Piwigo.org

Earth Island Matthew · 2015-04-09 23:11:25

Hello,
I'm helping a colleague who found the install message instead of her fully populated gallery. I traced the problem to what appeared to be a ham-handed attack, changing the /local/config/ directory's permissions to 200 and inserting some strange obfuscated javascript and php.

I changed the permissions and deleted the anomalous files, and the gallery reappeared. 1st hurdle cleared! Afterward, however, I wanted to update the version, in case there's still vulnerabilities there... and none of the login credentials are accepted as valid. We tried the reset-password for the account, which proceeded just fine; but the new password is likewise rejected.

Could the use of 755 for the /local permissions be problematic? Is there something else I am missing? Thanks for any help or insights you can offer,
Matthew

Piwigo version: 2.5.2
PHP version: 5
MySQL version: 5
Piwigo URL: http://sponsor.eii.org/photo

flop25 · 2015-04-10 10:08:28

Hello
what is problematic is that you're running a vulnerable version of Piwigo [Forum, topic 25016] Piwigo 2.7.3, 2.6.5 and 2.5.6, security bug fixed very old ! Be sure you update any of your softwares (server, your computer, your smartphone ...)

Earth Island Matthew · 2015-04-14 21:17:16

Hi,
Thanks for your response. I hadn't been the maintainer of this gallery, and I agree that updating is important -- but I'm currently unable to log in and so I can't update it now. Any suggestions? Thanks again,
Matthew

Piwigo.org

Announcement

#1 2015-04-09 23:11:25

locked out by a hack, then the authentication

#2 2015-04-10 10:08:28

Re: locked out by a hack, then the authentication

#3 2015-04-14 21:17:16

Re: locked out by a hack, then the authentication

Board footer