Remote Privilege Escalation Exploit
solar-flare
06-03-2006, 02:43 PM
FYI, milw0rm is reporting a Remote Privilege Escalation Exploit in PP <= 1.5
http://www.milw0rm.com/exploits/1868
Thx for link.
For now, without testing, but having looked at the security hole, a fast fix looks like this:
1) find:
} // end imageprint
// fix a popuplink
$tpl = ereg_replace("<SITE_TITLE>",$pixelpost_site_title,$tpl);
if(isset($_GET['x']) &&$_GET['x'] == "browse")
{
$thumb_output = "";
$where = "";
if($_GET['category'] != "")
2) replace it with:
} // end imageprint
// fix a popuplink
$tpl = ereg_replace("<SITE_TITLE>",$pixelpost_site_title,$tpl);
if(isset($_GET['x']) &&$_GET['x'] == "browse")
{
$thumb_output = "";
$where = "";
if(is_numeric($_GET['category']) && $_GET['category'] != "")
Now I'm going out, so the rest must wait for a while.
In fact, there seem to be three exploits there.
se.nsuo.us
06-04-2006, 03:35 AM
Sigh! finally someone else got to it and published...
Fixes are easy - but it is Sunday morning here ;)
As for the register_globals = On exploit, anyone who runs a server with that setting is doomed anyway.
In the case of register_globals = On, everything depends on variables_order, which by default is secure:
variables_order = "EGPCS"
Next, the fix for register_globals.
Affected files:
/admin/categories.php
/admin/comments.php
/admin/images_edit.php
/admin/new_image.php
/admin/options.php
/admin/view_addons.php
/admin/view_info.php
Find at beginning of each:
if(!isset($_SESSION["pixelpost_admin"]) || $cfgrow['password'] != $_SESSION["pixelpost_admin"]) {
die ("Try another day!!");
}
and replace with:
if(!isset($_SESSION["pixelpost_admin"]) || $cfgrow['password'] != $_SESSION["pixelpost_admin"] || $_GET["_SESSION"]["pixelpost_admin"] == $_SESSION["pixelpost_admin"]) {
die ("Try another day!!");
}
PS: In a minute there will be a CVS fix.
Next, a fast fix for point 2. There will probably be a better one in the future.
Find in /index.php (line 681/712):
ELSE IF ($_GET['archivedate'] != "")
and replace it with:
ELSE IF ($_GET['archivedate'] != "" && strlen($_GET['archivedate']) < 20)
Joe[y]
06-04-2006, 12:18 PM
Is point 4 fixed on that? It scares me! But I don't fully understand how it works.
Connie
06-04-2006, 03:36 PM
Have a look at www.photografitti.de
I cannot log in anymore; my hoster says he did nothing...
Something like "wait for redirect..."
Is this caused by some of these exploits?
I forgot about this one.
At beginning of /admin/index.php find:
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*/
and replace with:
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*/
// variable clean up
if(isset($_GET["loginmessage"])) $loginmessage = "";
se.nsuo.us
06-04-2006, 03:44 PM
@GeoS You will have to add a check for $_POST in the register_globals off fix, and $archivedate should be tested against a regex.
@Connie - probably yes
Connie
06-04-2006, 03:49 PM
My problem is solved.
I tested one option which is offered by Confixx, a so-called @-domain, whatever that is, and this broke everything at my new webspace.
A good start at a new hoster...
But nothing to do with exploits etc., I am glad.
OK, fixed also against the POST method. The only remaining issue is a better solution for $_GET['archivedate'].
On my server it is on, but still there was no problem with this exploit. It all depends on the configuration.
Now I'm wondering about switching it off, but I don't know what the rest of the server's users think about this.
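A consolidated version of the three checks discussed in this thread (the is_numeric test on $_GET['category'], the $_SESSION override check on the admin pages, and the strlen test on $_GET['archivedate']), written as an added example for this page and not as Pixelpost's own code. It follows se.nsuo.us's suggestions to cover $_POST as well as $_GET and to validate archivedate with a regex instead of a length check. The YYYYMMDD date format, the positive-integer category id, the cookie check and all function names are assumptions for illustration; Pixelpost's real parsing of archivedate may differ, so adapt the pattern to what your index.php actually expects.

```php
<?php
// Added example, not Pixelpost code. Hardened replacements for the three
// quick fixes posted in this thread. ASSUMPTIONS: category is a positive
// integer id, archivedate is an eight-digit YYYYMMDD string.

/**
 * Return the category as a positive integer, or null if the value is not a
 * plain decimal integer. Unlike is_numeric(), this rejects "1e3", " 7",
 * "0x1f" and of course "1 OR 1=1". The /D modifier stops "$" from matching
 * before a trailing newline.
 */
function clean_category($raw)
{
    if (!is_string($raw) || !preg_match('/^[1-9][0-9]{0,9}$/D', $raw)) {
        return null;
    }
    return (int) $raw;
}

/**
 * Return the archive date if it is exactly eight digits forming a real
 * calendar date, otherwise null. A length check alone (strlen < 20) still
 * lets a short injection such as "2006' OR '1'='1" through.
 */
function clean_archivedate($raw)
{
    if (!is_string($raw) || !preg_match('/^(\d{4})(\d{2})(\d{2})$/D', $raw, $m)) {
        return null;
    }
    if (!checkdate((int) $m[2], (int) $m[3], (int) $m[1])) {
        return null;
    }
    return $raw;
}

/**
 * True if the request tries to smuggle session data in through request
 * variables, which with register_globals = On can shadow $_SESSION.
 * Looks at GET, POST and cookies (the thread's fix covers GET, then POST).
 */
function request_carries_session_override(array $get, array $post, array $cookie)
{
    foreach (array($get, $post, $cookie) as $src) {
        if (array_key_exists('_SESSION', $src) || array_key_exists('HTTP_SESSION_VARS', $src)) {
            return true;
        }
    }
    return false;
}

/**
 * Admin gate for the /admin/*.php pages: refuse any session-override
 * attempt first, then require a session value strictly equal (===) to the
 * stored password value, as the original die("Try another day!!") check does.
 */
function admin_authorised(array $session, $cfg_password, array $get, array $post, array $cookie)
{
    if (request_carries_session_override($get, $post, $cookie)) {
        return false;
    }
    if (!isset($session['pixelpost_admin'])) {
        return false;
    }
    return (string) $cfg_password === (string) $session['pixelpost_admin'];
}

// Constructed sample inputs (not real traffic) exercising the helpers.
$category_cases = array(
    array('7', 7),
    array('1 OR 1=1', null),
    array('0x1f', null),
    array('1e3', null),
    array("7\n", null),
);
foreach ($category_cases as $case) {
    assert(clean_category($case[0]) === $case[1]);
}
assert(clean_archivedate('20060604') === '20060604');
assert(clean_archivedate('20060631') === null);          // June has 30 days
assert(clean_archivedate("2006' OR '1'='1") === null);

// Only after validation does the value reach the $where clause from index.php.
$cat = clean_category('7');
$where = ($cat === null) ? '' : 'WHERE category = ' . $cat;

$forged = array('_SESSION' => array('pixelpost_admin' => 'secret'));
assert(admin_authorised(array('pixelpost_admin' => 'secret'), 'secret', array(), array(), array()) === true);
assert(admin_authorised(array('pixelpost_admin' => 'secret'), 'secret', $forged, array(), array()) === false);
assert(admin_authorised(array(), 'secret', array(), array(), array()) === false);
echo "all checks passed\n";
```

Dropping the value (returning null and leaving $where empty) rather than trying to "clean" it keeps the query path free of attacker-controlled text; the longer-term fix, as the thread notes, is the complete rewrite in CVS.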
se.nsuo.us
06-05-2006, 10:11 AM
Here is a fixed paged_archive.php file which is also affected by the exploit
http://se.nsuo.us/contrib/paged_archive.phps
Has a regex fix for date issue (hope it works ;) )
SirBaldMan
06-09-2006, 10:34 PM
I read through this thread and the question comes to mind, and maybe others have the same question: What, if anything does this mean to the folks that shoot photos and post them using PP? Do I need to go out and edit a file on my server, or upload something new? Or maybe I need to do nothing?
I know this is a "Bug Report" thread, however, I read Exploit in the title of the thread and I get concerned.
In some time there will be a next version of Pixelpost with a complete fix for all these issues. Right now you can find it in CVS:
http://pixelpost.cvs.sourceforge.net/pixelpost/pixelpost_dev/