X3 Photo Gallery Support Forums

mjau-mjau
X3 Wizard
Posts: 14452
Joined: 30 Sep 2006, 03:37

29 Oct 2006, 11:34

All the security issues were fixed back in February over half a year ago with the release of Imagevue 16.2. Read news here: https://www.photo.gallery/news/9/

It was not a good thing of course, and I guess I wasn't aware of the amount of people who live to create havoc with other people's pages. At the time it occurred, I received emails from several "hackers" who seemed to consider it a trophy to have been the one to have discovered the security hole. I did reply to one or the other, but certainly not all that tried to take claim. Excuse me, but it's pretty pathetic -

It's also a pity that some of the posts about security issues still prevail, and that some people don't bother to check for updates, as it is secure now.

The holes that could be used in the earlier non-secure versions were the following:
#1 External user could access upload script and upload file without password. This could be used to upload other PHP scripts if the folder had the right permissions. Depending on the server, this PHP script could then be used to spy on the server folder structure, and on some servers, even be used to delete files on parent folders.
#2 Not as critical, but scripts dirxml.php and readfolder.php could be used to spy on file structure of a server.

The abundant fixes since version 16.2 are:
#1 External user can no longer upload files without password
#2 Only a few file types are allowed for upload (jpg/gif/png)
#3 upload will not work for parently recursive to the content folder
#4 dirxml.php and readfolder.php cannot be used to read content on parent folders
#5 dirxml.php and readfolder.php are restricted to read certain filetypes (mp3, jpg, txt)

To anyone who has been so unlucky as to have been affected by this earlier issue, our apologies. Please understand that these issues now are history.
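The fixes listed above boil down to three server-side checks: require a login before accepting an upload, accept only an allowlist of extensions, and refuse any path that resolves outside the content folder (for both upload targets and the folders that dirxml.php/readfolder.php are asked to list). The PHP below is an added illustration of those checks, not Imagevue's own code; the function names, the `$contentRoot` layout and the temporary demo folder are constructed for the example, and it assumes PHP 8 or later for `str_starts_with`/`str_contains`.

```php
<?php
// Added example, not Imagevue code. Illustrates the checks described in the post:
// fix #1 (login required), #2/#5 (extension allowlists), #3/#4 (no parent folders).
declare(strict_types=1);

const ALLOWED_UPLOAD_EXT = ['jpg', 'gif', 'png'];   // fix #2
const ALLOWED_LIST_EXT   = ['mp3', 'jpg', 'txt'];   // fix #5

// Resolve $relative under $contentRoot and return the absolute path only if it
// stays inside the root. Returns null for "../", symlinks out, or missing paths.
function confineToContentRoot(string $contentRoot, string $relative): ?string
{
    $root = realpath($contentRoot);
    if ($root === false || str_contains($relative, "\0")) {
        return null;
    }
    $candidate = realpath($root . DIRECTORY_SEPARATOR . $relative);
    if ($candidate === false) {
        return null;                                  // nothing there to confine
    }
    $rootWithSep = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($candidate !== $root && !str_starts_with($candidate, $rootWithSep)) {
        return null;                                  // escaped the content folder
    }
    return $candidate;
}

// Decide whether an upload request may be honoured. $authenticated stands in for
// whatever session check the application uses (hypothetical parameter).
function checkUploadRequest(bool $authenticated, string $contentRoot,
                            string $targetDir, string $originalName): array
{
    if (!$authenticated) {
        return ['ok' => false, 'reason' => 'authentication required'];     // fix #1
    }
    $dir = confineToContentRoot($contentRoot, $targetDir);
    if ($dir === null || !is_dir($dir)) {
        return ['ok' => false, 'reason' => 'target outside content folder']; // fix #3
    }
    $name = basename($originalName);                  // strip any directory part
    if ($name === '' || $name !== $originalName || $name[0] === '.') {
        return ['ok' => false, 'reason' => 'invalid file name'];
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_UPLOAD_EXT, true)) {
        return ['ok' => false, 'reason' => 'file type not allowed'];       // fix #2
    }
    // A real handler would also verify the bytes with finfo_file() and
    // move_uploaded_file() into $dir; the name check alone is not enough.
    return ['ok' => true, 'path' => $dir . DIRECTORY_SEPARATOR . $name];
}

// Folder listing as a dirxml.php/readfolder.php replacement would do it:
// confined to the content root and exposing only the allowed file types.
function listFolder(string $contentRoot, string $relativeDir): ?array
{
    $dir = confineToContentRoot($contentRoot, $relativeDir);              // fix #4
    if ($dir === null || !is_dir($dir)) {
        return null;
    }
    $out = [];
    foreach (scandir($dir) as $entry) {
        if ($entry === '.' || $entry === '..') {
            continue;
        }
        $ext = strtolower(pathinfo($entry, PATHINFO_EXTENSION));
        if (is_dir($dir . DIRECTORY_SEPARATOR . $entry) || in_array($ext, ALLOWED_LIST_EXT, true)) {
            $out[] = $entry;                                             // fix #5
        }
    }
    return $out;
}

// Constructed demo: a throwaway content folder with one image and one script.
$root = sys_get_temp_dir() . '/gallery_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/album', 0700, true);
touch($root . '/album/photo.jpg');
touch($root . '/album/config.php');

var_dump(checkUploadRequest(false, $root, 'album', 'photo.jpg')['ok']);  // bool(false): no login
var_dump(checkUploadRequest(true,  $root, 'album', 'script.php')['ok']); // bool(false): type
var_dump(checkUploadRequest(true,  $root, '../',   'photo.jpg')['ok']);  // bool(false): escapes root
var_dump(checkUploadRequest(true,  $root, 'album', 'photo.jpg')['ok']);  // bool(true)
print_r(listFolder($root, 'album'));   // only photo.jpg; config.php is not exposed
var_dump(listFolder($root, '../'));    // NULL: parent folder refused

// Clean up the demo folder.
unlink($root . '/album/photo.jpg');
unlink($root . '/album/config.php');
rmdir($root . '/album');
rmdir($root);
```

The key design point is that every path the client influences goes through `confineToContentRoot` before the filesystem is touched, so the upload and listing scripts share one confinement rule instead of each carrying its own string checks; `realpath` also collapses `..` and symlinks, which a plain `str_contains('..')` test would miss.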