1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

XenForo Media Gallery 1.0.10 Released (Security Fix)

Discussion in 'Announcements' started by XenForo, Aug 30, 2016.

  1. XenForo

    XenForo Company Info Staff Member

    In order to apply the security fix included in XenForo 1.4.13 or 1.5.10 to XenForo Media Gallery 1.0, XenForo Media Gallery 1.0.10 has been released.

    This fixes the server-side request forgery (SSRF) security issue. This could allow an attacker to use your server to bypass your server's firewall and make internal requests. Depending on the services found, this could lead to privilege escalation or remote code execution.

    This is a potentially serious issue and we strongly recommend all customers running XenForo Media Gallery 1.0 follow one of the below methods to fix this security issue. You must also follow the instructions in the XenForo 1.4.13 or 1.5.10 release announcements for this patch to be effective.

    Please note that XenForo Media Gallery 1.1.5 and newer will automatically be secured from this issue if you follow the instructions in the XenForo 1.5.10 release announcement.

    If you have any questions relating to installing this patch or upgrading to the new version, please post in the Media Gallery Support forum.

    Method 1: Upgrade to the New Version (Recommended)

    The security fix can be applied by downloading XenForo Media Gallery 1.0.10 from your customer area and upgrading XenForo Media Gallery as normal.

    You must also follow the instructions in the XenForo 1.4.13 or 1.5.10 release announcements to fully fix this issue.

    Method 2: Install the Patch

    Download the patch zip file attached to the end of this message. It contains 4 files:
    • library/XenGallery/Helper/String.php
    • library/XenGallery/Model/File.php
    • library/XenGallery/Thumbnail/Abstract.php
    • library/XenGallery/ViewPublic/Media/PreviewVideo.php
    These 4 files should be uploaded to your server, overwriting the existing files of the same names.

    You must also follow the instructions in the XenForo 1.4.13 or 1.5.10 release announcements to fully fix this issue.

    Note that with this method there is no outward indication that the patch has been applied. We recommend upgrading if possible.
     

    Attached Files:

Share This Page