Important Zenphoto 1.0.7 Release 27 January 2007
Zenphoto 1.0.7 has been released tonight with one small change — an important security fix for a problem with upwards directory traversal using “..” as the album name. I’ve simply filtered it out (in two places) and it shouldn’t be a problem again. Thanks to nicosomb for reporting this on the forums.
Everyone using any previous version should upgrade as soon as possible, though no need to worry — there’s not much risk from this bug, only the possibility of seeing folder names (and nothing else) in your web site’s directories that are accessible to your user. No files can be opened, nor any applications exploited. But upgrade anyway :-)
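The release note says the fix filters ".." out of the album name. The PHP sketch below is an added example, not Zenphoto's actual code; its function name, directory layout and sample inputs are constructed for illustration. It pairs that filter with a canonical-path containment check, so an album name can only resolve to a directory under the albums root.

```php
<?php
// Added example: not Zenphoto's code. Names and the directory layout are hypothetical.

/** Map a user-supplied album name to a directory under $albumRoot, or null. */
function resolve_album_dir(string $albumRoot, string $album): ?string
{
    $root = realpath($albumRoot);
    if ($root === false || strpos($album, "\0") !== false) {
        return null;
    }
    // The filter the release note describes: refuse any ".." path segment.
    // Backslashes are normalised first so "..\" is caught as well.
    $segments = explode('/', str_replace('\\', '/', $album));
    if (in_array('..', $segments, true)) {
        return null;
    }
    // Defence in depth: canonicalise (this also resolves symlinks) and
    // require the result to be the root itself or a directory beneath it.
    $dir = realpath($root . DIRECTORY_SEPARATOR . $album);
    if ($dir === false || !is_dir($dir)) {
        return null;
    }
    $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($dir !== $root && strncmp($dir, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $dir;
}

// Constructed layout: <tmp>/albums/holiday/beach plus a sibling <tmp>/private.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'albumdemo_' . bin2hex(random_bytes(4));
mkdir($base . '/albums/holiday/beach', 0700, true);
mkdir($base . '/private', 0700, true);

// Constructed album names, as they might arrive in a request parameter.
$samples = ['holiday', 'holiday/beach', '..', '../private', 'holiday/../../private', 'missing'];
foreach ($samples as $album) {
    $dir = resolve_album_dir($base . '/albums', $album);
    printf("%-24s %s\n", $album, $dir === null ? 'rejected' : 'ok');
}
```

The segment filter alone matches what the post describes; the `realpath` comparison additionally covers names that leave the root through a symlink rather than through "..".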
More on zenphoto to come.