


Old January 9th, 2008, 12:06 AM   #1
ScottW
PhotoPost CEO
PhotoPost vBGallery Important Security Bulletin

This bulletin affects all versions of PhotoPost vBGallery released to date.

We recently became aware of a new exploit that hackers have created in order to upload and attempt to execute PHP scripts on a webserver using vBGallery. The exact details of the exploit were emailed to PhotoPost customers and are available to valid license holders upon request.

Ultimately, this is a security flaw in the Apache webserver and has the potential to affect any software that handles user file uploads, not just vBGallery, but you should know that PhotoPost Pro is not affected by this particular issue.

We have now modified vBGallery in an effort to help you minimize the ability of hackers to upload these scripts. You can download this latest version of vBGallery 2.4.2 (for vBulletin versions 3.6.8 and 3.7.0 beta 3) and update your site accordingly. Update instructions can be found in our 2.4.2 announcement.

If you're running an older version of vBGallery, we also have instructions on how to manually patch the necessary files. Note that these manual instructions apply to vBGallery versions running with vBulletin 3.5.x, 3.6.x, and 3.7 only.

We are also providing a script called clean.php, attached to this post as clean.zip, that scans your vBGallery upload directories and helps remove any malicious files pertaining to this particular exploit that any would-be hacker may have uploaded. Instructions for using clean.php can be found in the included readme.txt file. You can upload the scanner script to your server and run it one time to remove any such files from your upload directories.

As an added security measure, you can also configure your Apache webserver to disallow the execution of any scripts (PHP, Perl, or otherwise) from your vBGallery upload directories if you have the expertise to do so. This is an added security measure that security-conscious sites can take regardless of this new exploit, since it gives you additional protection to address potential as-yet-unknown exploits involving file uploads.

As always, we recommend that you back up your database and files on your webserver(s) now and before you run any updates, the cleaning script, or apply any other patches.

If you need our assistance to update your gallery to this newest 2.4.2 version, or to run the clean.php script, you can purchase the upgrade service and we will perform these tasks for you.

Please contact us should you have any questions.
Attached Files
File Type: zip clean.zip (1.6 KB, 100 views)

Last edited by Zachariah; January 9th, 2008 at 10:11 AM.
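The Apache hardening the bulletin recommends for the upload directories, as an added example that is not part of the original post or of any PhotoPost-supplied file. It assumes an `.htaccess` in each vBGallery upload directory (the same directives work inside a `<Directory>` block in httpd.conf), that `AllowOverride` permits `FileInfo` and `Options` there, and that PHP runs as mod_php; the `php_flag` line is silently ignored under CGI/FastCGI PHP, which is why the handler removal and the deny rule are present as well. The extension list is an assumption to be matched against your own `AddHandler`/`AddType` lines.

```apache
# Added example, not from the bulletin: .htaccess for a vBGallery upload directory.

# Stop mod_mime from handing files here to a script interpreter. Removing the
# handler and the MIME type for script extensions means they cannot match in
# any position of a multi-extension name such as photo.php.jpg.
RemoveHandler .php .php3 .php4 .php5 .phtml .phps .pl .cgi .py .sh
RemoveType    .php .php3 .php4 .php5 .phtml .phps .pl .cgi .py .sh
php_flag engine off

# Never run CGI from here, do not list the directory, and refuse to serve
# anything whose name carries a script extension anywhere in it.
# Apache 2.2 syntax; on Apache 2.4 replace the Order/Deny pair with
# "Require all denied".
Options -ExecCGI -Indexes
<FilesMatch "\.(php|php[345]|phtml|phps|pl|cgi|py|sh)(\.|$)">
    Order Allow,Deny
    Deny from all
</FilesMatch>
```

Verify it before relying on it: drop a file named `probe.php.jpg` containing `<?php phpinfo();` into the directory and request it through the web server. It must come back as a 403 (or as raw text), never as a rendered page; remove the probe afterwards. Also confirm that an uploaded `.htaccess` cannot land in these directories, since one that re-adds a handler would undo all of the above.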
Old January 9th, 2008, 08:58 AM   #2
Michael P
PhotoPost Developer
This will rename unwanted files on upload.
This will be added to 2.4.2.
- a script to scan for existing files will follow

Edit:
forums\includes\functions_gallery_imageedit.php

Find:
1.0.0 - 2.1
Code:
Content visible to verified customers only.
2.2, 2.3
Code:
Content visible to verified customers only.
2.4 +
Code:
Content visible to verified customers only.
Replace:
Code:
Content visible to verified customers only.
Find:
Code:
Content visible to verified customers only.
Above add:
Code:
Content visible to verified customers only.
Find:
Code:
Content visible to verified customers only.
Above add:
Code:
Content visible to verified customers only.

Last edited by Zachariah; January 9th, 2008 at 09:14 PM.
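The two controls described in this thread, renaming unwanted files at upload time (the patch above, whose code is visible only to licensed customers) and scanning the existing upload directories (the clean.php script attached to the first post), as one added example. This is not PhotoPost code and not the contents of clean.php; it is a stand-alone PHP 7.1+ script written for this page. Because the bulletin withholds the exploit details, the example makes two labelled assumptions: that the danger is a filename carrying a script extension anywhere in it, including the multi-extension form `photo.php.jpg` that a handler bound to `.php` will still execute, and that the gallery only needs to store JPEG, GIF and PNG. The function names, the extension lists and the `--delete` flag are all hypothetical.

```php
<?php
// Added example for this thread, not code from PhotoPost or from clean.php.
// Shows (1) renaming unwanted files on upload and (2) scanning an existing
// upload tree for script files, in the spirit of the two posts above.
// Assumptions: a script extension anywhere in the name is dangerous
// ("photo.php.jpg"), and the gallery only stores JPEG/GIF/PNG.

// Extensions a typical Apache setup hands to a script handler.
// Assumption: adjust to match your server's AddHandler/AddType lines.
const SCRIPT_EXTENSIONS = ['php', 'php3', 'php4', 'php5', 'phtml', 'phps',
                           'pl', 'cgi', 'py', 'sh'];
// Extensions the gallery is expected to serve as images.
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'gif', 'png'];

// True if ANY dot-separated extension in the name is a script extension,
// not only the final one, so "photo.php.jpg" is flagged as well as "x.php".
function has_script_extension(string $name): bool
{
    $parts = explode('.', strtolower(basename($name)));
    array_shift($parts);                       // first element is the base name
    foreach ($parts as $ext) {
        if (in_array($ext, SCRIPT_EXTENSIONS, true)) {
            return true;
        }
    }
    return false;
}

// Rename on upload: keep exactly one allowed image extension and a base name
// without dots or special characters. Returns null when the upload should be
// rejected outright (wrong type, or no usable extension, e.g. ".htaccess").
function safe_upload_name(string $original): ?string
{
    $lower = strtolower(basename($original));
    $ext   = pathinfo($lower, PATHINFO_EXTENSION);
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return null;                           // "shell.php", ".htaccess", "a.jpg.php"
    }
    // Everything before the last dot collapses to a single token:
    // "photo.php" becomes "photo_php", so no second extension survives.
    $base = (string) preg_replace('/[^a-z0-9_-]+/', '_', pathinfo($lower, PATHINFO_FILENAME));
    $base = trim($base, '_');
    if ($base === '') {
        $base = 'upload';
    }
    return $base . '.' . $ext;                 // "photo.php.jpg" -> "photo_php.jpg"
}

// Content check for files whose name looks harmless: a PHP open tag or a
// shebang at the start of the file is not something an image begins with.
function looks_like_script(string $path): bool
{
    $fh = @fopen($path, 'rb');
    if ($fh === false) {
        return false;
    }
    $head = fread($fh, 4096);
    fclose($fh);
    return (bool) preg_match('/<\?php|<\?=|^#!/i', $head);
}

// Walk an upload tree and return every file that is suspicious by name or by
// content, sorted. Nothing is deleted here; the caller decides. An .htaccess
// in an upload directory is either your own hardening file or an attacker's
// AddHandler, so review those by hand rather than letting a script decide.
function scan_upload_dir(string $dir): array
{
    $found = [];
    $iter  = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $file) {
        if ($file->isFile()
            && (has_script_extension($file->getFilename()) || looks_like_script($file->getPathname()))) {
            $found[] = $file->getPathname();
        }
    }
    sort($found);
    return $found;
}

// CLI use: php scan_uploads.php /path/to/vbgallery/uploads [--delete]
// Without --delete it only reports; run it in report mode first and keep a
// backup, as the bulletin advises, before running it with --delete.
if (PHP_SAPI === 'cli') {
    $args   = array_slice($argv, 1);
    $delete = in_array('--delete', $args, true);
    $dirs   = array_values(array_diff($args, ['--delete']));
    if ($dirs === []) {
        fwrite(STDERR, "usage: php scan_uploads.php <upload-dir> [--delete]\n");
        exit(2);
    }
    foreach (scan_upload_dir($dirs[0]) as $path) {
        echo ($delete && unlink($path) ? 'removed  ' : 'found    '), $path, "\n";
    }
}
```

Wire `safe_upload_name()` in at the point where the gallery decides the stored filename, and reject the upload when it returns null; every name it does return satisfies `has_script_extension() === false`, because the only dot left is the one before the allowed extension. The scanner is deliberately conservative about content: it reads only the first 4 KiB and matches `<?php`, `<?=` or a leading `#!`, so an attacker's script is caught even when it was stored under a harmless-looking name, while JPEG metadata (XMP packets start with `<?xpacket`) is not. Pair it with the Apache directory hardening from the first post rather than relying on either control alone.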
Old January 9th, 2008, 10:57 AM   #3
Michael P
PhotoPost Developer
Please use this thread for discussions about the script or changes:

http://www.photopost.com/forum/showthread.php?t=134923