Security reports that do not make sense Apr 22, 2011
Some of you reading on Twitter have probably seen quite a few (re)tweets about security issues in Zenphoto. We are a little upset about the way these sites act, so we feel compelled to comment on them now.
There is a website that purports to be a security advisory site: High-Tech Bridge. But from some recent postings one really has to question what their real purpose is. If you look at their site you will see lots of claimed vulnerabilities they have discovered. Look also at the services they advertise. If other developers' experience is anything like Zenphoto's, you will really have to question their motives, especially when you consider that the site originally posts these as "preliminary" and claims to have contacted the developer ("Vendor notification: 07 April 2011"), which they never did.
High-Tech Bridge HTB22945 reports a generic problem with PHP versions prior to 4.0, not something that is specific to Zenphoto. Like some other well-meant but ill-conceived features (e.g. magic_quotes_gpc), this feature provides no real benefit to well-written scripts but does lay them open to malicious use. It is really not practical for a script to "protect" itself from the abuse, both in terms of programming effort and script performance. The proper "solution" is for this setting to remain "OFF", as it does by default in the Zenphoto minimum required version of PHP. (It is such a bad idea that it is deprecated by PHP 5.3, the current normal version.)
Another interesting scare attempt comes with High-Tech Bridge HTB22944: Path disclousure[sic] in Zenphoto. Really, what are these people thinking? If one wants to know the WEB paths used by Zenphoto, one need only peruse the open source. I guess the author thinks that WEB sites should be completely obfuscated. Besides the fact that there are many more such paths easily discoverable, maybe someone should enter the URL into their browser and see what happens. (Probably too much due diligence for High-Tech Bridge!) And what is the result? A 404 error, of course, since the link is not a valid image, album, or Zenpage item.
Stay tuned for High-Tech Bridge's next startling discovery. I am certain that they can tweak their test WEB site with lax file security. Then they can post that Zenphoto does not properly protect against someone using FTP to modify its scripts. Remember, you heard it here first.
There is also another site, Exploit Database, which actually did it at least partly right by first submitting a ticket through our bugtracker so we could contact them. But then they spoiled it as well by publishing the issue one day after the contact, before we had the chance to understand or possibly fix it.
Rest assured that we take real security flaws seriously. The 1.3.0 release and its updates were specifically meant to address some serious cross-site reference problems. We continue to make fixes as we are made aware of issues. For instance, the nightly build and (when we make it, 126.96.36.199) address the real issue noted by Exploit Database. [Of course, the scare tactics of High-Tech Bridge do not warrant addressing in general. But we will add detection in Setup to let you know if somehow your PHP configuration is contaminated.]
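As an added illustration of the kind of Setup-time check mentioned above (example code written for this post, not Zenphoto's own Setup code), the function below inspects the running PHP configuration and returns a warning for each risky legacy setting that is still switched on. The list of settings is an assumption: magic_quotes_gpc is named above, and register_globals is assumed to be the unnamed setting the post describes (on by default in old PHP, deprecated in 5.3). Both are PHP_INI_PERDIR settings, so a script can only detect them, not turn them off with ini_set(); the fix belongs in php.ini, .htaccess or .user.ini.

```php
<?php
/**
 * Return a list of human-readable warnings for legacy PHP ini settings
 * that should be OFF. An empty array means the configuration is clean.
 * Intended to be called from an installer/Setup page and displayed to
 * the site administrator.
 */
function zp_check_legacy_ini_settings() {
    // Assumed list of settings to check; extend as needed.
    $risky = array(
        'register_globals' => 'request variables are injected into the global scope',
        'magic_quotes_gpc' => 'input is silently escaped, which masks bugs instead of fixing them',
    );
    $warnings = array();
    foreach ($risky as $name => $why) {
        // ini_get() returns a string such as "1", "0", "", "On" or "Off",
        // or false when the directive does not exist in this PHP build.
        $raw = ini_get($name);
        if ($raw === false) {
            continue; // directive removed from this PHP version: nothing to report
        }
        $enabled = filter_var($raw, FILTER_VALIDATE_BOOLEAN);
        if ($enabled) {
            $warnings[] = sprintf(
                'PHP setting "%s" is ON (%s). Set it to Off in php.ini or .htaccess.',
                $name, $why
            );
        }
    }
    return $warnings;
}

// Example usage on a Setup page: constructed output, one line per problem found.
foreach (zp_check_legacy_ini_settings() as $warning) {
    echo htmlspecialchars($warning, ENT_QUOTES, 'UTF-8'), "<br />\n";
}
```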
By the way, in case you didn't know, you can now contact us directly via the form on our contact page if you really must.