1.0.7 Released with important security fix. UPGRADE now!

Hi everyone,

nicosomb discovered quite a bad security bug today, and I'm releasing a fix tonight (1.0.7) that will take care of it completely. Until then, if you have a 1.0.4, 1.0.5, or 1.0.6 installation, you should patch it yourself if you can.

The fix: (EVERYONE SHOULD DO THIS if you're running 1.0.4-1.0.6)

Edit: Upgrade to 1.0.7!

That should do it! The security problem is that it allowed directory listings using the '..' (up directory) directory which was not filtered out. NO FILES COULD BE ACCESSED by this method, only directory listings, and only for directories accessible by the web server. This flaw is not susceptible to exploitation of a web server or your zenphoto installation; it only shows relative folder names in the structure of your site.

Very sorry, this was entirely my fault... fortunately it seems no real harm may be done.

Note also this only affects versions greater than 1.0.4, where the sub-albums backend code is present. It is fixed after and including 1.0.7. Please upgrade today!

Comments

  • great! nice job ;) !!
  • Thanks nicosomb.
  • As a little side note, if you do perform this patch, it's probably a good idea to slightly modify your functions.php file at line 12 or so to read:

    // Set the version number.
    $_zp_conf_vars['version'] = '1.0.6+patch';

    That way you can keep track of your patched installations (if you have multiple ones) and keep your versioning straight.

    This is of course optional, but makes it easier to recognize the patched versions at a glance.
  • Was 1.0.7 ever officially released? It seems that the main page still mentions (and accesses) the 1.0.6 download archive.

    I've added the mentioned security patch to my 1.0.6 installation, but would prefer to move to 1.0.7 if I could find the download archive.

    Thanks for any assistance.

    Jeff
  • It's up. In case you don't see it try refreshing the browser cache.
  • Thanks For This Patch! :D
  • Silly me - it was a browser cache issue. A simple refresh fixed things up. Thanks JayRay...

    Jeff
  • What is the recommended upgrade procedure? I don't want to overwrite any configurations I've already made. Should I just punch in the fix as detailed in the "discovered quite a bad security bug today" thread above, or should I install from the the 1.0.7 zip file I've downloaded

    Thanks
  • Never mind, I see the Quick Upgrade Instructions below the link. Oops!
  • guys, please update your zipfile on the homepage... There is something wrong with it! i really want to try it but cant because the files wont unzip\

    Send me an email when you are done? Thanks!!
  • Try updating to a new version of winzip or winrar.. I am having no problems with it on my side(just tested xp's zip extractor, latest winzip and latest winrar(any my older version of winrar)). Please update software and try and re-download zenphoto and let us know if that works.
  • well i tried it a tenth time... XP's extractor (updated XP) and the latest Winzip both think its not a valid archive. No files to unzip...

    Can you email me the file?
    foto [at] renedenengelsman [dot] nl

    this is the winzipmessage: www.renedenengelsman.nl/tiseenplaatje/winzip.jpg

    Thanks!!
  • emailed...
  • I downloaded it twice today with absolutely no errors. As an alternative, I have a cache of files on my site at http://www.thinkdreams.com/files which you can grab the latest zenphoto from (in case anyone else has download and extraction issues.)
  • trisweb Administrator
    It's weird that people are having archive problems... it seems like my server might be to blame. I'll try to mirror it somewhere else as well.
Sign In or Register to comment.