YaPiG Home Page - Yet Another PHP Image Gallery

It has been long since the last Stable release. This new yapig is more or less the 0.94u but with some bugfixes and updates. All users of yapig are encouraged to update their versions. Some vulnerabilities have been published on security pages and might be used by malicious people. The main changes of this release are:


New Features
* Updated Exifier to version 1.5. Thanks to Sebastien.
* Added Polish translation (0.92b). Thanks to Kwachu (kwasimir).
* Updated Catal translation (0.92b). Thanks to Cai Roig Roca (cairoige @@@ tinet.org)
* Updated Italian translation (0.92b). Thanks to Lucio Benfante (benfy).
* Updated German translation. Thanks to Sven Schfer <pointer @@@ linux-blog.de>
* Updated French translation. Thanks to Sebastien <sebastieng @@@ pointbat.be>

Fixed Bugs
* Warning for set_timeout(#1230503).
* German locale file permisions problem. (#1230494)
* Page counter and page argument errors (#1182544)
* Vulnerability: Cross site scripting on add comment form (#1230491)
* Vulnerability: Save plain text login information in cookies (#1230491)
* Vulnerability: Arbitrary directory removal on upload.php (#1230491)
* Vulnerability: Extension checks on upload.php (#1230491)
* Vulnerability: Arbitrary file Inclusion global.php and last_gallery.php (#1230491)
* Vulnerability: Cross-site Scripting (#1230491)
* Vulnerability: Information disclosure in phid argument of view.php and slideshow.php (#1230491)
* Rotate Image thanks to Sebastian Muszynski <basti @@@ linkt.de>
* Link error in slideshow (#1173021)

You can download the file from:
http://prdownloads.sourceforge.net/yapig/yapig-0.95b.tar.gz?download

http://yapig.sourceforge.net
Regards. Natasab.

Well, in the world there are many people that has quite a lot free time (even they have time to take a look to yapig's source code!) and help us to live in a more safe computer software world. So some vulnerabilities have been discovered in yapig's code. You can take a look on them on:

http://www.osvdb.org/searchdb.php?vuln_title=&vuln_title_search_type=and&disclosure_date1=&disclosure_date2=&ext_ref_value=&ext_ref_search_type=and&ext_ref_type=0&text=&ext_txt_search_type=and&vendor=NaTaSaB&vendor_search_type=exact&base=&base_search_type=and&version=&version_search_type=and&search=search

Right now, there is no available patch. Lately, I'm quite busy so I hardly can take a look on these issues in a brief time. If you have time and enought knowledge, yapig users and me would appreciate a post on the patch section with the solution ;-). You can upload it on this URL:

http://sourceforge.net/tracker/?group_id=93674&atid=605078

Thank you. Juan (Natasab)

For some days the packaged version 0.94 was in reality 0.93 instead. If you donwloaded 0.94 recently and appears 0.93 as the script version you must download the script again.

http://prdownloads.sourceforge.net/yapig/yapig-0.94u.tar.gz?download

New Features:
* Updated Spanish Translation.
* Display some Exif information if available on the pic. Using exifier 1.4
* Slideshow. Thanks to Keith Nicholson (www.keithnicholson.net)
* Display current page and number of the image.
Fixed Bugs:
* SAFE MODE installation better explained.(#1070572)
* Security fix: now password protected galleries cannot change their
gallery thumbnail(#1056001)
* Resolved escaped \' and \" on captions (#959969)
* Problems deleting files created with Yapig due to default server umask
(#1065867)
* FINALLY FIXED JS Zoom stuff. Thanks to Christian Taepper fix! (#1025155)
* Stats dissapear due to concurrent access to text database files.

http://yapig.sourceforge.net
http://sourceforge.net/projects/yapig/

There is a bug that makes files created by yapig impossible to delete via ftp or ssh. This is because of the default user mask of the user running PHP. It is already solved on the CVS version, but for users that have 0.93u (latest) or previous, there is a patch on:

https://sourceforge.net/tracker/index.php?func=detail&aid=1107399&group_id=93674&atid=605078

It's has been ages since I could update the CVS. Since 0.93 it is running again, I will try to keep it up to date. The module that will be with the last version will be yapig (all lowercase). There are other modules on the CVS, but forget them.

We have available two new translations thanks to Bernt Egil Berntzen (zenmed) and Andrej Zatko. You can get them from the patch pages:
Norwegian:
http://sourceforge.net/tracker/index.php?func=detail&aid=1016184&group_id=93674&atid=605078
Slovak (lang-id = sk)
http://sourceforge.net/tracker/index.php?func=detail&aid=1019528&group_id=93674&atid=605078

Remember you must update your yapig to version 0.92.2 (due to security bugs)

During August Acidbits found a PHP insertion vulnerability, he sent me an email, post a bug (http://sourceforge.net/tracker/index.php?func=detail&aid=1007246&group_id=93674&atid=605076) and added a report on security pages such as SecurityFocus (http://securityfocus.com/bid/10891). I have been on holidays so I couldn't release a patched version before.

This is a heavy security bug, so users with versions previous to 0.92.2 must update their Yapig. There is an Exploit available so even script kiddies can play.

You can download the latest release from: http://prdownloads.sourceforge.net/yapig/yapig-092.2b.tar.gz?download

If you already have the 0.92b, you can download the new version and just replace functions.php and add_comment.php files with the new ones.

Thank you Acidbits.

PS: Soon there will be a new release with many fixes and some new features.

Thanks to Tadashi Jokagi (elf2000) it is available the japanese translation of yapig.

You can donwload it from:
http://sourceforge.net/tracker/index.php?func=detail&aid=1002466&group_id=93674&atid=605078

lang-id: jp