Security alert - Part 2 (update 2) 10 November 2011
Sadly we had to learn that the vulnerability we reported yesterday was apparenlty only one and the whole file manager tool seems to be unsecure unnoticed.
We are really sorry for the issues. But we neither have/had resources to do a deep security checks on used/adapted 3rd party tools nor to write everything ourself. We are dependend on those 3rd party tools to adapt. We are now searching for a replacement.
Therefore, we urge you all strongly to remove the file manager in queston completely from your installs. This possibly might affect releases beginning with Zenphoto 1.2.4 (or 1.2.1 if you use that with the then independent Zenpage plugin which included the file manager and tinyMCE first). But you really should not be on these old version anyway. You find the file mananager on your install here:
Remove the folder ajaxfilemanager completely. It is also recommend to replace the two TinyMCE config files for Zenpage that use the file manager with the ones found at the bottom of this page. Replace the files of the same name within (1.4.1.x versions):
Note: Still also lax server file/folder permissions can be involved additionally in the recent hacks as our own site gladly has not been hacked so far (we have pretty strict permissions even Zenphoto's own setup cannot change). So check your permissions. Info on those are found here: Permissions for Zenphoto files and folders.
Also check your .htaccess files as on some hacked sites these were modified (We don't know if that is a coincidence or the same security hole exploited).
Update: On both svn repositories the file manager has been removed and the config files update.
Update 2: Our user jest3r- has provided an attempt of an detailed analyis:
We now also provide the complete TinyMCE plugin without the file manager for download for your convenience.
Download TinyMCE config files for Zenpage
The files have been removed. Upgrade to the current Zenphoto release or at least 22.214.171.124.