Moa - An easy to use open source image gallery for PHP/MySQL
Moa 1.2.0b released [Friday, 28 August 2009 10:20]
Written by Richard Talbutt

A route to use one of the 3 exploits we patched was found remaining in a handful of the sources/page_*.php files. We had fixed them to guard against exploits when correctly included from the main index.php, but not when requested directly, which left them open. The particular exploit allowed remote code to be executed on the server holding Moa, but only if two out-dated options were turned on (against the defaults) or a very old 4.x version of PHP was in use. PHP 5.3+ has had the main offending option removed completely, as it was a common security issue. Also, a bug regarding a fresh install was found and corrected.


Many thanks to Sven over at secunia.com for pointing out these remaining holes.


The new downloads can be found on our Sourceforge page as usual, or direct links are here -

As before, just upload over the top of 1.2.0 or 1.2.0a, no upgrade needed. If you have a previous version of Moa just upload and follow the update link at the top of the page. No new features are added from the default 1.2.0 install, this is purely a security release. Make sure you set permissions to allow the web server user to write to ./images and ./images/thumbs after you copy the new version or you may have problems uploading new pictures. The upgrade will check for this from version 1.2.1 onwards, but the check is not present in 1.2.0.


A note for any future security issues. We do expect users to have a reasonably up to date server environment. Web hosts should have the dangerous options already turned off and be using a recent web server release. If you have your own server or VPS then it is pretty easy to upgrade and change the php.ini (the two options to turn off are register_globals and allow_url_include) to secure yourself.
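The two fixes described in this note and in the 1.2.0b note above (stopping the sources/page_*.php files from running when requested outside index.php, and not relying on register_globals or allow_url_include being off) look like this in code. This is an added example, not Moa's own source: the file names index.php and sources/page_gallery.php, the IN_MOA constant and the page list are assumptions made for illustration. Two files are shown in one listing; each would begin with its own `<?php` tag.

```php
<?php
// Added example, not Moa's own code. Two files shown in one listing.
// It demonstrates the hardening described in the release notes:
//   1. sources/page_*.php refuse to run unless included from index.php;
//   2. the page to include is chosen from a fixed list, never from raw input;
//   3. the dangerous php.ini options are checked, not assumed, to be off.
// File names, the IN_MOA constant and the page list are assumptions.

// ======================= index.php (front controller) =======================

// Refuse to serve anything while either dangerous option is on. ini_get()
// returns "" or false when an option is off or no longer exists in this PHP
// version, and filter_var() treats both as false. php.ini cannot be changed
// from here; this only makes a misconfiguration fail loudly.
foreach (array('register_globals', 'allow_url_include') as $opt) {
    if (filter_var(ini_get($opt), FILTER_VALIDATE_BOOLEAN)) {
        header('HTTP/1.1 500 Internal Server Error');
        exit('Refusing to run: php.ini option ' . $opt . ' is enabled');
    }
}

// Marker that only the front controller sets; page files test for it.
define('IN_MOA', true);

// Fixed map from request name to file. The request value is used only as a
// key into this array, so it can never become a path, a "../" sequence or a
// URL, whatever allow_url_include is set to.
$pages = array(
    'gallery' => 'sources/page_gallery.php',
    'image'   => 'sources/page_image.php',
    'upload'  => 'sources/page_upload.php',
);
$page = isset($_GET['page']) ? $_GET['page'] : 'gallery';
if (!is_string($page) || !isset($pages[$page])) {
    $page = 'gallery';   // unknown name: fall back silently, do not echo it
}
require __DIR__ . '/' . $pages[$page];

// ===================== sources/page_gallery.php ==============================

// A direct request for /sources/page_gallery.php never passes through
// index.php, so IN_MOA is undefined and the file stops before reading any
// request data. This closes the "included directly" route.
if (!defined('IN_MOA')) {
    header('HTTP/1.1 403 Forbidden');
    exit('Direct access not permitted');
}

// Initialise every variable the page uses from an explicit source. Even on a
// server that still has register_globals on, nothing here is inherited from
// the query string by name.
$gallery_id = isset($_GET['gallery']) ? (int) $_GET['gallery'] : 0;

echo 'Gallery ', htmlspecialchars((string) $gallery_id, ENT_QUOTES, 'UTF-8');
```

The matching php.ini lines are `register_globals = Off` and `allow_url_include = Off`. Neither option can be changed with ini_set() at runtime, so the check in index.php only reports what php.ini already says; the fix itself belongs in the server configuration, as the note above recommends.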

If new Moa exploits are found that rely on known and fixable PHP/Apache flaws such as register_globals, and a new Moa release is coming within a few weeks, we will most likely wait and put the fixes directly into that release rather than issue a patch.

If the next update is going to be a while, or it is an issue that affects up-to-date servers, then we will put out a patch ASAP like the current one.

Either way we will pass on information about possible exploits if and when we find out about them. Of course bugs in Moa will have a patch if needed.


If anyone finds any new problems, feel free to let us know by e-mail.


Moa 1.2.0a released [Friday, 28 August 2009 10:20]
Written by Dan Brown

This is a quick bugfix release to fix the following holes found by the security community -

Two of the three only took effect if you had PHP register_globals turned on, which is against the PHP defaults nowadays and unlikely to be needed by anything. The third was an SQL injection vulnerability which had very limited scope to do anything malicious, as the results are not echoed anywhere on the screen. It was limited to selecting data and not inserting or adding anything. It is our belief that all three exploits are fairly low risk, however you should upgrade to 1.2.0a to remove the chances of anything happening. We have also patched a number of similar routes that could be used to exploit the same behaviour.
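An SQL injection of the kind described above, where the query text is assembled from a request value, is removed by binding the value as a parameter instead. The following is an added example written with mysqli and is not Moa's code: the images table, its gallery_id column and the open connection $db are assumptions made for illustration.

```php
<?php
// Added example, not Moa's own code. Shows the query shape behind an SQL
// injection of the kind described above (query text built from a request
// value) beside the prepared-statement form that removes it. The images
// table, its gallery_id column and the open mysqli connection $db are
// assumptions made for illustration.

// Vulnerable shape: the request value is spliced into the SQL text, so a
// value containing SQL syntax changes what the query does. That remains
// true even when the page never prints the rows, which is why the release
// note describes the impact as limited rather than absent.
function list_images_unsafe(mysqli $db, $gallery)
{
    $sql = 'SELECT id, filename FROM images WHERE gallery_id = ' . $gallery;
    return $db->query($sql);
}

// Hardened shape: the SQL text is fixed at prepare() time and the value is
// bound as an integer parameter, so it can only be compared, never parsed.
// Casting to int first also rejects anything that is not a gallery number.
function list_images(mysqli $db, $gallery)
{
    $gallery = (int) $gallery;
    $stmt = $db->prepare('SELECT id, filename FROM images WHERE gallery_id = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('i', $gallery);
    $stmt->execute();
    $stmt->bind_result($id, $filename);

    $rows = array();
    while ($stmt->fetch()) {
        $rows[] = array('id' => $id, 'filename' => $filename);
    }
    $stmt->close();
    return $rows;
}

// Usage from a page file: the value comes straight from the request and is
// handed to the hardened function, which is responsible for typing it.
// $db = new mysqli('localhost', 'moa', 'secret', 'moa');   // assumed connection
// $images = list_images($db, isset($_GET['gallery']) ? $_GET['gallery'] : 0);
// foreach ($images as $img) {
//     echo htmlspecialchars($img['filename'], ENT_QUOTES, 'UTF-8'), "\n";
// }
```

bind_result() is used rather than get_result() so the example does not depend on the mysqlnd driver; on a gallery that uses string keys the same pattern applies with the 's' type specifier in bind_param().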


If anyone finds any new problems, feel free to let us know. I can be contacted by e-mail.

 

The new downloads are -

Just upload over the top of 1.2.0, no upgrade needed. If you have a previous version of Moa just upload and follow the update link. No new features are added from the default 1.2.0 install, this is purely a security release.
Last Updated on Wednesday, 09 September 2009 22:06

Security exploits [Thursday, 27 August 2009 23:00]

We have been informed of 3 vulnerabilities in Moa that have surfaced within the last 2-3 days. These could allow malicious people to get access to files or alter the database.


We have been working on fixes and have 2 of the exploits plugged. We are working on the third now, but we need to test the fixes thoroughly before releasing them, as they may break other things. Unfortunately we are both working tomorrow so it is likely to be Friday night or Saturday morning before we get this patch released. We are working on it though. I have taken the demo offline until we get fixes in place, as this is the most public Moa site.

 

Thanks to the security community at large for submitting these exploits, it is much appreciated and we have fixed several other gaps we found as well.

Last Updated on Thursday, 27 August 2009 23:17

Moa 1.2.0 Released

At last, 1.2.0 is out!

As well as putting in full template support, we took the time to make the HTML/CSS code much nicer. Gone are the nasty old table-based layouts, replaced by (mostly) semantically correct, maintainable and fairly clean markup. IE6 support is still lacking a bit but it does work and should be back before long. We would love to drop it completely, but galleries are something that may be viewed at work and sadly IE6 is still being forced on people there.

We are working on a template writing pack to be released shortly which will help anyone that wants to create their own. You will need to know real HTML and CSS - this will not work in page builders such as Dreamweaver (although they could be used to help) as we use fragments of code rather than a full page at a time.

Also new are some navigation links on the image pages to go forward and back in the current gallery and view them full sized and a few speedups.

Let us know what you think of the new templates in the comments below or by email via the links on the sourceforge project page (click the sf logo at the top).

Lastly, we have decided to change the release system a bit from here on. Rather than big 1.x releases every few months we are aiming for 1.x.y releases every few weeks. This lets new features out faster and keeps us on our toes...

Release notes are here.

Last Updated on Tuesday, 21 July 2009 23:35
 
Moa 1.1 released [Tuesday, 31 March 2009 09:34]

The rewrite is over and version 1.1 is out!

 

While this was mostly re-organizing the code there have been a few new features which can be seen in the release notes here.

 

Now we can start working on proper new features for 1.2. The first main one is the template system.
