Photopost VBGallery Security Hole


Staff member
Just got this:

This bulletin affects all versions of PhotoPost vBGallery prior to 2.4.2
but does not affect PhotoPost Pro, ReviewPost, or PhotoPost Classifieds.

We recently became aware of a new exploit that hackers have created in
order to upload and attempt to execute php scripts on a webserver using
vBGallery. The exploit essentially involves uploading a PHP script
disguised as an image file, using a filename that contains a ".php.gif", "
php.wmv" or a similar file extension in order to manipulate or trick the
Apache webserver into executing the script as a PHP program. Ultimately,
this is a security flaw in the Apache webserver and has the potential to
affect any software that handles user file uploads, not just vBGallery, but
we have patched vBGallery and released 2.4.2 to prevent this issue from

Please visit our forum to read the complete bulletin, see instructions on
updating to vBGallery 2.4.2 for vBulletin 3.6 and 3.7 (or manually patching
older versions of vBGallery against this potential exploit), and read about
the provided "clean.php" scanner script used to look for potential

".php.gif" type file uploads:
PhotoPost vBGallery Important Security Bulletin - PhotoPost Community