In order to apply the security fix included in XenForo 1.4.13 or 1.5.10 to XenForo Media Gallery 1.0, XenForo Media Gallery 1.0.10 has been released.
This fixes the server-side request forgery (SSRF) security issue. This could allow an attacker to use your server to bypass your server's firewall and make internal requests. Depending on the services found, this could lead to privilege escalation or remote code execution.
This is a potentially serious issue and we strongly recommend all customers running XenForo Media Gallery 1.0 follow one of the below methods to fix this security issue. You must also follow the instructions in the XenForo 1.4.13 or 1.5.10 release announcements for this patch to be effective.
Please note that XenForo Media Gallery 1.1.5 and newer will automatically be secured from this issue if you follow the instructions in the XenForo 1.5.10 release announcement.
If you have any questions relating to installing this patch or upgrading to the new version, please post in the Media Gallery Support forum.
Method 1: Upgrade to the New Version (Recommended)
The security fix can be applied by downloading XenForo Media Gallery 1.0.10 from your customer area and upgrading XenForo Media Gallery as normal.
You must also follow the instructions in the XenForo 1.4.13 or 1.5.10 release announcements to fully fix this issue.
Method 2: Install the Patch
Download the patch zip file attached to the end of this message. It contains 4 files:
You must also follow the instructions in the XenForo 1.4.13 or 1.5.10 release announcements to fully fix this issue.
Note that with this method there is no outward indication that the patch has been applied. We recommend upgrading if possible.
This fixes the server-side request forgery (SSRF) security issue. This could allow an attacker to use your server to bypass your server's firewall and make internal requests. Depending on the services found, this could lead to privilege escalation or remote code execution.
This is a potentially serious issue and we strongly recommend all customers running XenForo Media Gallery 1.0 follow one of the below methods to fix this security issue. You must also follow the instructions in the XenForo 1.4.13 or 1.5.10 release announcements for this patch to be effective.
Please note that XenForo Media Gallery 1.1.5 and newer will automatically be secured from this issue if you follow the instructions in the XenForo 1.5.10 release announcement.
If you have any questions relating to installing this patch or upgrading to the new version, please post in the Media Gallery Support forum.
Method 1: Upgrade to the New Version (Recommended)
The security fix can be applied by downloading XenForo Media Gallery 1.0.10 from your customer area and upgrading XenForo Media Gallery as normal.
You must also follow the instructions in the XenForo 1.4.13 or 1.5.10 release announcements to fully fix this issue.
Method 2: Install the Patch
Download the patch zip file attached to the end of this message. It contains 4 files:
- library/XenGallery/Helper/String.php
- library/XenGallery/Model/File.php
- library/XenGallery/Thumbnail/Abstract.php
- library/XenGallery/ViewPublic/Media/PreviewVideo.php
You must also follow the instructions in the XenForo 1.4.13 or 1.5.10 release announcements to fully fix this issue.
Note that with this method there is no outward indication that the patch has been applied. We recommend upgrading if possible.