Quote:

Ill give this a try in a 4 year old established site and see what happens. sence its attacked on a daly basis.


@ Billy

Moving to a new galley setup would be the best idea, but some people have grown acustom to there setup, and some times those setps,gallerys can contain well over a few gigs in picutes, lol time and money they wish not to spend on a transfer, money they wish to invest into makeing the cerrent setup work.

@ BS

Ill check these out, from what ive been reading 2.1B4 doesnt have this isue. so im looking for this version to test out.

@ all

Please go to the following link and read it.
http://www.securityfocus.com/bid/27155

this isue has been noted by others,meaning little time till it becomes a large problem. to find a fix or repair is in high demand.


Marc

Hi:

I am Jose Espinoza (josespi) and for some time I took the project leadership xoopsgallery.

The report vulnerability of xoopsgallery 1.3.3.9 came together with the notification to the administrator of the server that our site was being used for a site of pishing who had inserted files in folders templates_c for their crimes.

The administrator of the server close the site xoopsgallery.org, while performing the tasks of cleaning. Therefore I have no access.

As the version 1.3.3.9 seemed stable enough, I concentrated on the development of version 2.1 and now I don´t have further access to backup that I have the vulnerable version for an update.

I also hope, as soon as possible, opening a space in sourceforge for xoopsgallery, and launch the upgrade.

Thanks

I encountered this problem too. I'm using a version 1.3.3.
I think to fix the issue, the extact() in init_basic (in my version, it is init.php) should be modified to include the option EXTR_SKIP. By this way, parameter from URL cannot overwrite program's internal variable (especially GALLERY_BASEDIR).

On my version, i need to modify init.php and check_init.php. You may search all PHP file to locate the "extract(" and then change it.

Quote:

Hope this help

Quote:

Absolutely, definitely and most categorically.....NO!!!

If users are looking for stable, secure and well featured gallery module than they should, IMHO at the present time, look at both xcgallery and extgallery.

Both are really good but have different features - choose the one that suits your needs best.

Well we have to consider that people's needs may vary