XenForo Media Gallery 1.0.8 Released (Security Fix)

We have recently become aware of a security issue relating to a third-party library included with XenForo Media Gallery and have released a patch to resolve this issue. The issue is a cross site scripting (XSS) flaw that could allow an attacker to steal cookies or force a user to take actions without their consent or knowledge (possibly including administrative actions). We recommend all XenForo Media Gallery customers use one of the methods described below to resolve this issue and improve their security.

We would like to thank @TickTackk for bringing this to our attention.

If you have any questions regarding this patch, please post in the Media Gallery Support forum.

Method 1: Install the Patch

Download the patch zip file attached to the end of this message. It contains 2 files:
  • js/xengallery/media_add.js
  • js/xengallery/min/media_add.js
These 2 files should be uploaded to your server, overwriting the existing files of the same names.

Note that with this method there is no outward indication that the patch has been applied.

Method 2: Upgrade to the New Version

The security fix can be applied by downloading 1.0.8 from your customer area and upgrading XenForo Media Gallery as normal.

Customers Running XenForo Media Gallery 1.1.0 Beta 1

The security issue affects this version as well but requires different changes. These will be fixed when 1.1.0 Beta 2 released at its normal time. As we do not recommend running beta versions in production, you should simply be able to wait until the next release for the fix. However, if you must apply a fix now, please click the button below for patching instructions. Note that this is not a method we can officially support.

The following instructions apply only if you are running 1.1.0 Beta 1. If you are running any other previous version, you should use one of the above methods.

To manually patch, you can use the version of several JS files currently available here. Follow each link and save the page as the named file:
 

Attachments

Top Bottom