Exploited! Now what?


Layne Smith
July 27th, 2007, 10:03 AM
Hi all,

Granted, it's my fault. I installed PhotoPost two years ago and haven't looked at it since.

My host says my site was compromised using the upload function in PhotoPost.

Now, I need to upgrade but I don't even know what version I had. The exploit deleted my admin account so I can't log in to my site. It's being restored.

I bought PhotoPost about the middle of 2005 and I need to get current. Can someone tell me what my upgrade path would/should be?

Thank you,
Layne

Chuck S
July 27th, 2007, 10:07 AM
I have never heard of any upload exploit through our program, since we explicitly check filetypes, but anyway, your upgrade path is to download the latest of the code, upload everything except the config-inc.php file, run upgrade.php, and select every upgrade you need from your current version to the latest.

Layne Smith
July 27th, 2007, 10:17 AM
Sorry Chuck. I may have misspoken. Here's what they sent me.

http://www.securityfocus.com/bid/20028/exploit

When I try to download the upgrade I get "No valid license type for this file." Do I need to buy something? If so, what? The $39 member renewal?

Chuck S
July 27th, 2007, 10:29 AM
Yes, just purchase the members renewal.

Layne Smith
July 27th, 2007, 10:43 AM
Thanks Chuck.

Layne Smith
July 27th, 2007, 11:01 AM
"upload everything except the config-inc.php file"

"config-inc.php.NEW": is this the one I'm not supposed to upload? Thanks.

Michael P
July 27th, 2007, 11:37 AM
You would edit the contents and upload it as config-inc.php - we put .NEW onto the end to avoid unintentional overwrites of existing files.

Layne Smith
July 27th, 2007, 11:39 AM
Ahh, I see. Thank you.

Layne Smith
July 27th, 2007, 02:38 PM
Okay, dumb question. When I drag all those files, except for the config ones, will that replace my existing photos? Or are the actual images and thumbs and stuff saved somewhere else? If so, where?

Thanks,
Layne

Chuck S
July 27th, 2007, 03:07 PM
No, that just updates your old files to the newer ones; you still need to run the upgrade script. Upgrade documentation is in the documentation folder of the download.