viruskiller

Important security update!

Lazyest Gallery 1.0.29 or lower contains two vulnerabilities.
The image popup script in lazyest-popup.php could allow cross-site scripting. This vulnerability was found by High-Tech Bridge SA, who rated it a medium risk vulnerability.
The image processor for on-the-fly image creation could allow people to find the absolute path in which the plugin is installed. This vulnerability was found by High-Tech Bridge SA, who rated it a low risk vulnerability.
Please download version 1.0.30 to fix these vulnerabilities.
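The two bug classes named above, shown as an added illustrative example in PHP. This is not Lazyest Gallery's code and not the fixed code from 1.0.30; the function names, the `image` request parameter and the thumbnail directory are assumptions made for the illustration. Each class is shown as a hypothetical vulnerable pattern next to a hardened form:

```php
<?php
// Added illustrative example (not Lazyest Gallery's code): the two bug classes
// named in the advisory, each as a hypothetical vulnerable form and a hardened form.

// --- 1. Reflected cross-site scripting in an image popup script -------------
// Vulnerable pattern (hypothetical): a request parameter is echoed straight into
// markup, so whatever the visitor's browser receives in the URL ends up in the page.
function popup_vulnerable(array $get): string {
    $image = $get['image'] ?? '';
    return '<img src="' . $image . '" alt="' . $image . '" />';
}

// Hardened form: validate the value against what it is supposed to be (a bare
// image file name, no directory parts) and encode it for the HTML attribute context.
function popup_hardened(array $get): string {
    $image = $get['image'] ?? '';
    if (!preg_match('/^[A-Za-z0-9_\-]+\.(jpe?g|png|gif)$/', $image)) {
        return '';  // anything that is not a plain image file name is rejected
    }
    $safe = htmlspecialchars($image, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<img src="' . $safe . '" alt="' . $safe . '" />';
}

// --- 2. Full path disclosure in an on-the-fly image processor ---------------
// Vulnerable pattern (hypothetical): when the file is missing, imagecreatefromjpeg()
// raises a PHP warning; with display_errors enabled that warning is sent to the
// client and contains the absolute path of the script, i.e. the install directory.
function thumbnail_vulnerable(string $dir, string $name) {
    return imagecreatefromjpeg($dir . '/' . $name);
}

// Hardened form: resolve the path, confirm it stays inside the gallery directory,
// and answer a failed load with a generic status code instead of PHP's own warning.
function thumbnail_hardened(string $dir, string $name) {
    $base = realpath($dir);
    $path = realpath($dir . '/' . basename($name));
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        http_response_code(404);  // no path information leaves the server
        return null;
    }
    $img = @imagecreatefromjpeg($path);  // suppress the warning text, keep the result check
    if ($img === false) {
        http_response_code(500);
        return null;
    }
    return $img;
}
```

Inside WordPress, `esc_attr()` does the attribute encoding that `htmlspecialchars()` does here. The `@` operator only hides the warning for that one call; on a production site `display_errors` should be off in php.ini anyway, so that any warning a plugin does let through goes to the error log rather than to the visitor.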

5 thoughts on “Important security update!”

  1. Fred

    Hi,

    maybe you wanna inform the HighTech-guys that you provide a fix for the vulnerability, so they can update the information on their page.

    “Solution:
    Currently we are not aware of any vendor-supplied patches or other solutions. If you are aware of more recent information related to this issue please notify us: advisory@htbridge.ch

    Thanks for the fix btw ;)

    Cheers,
    Fred

    1. Marcel

      Hi Fred,
      I have sent e-mails to this address more than once. They never ever reply.
      They state that they had notified the vendor on February 24th, but I have never seen anything from them. They didn’t react to any request for information about the vulnerability. I wouldn’t call their approach ‘Ethical Hacking’.

  2. ck

    One issue that I have tested out on multiple standard themes – is that if pagination is used in a post – a certain interruption to the display of the wordpress theme seems to happen in certain circumstances.

    Basically, the display of the sidebar backgrounds (and/or the sidebars themselves) seems to get interrupted – when:
    a) pages above 1 are being viewed – i.e. pages 2,3,4,etc
    AND
    b) the pagination is being activated when the post is in a blog style listing – i.e. is one of a series of posts listed – and not being viewed as a single post page on its own. When the post is being viewed by itself (i.e. at its own unique post url), the issue doesn’t happen – only in the multipost, blog listing format of say: Your latest posts.

    For the sake of example, two standard WP themes this happens with are: Martin 1.0 by Themestown & Easel 2.0.6 by Philip M. Hofer (Frumph) – both accessible & installable via the WP control panel.

    btw: am posting in this thread as only one listing beta 4.

  3. ck

    Hi Marcel, with beta 4 or the latest dev version, when clicking the slideshow button in a post – I just get the words ‘Loading…’ on screen – and no slideshow loads. Was working on server on previous versions. I see in the dev log – a recent entry states: remove inline styles for frontend post and page slideshows. Is this related to the issue – and if so – will it be a permanent removal.

    I’m not getting the slideshow button working when in the actual galleries either.

    1. ck

      quick extra to above – it could be to do with permissions again on the slides folder – though looks ok – and slide images are being placed into the folder.

Comments are closed.