ZenphotoCMS Forum
Virus hacks--Warning!!! - Printable Version



Virus hacks--Warning!!! - sbillard - 10-11-2011

Well, I have joined the ranks of sites which have recently been hacked (http://www.zenphoto.org/support/topic.php?id=9939).

One of the sites is my primary, and I had updated it yesterday to the 1.4.2 beta which has the fix for the known ajaxfilemanager vulnerability. Since the site was running yesterday I have to assume that the hack did not use that path.

I have taken a quick look at the ajaxfilemanager implementation. To the best of my knowledge there is no "security" on what it might do if someone directs a URL properly at one of its component files.

Therefore, I strongly recommend that the ajaxfilemanager folder be deleted from your sites.

We will continue to investigate and see if there is a fix for this. But since it is not our code, the understanding and correction may take a while.




Virus hacks--Warning!!! - hkdigit - 10-11-2011

sbillard, which folder should I delete? pls advise.




Virus hacks--Warning!!! - gjr - 10-11-2011

Please share with us how zenphoto.org is immune to this attack.

To be blunt, I am pissed subscribers were not warned about this, as you claim in the "news" this was discovered a while ago. To be blunt again, I am pissed that when it was discovered that the current release is vulnerable as well, everything is silent.




Virus hacks--Warning!!! - gjr - 10-11-2011

And my post gets moderated....get with the times guys




Virus hacks--Warning!!! - acrylian - 10-11-2011

gjr, we are really sorry that you are pissed off. The issue had been reported to us and we fixed what has been reported. We had undiscovered security issues (note this is a 3rd party tool!) that had been closed and were not exploited. Actually we did not consider this issue that important as the file manager is not an "outside" tool. Being a 3rd party tool, how should we have known that it is that vulnerable in general? We really can't check every tool or even write it ourselves...

Thus the 1.4.1.5 release. We did not advertise it, as that would give people a real idea. The advertising of this has been done by these security sites.

I will post soon about how to remove the file manager (if that is it actually). Note that sbillard and I are in different time zones, so there is an overlap where neither of us is available. And it is just us two!

PS: To the moderation. Well, blame it on the forum software, which lets a lot of spam through otherwise. You should not be moderated as a frequent poster; again, a fault of the forum software.




Virus hacks--Warning!!! - GargoyleCC - 10-11-2011

I too have been hacked, which has in turn then propagated to my other WordPress sites.
Do you have any assistance on this matter, as I'm pretty new to self hosting and hostmonster refuse to assist?
What folder should be removed?
Kind Regards




Virus hacks--Warning!!! - acrylian - 10-11-2011

Please see our news section. That is all we know (there are several ways these hacks can happen).




Virus hacks--Warning!!! - GargoyleCC - 10-11-2011

Does upgrading to 1.4.1.5 solve this or do I follow the instructions to manually remove?




Virus hacks--Warning!!! - hucste - 10-11-2011

Where do I put the zenpage-default-*.js.php ??? (in the archive tinymce-zenpage-config-replacement.zip)!




Virus hacks--Warning!!! - acrylian - 10-11-2011

Oh, sorry, forgot to add that bit of info. Within the config folder of the tiny_mce folder.




Virus hacks--Warning!!! - GargoyleCC - 10-11-2011

Does upgrading to 1.4.1.5 solve this or do I follow the instructions to manually remove? Can you help, please?




Virus hacks--Warning!!! - acrylian - 10-11-2011

It seems that the fix we did did not fix all that is insecure in that file manager. So follow the instructions of the 2nd part of the security alert.




Virus hacks--Warning!!! - hucste - 10-11-2011

It's written to download the .zip archive, but not where to put it?!




Virus hacks--Warning!!! - hucste - 10-11-2011

It's written to download the .zip archive... but not where to put it on the webgallery site?!




Virus hacks--Warning!!! - bic - 10-11-2011

Hi again, a little more info about my hack.
At first I got all PHP files hacked with the code you know.
I edited index.php just to show the visitors that maintenance was going on.
At a later time, a few hours later, the .htaccess file was hacked too, and this is very strange because the permissions on it were r-r-r, so I guess something has control over my server, is that possible?
I deleted the hacked .htaccess and replaced it with a new one from a backup, but then again it changed to the hacked version.
Any ideas?




Virus hacks--Warning!!! - GargoyleCC - 10-11-2011

Should I upgrade first then do the fix, or can I fix then upgrade?
Sorry to be a pain. It does seem logical to upgrade first then fix, but just confirming.




Virus hacks--Warning!!! - acrylian - 10-11-2011

Actually we always recommend upgrading. Note that we don't know what these hacks actually are (it seems to be two actually, according to reports, that can happen in other ways). The best is to upgrade, thereby replacing the files with fresh, surely not hacked ones, and then remove the file manager completely.




Virus hacks--Warning!!! - acrylian - 10-11-2011

@hucste: I updated the post. Note it is not required to update the files. All they do otherwise is add a box on the tinymce image plugin to call the file manager. This will run into a 404 without the update. If you don't use it you won't even notice.




Virus hacks--Warning!!! - hucste - 10-11-2011

I think it's much better to delete all directories and PHP script files... and anything else that is not an image.

The attacker takes control of all the sites that you manage; he goes up to your root directory!!!

But how can one be sure that the data in MySQL is not corrupted?




Virus hacks--Warning!!! - bic - 10-11-2011

Please, can somebody explain to me how a .htaccess file with r-r-r permissions can be changed in any way without server control?
What if I upgrade, follow the further suggestions about tinymce and then the problem is still on the provider's server?
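
Added example (not part of any post in this thread): one way a `.htaccess` file set to r--r--r-- can keep getting replaced, shown in a constructed temporary directory. It assumes the code doing the rewriting runs under the account that owns the site files, which the thread does not confirm; `replace_readonly` and `owner_check` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: everything happens in a constructed temp directory.

# replace_readonly DIR
# Creates DIR/.htaccess with mode 444, then swaps in a new file the way any
# process that can write to DIR could. Prints the resulting content.
replace_readonly() {
    dir=$1
    printf 'original\n' > "$dir/.htaccess"
    chmod 444 "$dir/.htaccess"
    printf 'replaced\n' > "$dir/.htaccess.new"
    # rename() checks write permission on the directory, not on the file,
    # so the r--r--r-- mode of the old .htaccess is never consulted.
    mv -f "$dir/.htaccess.new" "$dir/.htaccess"
    cat "$dir/.htaccess"
}

# owner_check FILE UID
# Prints "owner-controlled" when numeric UID owns FILE or its directory: that
# account can chmod or rename at will, so the mode bits are no barrier to it.
owner_check() {
    file_uid=$(ls -ldn "$1" | awk '{print $3}')
    dir_uid=$(ls -ldn "$(dirname "$1")" | awk '{print $3}')
    if [ "$file_uid" = "$2" ] || [ "$dir_uid" = "$2" ]; then
        echo owner-controlled
    else
        echo not-owner
    fi
}

# Demo run in a throwaway directory (constructed sample, no site files).
demo=$(mktemp -d)
echo "content after replacement: $(replace_readonly "$demo")"
echo "current user vs .htaccess: $(owner_check "$demo/.htaccess" "$(id -u)")"
rm -rf "$demo"
```

Where `owner_check` reports `owner-controlled` for the account the web server's PHP runs as, a read-only mode on `.htaccess` does not stop that account from replacing the file.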