upload exploit in version 1.1.5

steamas · February 2009

hi everybody,
long time ago i launched a gallery using zenphoto version 1.1.5, since then it ran successfully until now:
i discovered that some malicious *.php files where uploaded to it, thus i'm interested to find out in which way was it done. server logs didn't show anything use full at all, server account wasn't hacked(or it seams so), site contained only zenphoto gallery.

my question would be, if there was some exploit that could allow writing files into web directory, or would it be possible if someone knew zenphoto gallery users account?

acrylian · February 2009

Please read this: http://www.zenphoto.org/2008/08/troubleshooting-zenphoto/#29
Also maybe consider to upgrade since we don't support 1.1.5 anymore.

steamas · February 2009

i'm considering upgrading, but before that, i just wanted to know if it's some kind of zp exploit or other security leaks.

acrylian · February 2009

None know to us but you might consider to upgrade to the nightly build as we fixed one issue last week. You can read about it here: http://www.zenphoto.org/support/topic.php?id=4960 (otherwise a forum and site search is always a good idea...)

steamas · February 2009

ok, thanks for ideas. and yes.. i googled half day about this problem, and found only problems with sql injection, which where fixed in recent updates if i understand correctly.

Zenphoto

Quick Links

Categories

Problems? Lost?

Need project help?

Like using Zenphoto? Donate!

upload exploit in version 1.1.5

Comments

RSS feeds!

Social networks

Join the Google Group!

Information

Legal stuff