• Hi,

    I love this plugin, however I want to make some suggestions regarding security issues and features.

    1. Remove <meta name='NextGEN' content='1.6.2' /> completely or hackers will know the version
    2. Add warnings that folders are still writable.
    3. Allow us to disable and or remove upload scripts like

      upload.php
      media-upload.php
      addgallery.php

    I commented out //require_once (dirname (__FILE__) . '/admin/media-upload.php'); in nggallery.php to disable the scripts.

    4. Find solution to avoid 777 to add galleries. I know that creating subfolders requires write permission, but I am sure it is possible to avoid it or make it more secure.

    I am pretty sure that someone can abuse the scripts and gain access quickly when folders are still 777, as this happened to me before and a lot of galleries were deleted.

    5. Please improve the search function and allow us to search for galleries instead of images. I have 50 pages of galleries, how am I supposed to find any album and add new images to it?

    6. Please improve the album.php and add checkboxes to add galleries to an album. The current album manager is practically not usable with over 20 galleries.

    I hope you find this helpful to improve the security and usability of the plugin. NGGallery is currently the best plugin to add images to a WordPress blog, but there are many security issues and usability issues that need to be addressed.

    Thank you for developing such a great plugin, loving it!
    Best,
    Oliver
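
The version-disclosure check behind point 1 above, as an added example that is not part of the original post or of NextGEN Gallery's own code: a POSIX shell script that pulls the version from a `<meta name='NextGEN'>` tag in a saved page and, going one step beyond the post, from a plugin readme.txt's "Stable tag" line (the standard WordPress plugin readme field, which discloses the same number if the readme is web-readable). The file names, the sample page and the readme content are constructed for the example; in practice the page would be `curl -s` output of the blog's front page.

```shell
#!/bin/sh
# Added example (not from the forum thread or the plugin): check whether a
# saved page leaks the NextGEN version via a <meta name="NextGEN"> tag, and
# whether a reachable plugin readme.txt leaks it via its "Stable tag" line.
# Both inputs are local files so the check runs offline.

# Print the version from a <meta name='NextGEN' content='x.y.z'> tag, if any.
# Accepts single or double quotes and either attribute order inside the tag.
nextgen_meta_version() {
    file="$1"
    grep -io "<meta[^>]*name=['\"]nextgen['\"][^>]*>" "$file" \
        | sed -n "s/.*content=['\"]\([^'\"]*\)['\"].*/\1/p" \
        | head -n 1
}

# Print the "Stable tag" from a WordPress plugin readme.txt, if present.
readme_stable_tag() {
    file="$1"
    sed -n 's/^[Ss]table tag:[[:space:]]*//p' "$file" | head -n 1
}

# Report every leak found in PAGE_FILE and (if it exists) README_FILE.
# Returns 0 when nothing leaks, 1 when at least one version was exposed.
report_version_leaks() {
    page="$1"; readme="$2"; leaks=0
    v=$(nextgen_meta_version "$page")
    if [ -n "$v" ]; then
        echo "LEAK: page exposes NextGEN version $v in a <meta> tag"
        leaks=1
    fi
    if [ -f "$readme" ]; then
        t=$(readme_stable_tag "$readme")
        if [ -n "$t" ]; then
            echo "LEAK: readme.txt is reachable and names Stable tag $t"
            leaks=1
        fi
    fi
    return $leaks
}

# Constructed sample input (not real site output) so the script runs offline.
demo_dir=$(mktemp -d)
cat > "$demo_dir/page.html" <<'EOF'
<html><head><title>Blog</title>
<meta name='NextGEN' content='1.6.2' />
</head><body>gallery</body></html>
EOF
cat > "$demo_dir/readme.txt" <<'EOF'
=== NextGEN Gallery ===
Stable tag: 1.6.2
EOF
if report_version_leaks "$demo_dir/page.html" "$demo_dir/readme.txt"; then
    echo "no version leak found"
fi
rm -rf "$demo_dir"
```

Removing the meta tag only helps if the readme.txt (and similar files such as changelogs) are not readable under the plugin directory as well; the script reports both so the check is not half done.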

Viewing 3 replies - 1 through 3 (of 3 total)
  • 1. It's useful for support; it doesn't help to avoid hacking.
    2. Why?
    3. Why? Do you also disable the WP Core upload scripts?
    4. You don't need a global write permission; use the same function here as WP Core.
    5. Search will be improved in the next release and ongoing.
    6. Yes, a reworked album page is needed; I have this on my to-do list.

  • 1. It's a security risk and many want to remove it (do a search on this forum). They can look into the readme file for version numbers.
    2. Some people may not know that this is a security risk and need to be reminded. Other plugin authors also do this as a precaution.
    3. Yes, I disabled the upload scripts because I don't need them and they can be exploited. Others might also want to disable them for security reasons.
    4. Well, this depends on your server configuration. A lot of servers that run Apache as nobody (WHM default configuration) require 777 on the gallery folder. A solution is mod_suphp, but if you know a way around this, it surely would improve the security of the plugin.
    5.+6. Sounds good!

  • Well, I'm not a security expert and I also don't know all the ways of hacking, but AFAIK I'm using the same upload mechanism / folder check as WordPress Core. And I don't know about a current exploit. If you know some ways, please be so kind and send me an email; I will fix them!

    Securing your installation by disabling all upload features is another way, and you probably know what code you need to change.
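
Points 2 and 4 of the original post, and the exchange above about Apache running as nobody and mod_suphp, come down to one question per directory: who must write here, and does that require the world-write bit? The following POSIX shell script is an added example, not code from this thread or from NextGEN Gallery. It lists world-writable directories under a gallery root, says whether a given web server user could still write each one through owner or group permission once `o-w` is applied, and strips the world-write bit from the tree. The gallery path, the web server user name (`nobody` as the default, matching the reply above) and the demo tree are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread or the plugin): audit a gallery tree for
# world-writable (777-style) directories, decide whether a given web server
# user actually needs o+w to write there, and tighten the modes.
# Assumes a Unix host; the gallery root (e.g. wp-content/gallery) and the
# web server user are placeholders supplied by the caller.

# List directories under ROOT that anyone on the host may write to.
world_writable_dirs() {
    find "$1" -type d -perm -002
}

# Print "yes" (status 0) if USER can write DIR through the owner or group
# bits, so o+w is unnecessary; "no" (status 1) if only o+w lets USER write.
# Assumes a directory name without whitespace (ls -ld output is word-split).
user_can_write_without_o() {
    dir="$1"; user="$2"
    set -- $(ls -ld "$dir")          # e.g. drwxrwxrwx 2 owner group ...
    mode="$1"; owner="$3"; group="$4"
    if [ "$owner" = "$user" ] && [ "$(printf '%s' "$mode" | cut -c3)" = "w" ]; then
        echo yes; return 0
    fi
    if [ "$(printf '%s' "$mode" | cut -c6)" = "w" ]; then
        for g in $(id -Gn "$user" 2>/dev/null); do
            if [ "$g" = "$group" ]; then echo yes; return 0; fi
        done
    fi
    echo no; return 1
}

# Report each world-writable directory under ROOT and whether WEBUSER would
# still be able to write it after chmod o-w. Status 0 only when the tree
# has no world-writable directory at all. Assumes paths without whitespace.
audit_gallery() {
    root="$1"; webuser="$2"; n=0
    for d in $(world_writable_dirs "$root"); do
        n=$((n + 1))
        if user_can_write_without_o "$d" "$webuser" >/dev/null; then
            echo "WORLD-WRITABLE $d : safe to chmod o-w ($webuser has owner/group write)"
        else
            echo "WORLD-WRITABLE $d : $webuser relies on o+w; fix ownership before chmod o-w"
        fi
    done
    [ "$n" -eq 0 ]
}

# Strip only the world-write bit from directories and files under ROOT;
# owner and group bits are left exactly as they were.
harden_tree() {
    find "$1" \( -type d -o -type f \) -perm -002 -exec chmod o-w {} +
}

# Constructed demo tree (not a real site): one 777 album, one 755 album.
demo=$(mktemp -d)
mkdir -p "$demo/gallery/album1" "$demo/gallery/album2"
chmod 777 "$demo/gallery/album1"
chmod 755 "$demo/gallery/album2"
if audit_gallery "$demo" "${WEB_USER:-nobody}"; then
    echo "no world-writable directories under $demo"
fi
rm -rf "$demo"
```

A "relies on o+w" line is exactly the WHM-style situation described in the reply above: the directory belongs to the hosting account, Apache runs as nobody, and only 777 lets uploads succeed. The cure is ownership rather than mode bits: either chown the gallery tree to the web server user, or run PHP as the account owner (suPHP/mod_suphp, as suggested above), after which `harden_tree` drops world write without breaking uploads. Run `audit_gallery` first and `harden_tree` only once every line reads "safe to chmod o-w".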

  • The topic ‘[Plugin: NextGEN Gallery] Security Issues Suggestions’ is closed to new replies.