ZenphotoCMS Forum
upload exploit in version 1.1.5 - Printable Version




upload exploit in version 1.1.5 - steamas - 23-02-2009

hi everybody,
long time ago i launched a gallery using zenphoto version 1.1.5, since then it ran successfully until now:
i discovered that some malicious *.php files were uploaded to it, thus i'm interested to find out in which way it was done. server logs didn't show anything useful at all, server account wasn't hacked (or it seems so), site contained only zenphoto gallery.

my question would be, if there was some exploit that could allow writing files into web directory, or would it be possible if someone knew a zenphoto gallery user's account?




upload exploit in version 1.1.5 - acrylian - 23-02-2009

Please read this: http://www.zenphoto.org/2008/08/troubleshooting-zenphoto/#29
Also maybe consider to upgrade since we don't support 1.1.5 anymore.




upload exploit in version 1.1.5 - steamas - 23-02-2009

i'm considering upgrading, but before that, i just wanted to know if it's some kind of zp exploit or other security leaks.




upload exploit in version 1.1.5 - acrylian - 23-02-2009

None known to us but you might consider to upgrade to the nightly build as we fixed one issue last week. You can read about it here: http://www.zenphoto.org/support/topic.php?id=4960 (otherwise a forum and site search is always a good idea...)




upload exploit in version 1.1.5 - steamas - 23-02-2009

ok, thanks for ideas. and yes.. i googled half a day about this problem, and found only problems with sql injection, which were fixed in recent updates if i understand correctly.