An easy to use open source web
image gallery for PHP/MySQL
Moa 1.2.3 released [Saturday, 05 February 2011 15:51]
Written by Dan Brown   

Moa 1.2.3 is finally out!

Not a huge update but it still took some time. We added form validation throughout and made the forms a bit easier to work with in general.

We've noticed we get quite a few downloads but nobody seems to be using Moa, so it would be good to know why you have decided not to use it if you have the time. Leave a comment below. We can't make it perfect for you unless you tell us what is missing!

The best we can guess is that the tag system may be confusing people. So for the next version we are going to be making that optional and images will be attached directly to the gallery you upload them to. Tags will still be available if needed and will also be part of a search feature that will be added afterward.

1.2.2 Released [Tuesday, 16 June 2009 23:36]

Moa 1.2.2 is done and released.

Check out the release notes.

Let us know what you think. Use the comment feature on this post or email Dan directly.

1.2.1 Released [Tuesday, 15 December 2009 22:03]
Written by Dan Brown   

Moa 1.2.1 is finally out.

The main new features are an options page and png/gif support with a few other niceties and bug fixes thrown in.

See the release notes above for a bit more info.

As usual let us know if there is anything we can do to make Moa better or your gallery-life easier. Use the comment feature on this post or email Dan directly.

Site down [Saturday, 05 December 2009 12:07]
Written by Dan Brown   

Looks like the site is mostly up and running now, although not the demo yet. Will sort that out tonight when I get home from work.


Our web hosts (Webfusion UK) decided that not only would they move our VPS node to a new data centre but break the config so badly that a web-based file manager was the only possible way to interact with it, and then ignore all support requests. So we are now back on the old hosts until we can get a new VPS with a company that believes in customer support.


[edit] All running again now

Moa 1.2.0b released [Friday, 28 August 2009 10:20]
Written by Richard Talbutt   

A route to use one of the 3 exploits we patched was found remaining in a handful of the sources/page_*.php files. We had fixed them to guard against exploits if correctly included from the main index.php, but not if included directly, which left them open. The particular exploit allowed remote code to be executed on the server holding Moa, but only if two outdated options were turned on (against the defaults) or a very old version 4.x of PHP was in use. PHP 5.3+ has had the main offending option removed completely as it was a common security issue. Also, a bug regarding a fresh install was found and corrected.

Many thanks to Sven over at secunia.com for pointing out these remaining holes.


The new downloads can be found on our Sourceforge page as usual, or direct links are here -



As before just upload over the top of 1.2.0 or 1.2.0a, no upgrade needed. If you have a previous version of Moa just upload and follow the update link at the top of the page. No new features are added from the default 1.2.0 install, this is purely a security release. Make sure you set permissions to allow the web server user to write to ./images and ./images/thumbs after you copy the new version or you may have problems uploading new pictures. The upgrade will check for this from version 1.2.1 onwards but is not present in 1.2.0.

A note for any future security issues. We do expect users to have a reasonably up to date server environment. Web hosts should have the dangerous options already turned off and be using a recent web server release. If you have your own server or VPN then it is pretty easy to upgrade and change the php.ini (the two options to turn off are register_globals and allow_url_include) to secure yourself.

If new Moa exploits are found that rely on known and fixable PHP/Apache flaws such as register_globals, and a new Moa release is coming within a few weeks, we will most likely wait and put the fixes directly into that rather than issue a patch.

If the next update is going to be a while or it is an issue that affects up-to-date servers then we will put out a patch ASAP like the current one.

Either way we will pass on information about possible exploits if and when we find out about them. Of course bugs in Moa will have a patch if needed.


If anyone finds any new problems, feel free to let us know via e-mail.
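
As an added example (not part of the original post or Moa's code): a small Python check that reads a php.ini and reports whether register_globals or allow_url_include, the two options named in the 1.2.0b post above, are enabled. The sample files are constructed and the function names are this example's own; settings applied outside php.ini (web server config, per-directory overrides) are not covered.

```python
import re

# The two directives the post says to turn off. Assumption: a directive the
# file does not set is treated as off (PHP's built-in default for both).
RISKY = {"register_globals": False, "allow_url_include": False}
# Keywords php.ini accepts as boolean true (case-insensitive); the rest is off.
TRUE_WORDS = {"1", "on", "yes", "true"}

def parse_flags(ini_text):
    """Return {directive: bool} for the risky directives; last assignment wins."""
    state = dict(RISKY)
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()   # ';' starts a comment
        if not line or line.startswith("["):  # skip blanks and [section] headers
            continue
        m = re.match(r"([A-Za-z0-9_.]+)\s*=\s*(.*)$", line)
        if not m:
            continue
        key = m.group(1)                      # directive names are case sensitive
        value = m.group(2).strip().strip("\"'").lower()
        if key in state:
            state[key] = value in TRUE_WORDS
    return state

def audit(ini_text):
    """List the risky directives that are enabled, sorted by name."""
    return sorted(k for k, on in parse_flags(ini_text).items() if on)

# Constructed sample files, not taken from any real host.
WEAK_INI = """\
[PHP]
; legacy settings carried over from an old install
register_globals = On
allow_url_fopen = On
allow_url_include = "1"
"""

HARDENED_INI = """\
[PHP]
register_globals = On   ; stale line, overridden below
register_globals = Off
;allow_url_include = On
allow_url_fopen = On
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        found = audit(text)
        print(name, "->", ", ".join(found) if found else "both options off")
```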

