that provide a more complete overview of the core structure of standard theme files. These are also provided as downloads as a kind of quick start kit.
  2. A code highlighter that should make reading easier (this one is actually site wide).

Anyway, if you feel any part of our documentation is lacking detail or anything else, we are an open source project that anyone can contribute to. You will find all the info on how to contribute on our "Get involved" page.


Zenphoto is a minor bugfix release of the recent 1.4.1 branch.

As usual we recommend all users upgrade for the latest updates and fixes. See the changes on trac for more information.

Using tinyZenpage

This is a plugin to the TinyMCE plugin and was introduced with the Zenpage CMS plugin. It provides access to your Zenphoto albums and images as well as Zenpage pages, news articles and news categories so you can easily include them in your pages and articles. Depending on the configuration file chosen you can of course do the same for album and image descriptions, basically all content fields that support TinyMCE.

Obviously inspired by ZenphotoPress by Alessandro "Simbul" Morandi


You can include links to articles, categories and pages into any field with an active tinyMCE editor:

  • Direct links to pages, news articles and news categories with the title as link text
  • Links and linked images to your albums and images

For images and albums you also have these (...)