1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

XenForo Media Gallery 1.0.9 Released (Security Fix)

Discussion in 'Announcements' started by XenForo, Jul 27, 2015.

  1. XenForo

    XenForo Company Info Staff Member

    We have recently become aware of a security issue within XenForo Media Gallery and have released a patch and new version (XenForo Media Gallery 1.0.9) to resolve this issue. We strongly recommend all XenForo Media Gallery customers follow the steps below to resolve this issue.

    The issue is a cross site scripting (XSS) flaw that could allow an attacker to steal cookies or force a user to take actions without their consent or knowledge (possibly including administrative actions).

    We would like to thank @batpool52! for bringing this to our attention.

    If you have any questions relating to installing this patch or upgrading to the new version, please post in the Media Gallery Support forum.

    Method 1: Upgrade to the New Version

    The security fix can be applied by downloading XenForo Media Gallery 1.0.9 from your customer area and upgrading XenForo Media Gallery as normal.

    This release also fixes an issue with view permissions not being set on new installs for the Example Category.

    Method 2: Install the Patch

    Download the patch zip file attached to the end of this message. It contains 8 files:
    • js/xengallery/media_add.js
    • js/xengallery/media_lightbox.js
    • js/xengallery/min/media_add.js
    • js/xengallery/min/media_lightbox.js
    • library/XenGallery/ViewPublic/Media/BbCode.php
    • library/XenGallery/ViewPublic/Media/DoUpload.php
    • library/XenGallery/ViewPublic/Media/Edit.php
    • library/XenGallery/ViewPublic/Media/PreviewVideo.php
    These 8 files should be uploaded to your server, overwriting the existing files of the same names.

    Note that this patch supersedes version 1.0.8, therefore you only need to apply this patch to resolve the issues.

    Note that with this method there is no outward indication that the patch has been applied. We recommend upgrading if possible.

    Attached Files:

    Last edited by a moderator: Jul 27, 2015
    Eagle, Puntocom, Robru and 5 others like this.

Share This Page