Hi everyone,
nicosomb discovered quite a bad security bug today, and I'm releasing a fix tonight (1.0.7) that will take care of it completely. Until then, if you have a 1.0.4, 1.0.5, or 1.0.6 installation, you should patch it yourself if you can.
The fix: (EVERYONE SHOULD DO THIS if you're running 1.0.4-1.0.6)
Edit: Upgrade to 1.0.7! That should do it! The security problem is that the '..' (parent directory) path component was not filtered out, so it could be used to obtain directory listings outside the gallery. NO FILES COULD BE ACCESSED by this method, only directory listings, and only for directories readable by the web server. The flaw cannot be used to compromise the web server or your zenphoto installation; it only reveals relative folder names in the structure of your site.
Very sorry, this was entirely my fault... fortunately it seems no real harm can be done.
Note also that this only affects 1.0.4 and later, where the sub-albums backend code is present. It is fixed in 1.0.7 and later. Please upgrade today!
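To make the bug concrete, here is an added example written for this page; it is not zenphoto's own code (which is PHP) and the function names, the album parameter and the directory layout it builds in a temp dir are all constructed for the illustration. It shows the unfiltered listing escaping the albums root via '..', and a hardened version that percent-decodes, normalises the path, rejects any surviving '..' segment, and then confirms the resolved directory still lies under the root.

```python
import os
import posixpath
import shutil
import tempfile
import urllib.parse


def build_sample_tree() -> str:
    """Create a constructed (not real) gallery layout under a temp dir:
    <base>/albums/holiday/day1 is the gallery, <base>/private is a
    sibling directory a viewer must never be able to list."""
    base = tempfile.mkdtemp(prefix="zp_demo_")
    os.makedirs(os.path.join(base, "albums", "holiday", "day1"))
    os.makedirs(os.path.join(base, "private", "backups"))
    open(os.path.join(base, "private", "notes.txt"), "w").close()
    return base


def list_album_vulnerable(albums_root: str, album: str) -> list:
    """Hypothetical sketch of the unfiltered behaviour: the album name is
    joined onto the albums root with no check for '..', so a request for
    album='../private' lists a directory outside the gallery."""
    return sorted(os.listdir(os.path.join(albums_root, album)))


def sanitize_album(album: str) -> str:
    """Return a normalised relative album path, or raise ValueError.
    Percent-decodes first (so '%2e%2e' is caught), treats backslashes as
    separators, and rejects NUL bytes, absolute paths and any '..' segment
    that survives normalisation."""
    decoded = urllib.parse.unquote(album).replace("\\", "/")
    if "\x00" in decoded:
        raise ValueError("NUL byte in album path")
    if decoded.startswith("/"):
        raise ValueError("absolute album path rejected")
    norm = posixpath.normpath(decoded)  # collapses '.', '//' and 'x/..'
    if ".." in norm.split("/"):
        raise ValueError("parent-directory traversal rejected")
    return norm


def list_album_safe(albums_root: str, album: str) -> list:
    """Hardened listing: lexical filter plus a realpath containment check,
    so a symlink under the root cannot redirect the listing elsewhere."""
    rel = sanitize_album(album)
    root_real = os.path.realpath(albums_root)
    target_real = os.path.realpath(os.path.join(root_real, rel))
    if os.path.commonpath([root_real, target_real]) != root_real:
        raise ValueError("album path escapes albums root")
    return sorted(os.listdir(target_real))


def demo() -> dict:
    """Run both versions against the constructed tree and report results."""
    base = build_sample_tree()
    root = os.path.join(base, "albums")
    results = {}
    try:
        # Unfiltered: '../private' walks out of the albums root.
        results["vulnerable"] = list_album_vulnerable(root, "../private")
        # Hardened: each traversal variant is refused.
        for bad in ("../private", "holiday/../../private",
                    "%2e%2e/private", "..\\private", "/etc"):
            try:
                list_album_safe(root, bad)
                results[bad] = "ALLOWED"
            except ValueError:
                results[bad] = "rejected"
        # A legitimate album still lists normally after normalisation.
        results["holiday"] = list_album_safe(root, "holiday/./day1/..")
    finally:
        shutil.rmtree(base)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key!r}: {value}")
```

The lexical check alone would have closed the directory-listing bug described above; the realpath containment check is the extra step a practitioner adds so that symlinks inside the albums tree cannot reintroduce it.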
Comments
// Set the version number.
$_zp_conf_vars['version'] = '1.0.6+patch';
That way you can keep track of your patched installations (if you have multiple ones) and keep your versioning straight.
This is of course optional, but makes it easier to recognize the patched versions at a glance.
I've added the mentioned security patch to my 1.0.6 installation, but would prefer to move to 1.0.7 if I could find the download archive.
Thanks for any assistance.
Jeff
Thanks
Send me an email when you are done? Thanks!!
Can you email me the file?
foto [at] renedenengelsman [dot] nl
This is the WinZip message: www.renedenengelsman.nl/tiseenplaatje/winzip.jpg
Thanks!!