Security problems - Path traversal attack and XSS attack

Is this something we are to

Is this something we are to edit ourselves???

Security issues like this worry me. I love the album software, but don't want to risk everything on my server for it.

I wonder why the author of PHPAlbum has not responded to the original post.

You don't need an answer

You don't need an answer from the author: in my post you find the problem and the solution, so apply my "patch".

Hi Sparviero, I do not think

Hi Sparviero,

I do not think the point 1) is critical, as it only works if you have an FTP password for that site, and if you have this, you can do the same with any FTP-Client, so there is no need for any other checks.

The point 2) is indeed critical and will be fixed now, hope I can release new bugfix today.

@shcick: I know it is bad, but I did not have the time for this project in the last few months, and I am sorry for that.


About 1st point, most

Right, but I prefer to add a security level embedded into the PHP code: a few months ago I found an ISP that gave me an FTP account usable only on localhost for my PHP code.
In that case, unfortunately, the account was not chrooted.
For the same reasons, I prefer to add the path check and the extension check so people can't upload some "strange" files like .sh, .php, etc.
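As an added example (not PHPAlbum code and not code posted by anyone in this thread), the following shows how an upload path check and extension check of the kind described above can be written in PHP. The constant, the function name and the demo directory are hypothetical; the check canonicalises the destination with realpath() so that "..", symlinks and duplicate slashes are resolved before the directory comparison, and it compares only the final extension against an allowlist.

```php
<?php
// Added example, not part of PHPAlbum. Names here are hypothetical.

// Allowlist of extensions an album upload may carry (lowercase).
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif'];

/**
 * Returns the absolute, validated destination path for an upload, or null
 * when the request must be rejected.
 *
 * @param string $uploadRoot Directory uploads are confined to (must exist).
 * @param string $userPath   Relative path supplied by the client.
 */
function validate_upload_destination(string $uploadRoot, string $userPath): ?string
{
    // Reject NUL bytes: they can truncate the name in lower-level filesystem calls.
    if (strpos($userPath, "\0") !== false) {
        return null;
    }

    // Extension check: only the last extension counts, compared case-insensitively,
    // so "photo.php.jpg" is accepted while "shell.jpg.php" is not.
    $ext = strtolower(pathinfo($userPath, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return null;
    }

    // Path check: canonicalise the root and the parent of the destination,
    // then require the parent to be the root itself or sit below it.
    // A plain string comparison on the raw input would miss "..", symlinks
    // and duplicate slashes; realpath() resolves all of them.
    $root = realpath($uploadRoot);
    if ($root === false) {
        return null;
    }
    $parent = realpath($root . DIRECTORY_SEPARATOR . dirname($userPath));
    if ($parent === false) {
        return null; // parent directory does not exist: never create it on demand
    }
    $inside = ($parent === $root)
        || (strncmp($parent, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) === 0);
    if (!$inside) {
        return null;
    }

    return $parent . DIRECTORY_SEPARATOR . basename($userPath);
}

// Constructed demonstration (run from the command line); the directory is hypothetical.
$demoRoot = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'album_demo';
if (!is_dir($demoRoot)) {
    mkdir($demoRoot);
}
var_dump(validate_upload_destination($demoRoot, 'holiday.JPG'));     // string: path inside $demoRoot
var_dump(validate_upload_destination($demoRoot, '../outside.jpg'));  // NULL: parent escapes the root
var_dump(validate_upload_destination($demoRoot, 'backdoor.php'));    // NULL: extension not allowed
var_dump(validate_upload_destination($demoRoot, "pic.jpg\0.php"));   // NULL: NUL byte in name
```

The returned path is the only one that should be handed to move_uploaded_file(); the original client-supplied string is never used for the write. Because the parent must already exist under the root, the check also refuses to create arbitrary directory structures on the server.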

