Upgrade from 1.4.1.6 to 1.4.2 - Install problems

Soleil

I tried to upgrade to 1.4.2 but get always the information

"Forbidden

You don't have permission to access /albums/zp-core/setup.php on this server".

N.B. ZenPhoto has been installed in "albums".

I reinstalled ZenPhoto three times now, but get always the same information.

acrylian

Well, the file/folder permissions are not set correctly. Please see the troubleshooting on this.

Soleil

Thanks acrylian.

I put the permissions on 777 for "albums" and for ".htaccess", but keep getting the same error message. Should I change permissions anywhere else ? On all forders and files?

acrylian

You need to fix the permissions on "/zp-core" as the error indicates. 777 is pretty insecure though. So if you really need to do that on setup set them to more secure settings afterwards (see the troubleshooting already referred to).

Soleil

Thanks again acrylian.

In the meantome I put the permissions to 644 for files and to 755 for directories as you suggest in the troubleshooting. I managed to run the setup.

I found my albums again. But the images do not display. I see only their names. What to do?

acrylian

Please see your server's error log.

Soleil

Through my host, I can get only yesterday's error logs and I do not know how to get error logs through MySql. Is there another way in (ZenPhoto)to see the error logs?

acrylian

There is no way to get the server error logs through Zenphoto. You have to ask your provider.

Soleil

In the meantime, I managed to display the picture. For some reason, the permissions on my "albums" in the zenpage were set 755 instead of 755.

But CATASTROPHE! I got hacked again. And again my pages point to <link removed>

acrylian

permissions on my "albums" in the zenpage were set 755 instead of 755.</blockqute>
A typo maybe?

Sorry about the new hack - we don't know if it is the same - but this can happen if the file/folder permissions are set to lax or because of numerous other things. Best contact you host as well.

Soleil

I meant "...750 instead of 755".

I have pages (Zenpage) introducing each album and on these pages there is a link like the following. Do you think it is dangerous ?

`???`

acrylian

That link is a normal non-modrewrite link to an image name BBBB.jpg in album AAA. Unless the site referred is not yours that is surely not dangerous.

Soleil

I am very thankful to you for answering so quickly. I'll write to the server host again, but last time, a few weeks ago, the answer was that is a known ZenPhoto problem.

The hacker manages to modify the .htaccess and to write into it the following (several times):

`ErrorDocument 400 <link removed>

The same happens in the .htaccess in the folder "albums"

sbillard

I your site was hacked by the original attack it is necessary to remove all the script and htaccess files as they may have been conpromised. If you have not done that, the hacker still has access to your site.

As to the 0750 permissions--that will cause any direct link to fail since the final digit prohibits access by the public.

acrylian

I removed the link again. We don't want to send them traffic or have our ranking hurt by linking to them.

Soleil

Thanks acrylian and sbillard !

Yes of course, I had cleaned my site thoroughly and I will clean it again. Let's hope I'll get rid of this nuisance. I'll let you know.

saltmine

Hey just had this happen to my site and thought I would contribute. In my case the hacker also uploaded two php files in various directories (same files each time). They seemed to be added to my sites root directory and the root of the zenphoto directory along with the first directory (alphabetically) in each zenphoto subdirectory.

I have gone through and removed all .htaccess files except for the one in the zenphoto directory - is there any way to generate a new one through zenphoto?

However, my site is still being redirected to site mentioned when access through a search engine. Is this something that google / bing is caching?

sbillard

If you just remove it and run setup you will be given an option to have setup create a new one.

Soleil

Maybe some know about it, but as for me I just found out that FileZilla has a search feature for remote files. Very useful, especially because it shows also the modification date and the file size and you can delete the files from the search window.

I found 12 htaccess files modified by the hacker on my server !!!!

Good to search also above www

I go on with my cleaning.....

acrylian

That is surely a good idea. Zenphoto has only a root htaccess file by default.

saltmine

So I was able to fix my site for now.

In case it helps anyone else I had to remove yet another .hataccess file from my server's root directory and also the "www" file mentioned by Soleil above (THANKS!). Seemed to be this file doing the redirecting. WHAT A HASSLE!

Soleil

Well, it looks as if I had managed too. At least for one of my sites. I had four that had been hacked.

Question I: I did not change my password to phpMyAdmin/MySql yet for some of my sites. If I do it, what would happen on an installed, working site with ZenPhoto? Do I have to run the setup again and make all the styling changes again?

Question II: Is there a way to know whether you have made changes in a new version to php files like: image, album, gallery, search... conatained in a theme?

@saltmine: I am happy that I could help you a little.

acrylian

1. If you change the mysql credentials you of course need to change them for Zenphoto as well. Setup will tell you if it can't acccess the database.

2. Only with a file compare.