1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

XenForo Media Gallery Security Patch (1.0.1a)

Discussion in 'Announcements' started by XenForo, Dec 29, 2014.

  1. XenForo

    XenForo Company Info Staff Member

    We have recently become aware of a security issue relating to a third-party library included with XenForo Media Gallery and have released a patch to resolve this issue. The issue is a cross site scripting (XSS) flaw that could allow an attacker to steal cookies or force a user to take actions without their consent or knowledge (possibly including administrative actions). We recommend all XenForo Media Gallery customers use one of the methods described below to resolve this issue and improve their security.

    If you have any questions regarding this patch, please post in the Media Gallery Support forum.

    Method 1: Install the Patch

    Download the patch zip file attached to the end of this message. It contains 3 files:
    • js/xengallery/media_share.js
    • js/xengallery/ZeroClipboard.swf
    • js/xengallery/min/media_share.js
    These 3 files should be uploaded to your server, overwriting the existing files of the same names.

    You can confirm that the patch has been applied properly by viewing a media item and looking at the "Share This Media" block. There should be no "copy" buttons next to the text-based sharing options. (Please note that you may have to hard refresh your browser to ensure that cached JS files are not used.)

    Method 2: Download XFMG 1.0.1a and upload all files

    The version of XenForo Media Gallery has been updated in the customer area to 1.0.1a to indicate that the patch has been applied to the original version of 1.0.1. (Please note that the version number listed in the XenForo control panel will not change. You can confirm that you have downloaded 1.0.1a by looking at the file name of the zip containing the XFMG files.)

    The patch can be applied by downloading 1.0.1a from the customer area and acting as if you are upgrading XFMG as normal.

    You can confirm that the patch has been applied properly by viewing a media item and looking at the "Share This Media" block. There should be no "copy" buttons next to the text-based sharing options. (Please note that you may have to hard refresh your browser to ensure that cached JS files are not used.)
     

    Attached Files:

Share This Page