Photopost VBGallery Security Hole

Discussion in 'Security' started by mneylon, Jan 9, 2008.

  1. mneylon

    mneylon Administrator Staff Member

    Just got this:

    This bulletin affects all versions of PhotoPost vBGallery prior to 2.4.2
    but does not affect PhotoPost Pro, ReviewPost, or PhotoPost Classifieds.

    We recently became aware of a new exploit that hackers have created in
    order to upload and attempt to execute php scripts on a webserver using
    vBGallery. The exploit essentially involves uploading a PHP script
    disguised as an image file, using a filename that contains a ".php.gif", "
    php.wmv" or a similar file extension in order to manipulate or trick the
    Apache webserver into executing the script as a PHP program. Ultimately,
    this is a security flaw in the Apache webserver and has the potential to
    affect any software that handles user file uploads, not just vBGallery, but
    we have patched vBGallery and released 2.4.2 to prevent this issue from

    Please visit our forum to read the complete bulletin, see instructions on
    updating to vBGallery 2.4.2 for vBulletin 3.6 and 3.7 (or manually patching
    older versions of vBGallery against this potential exploit), and read about
    the provided "clean.php" scanner script used to look for potential

    ".php.gif" type file uploads:
    PhotoPost vBGallery Important Security Bulletin - PhotoPost Community

Share This Page