August 14, 2007
CRITICAL SECURITY UPDATE
DO NOT IGNORE

IMPORTANT: You MUST be running version 1.9.0 OR LATER.
If you are not running EZPhotoSales version 1.9.0 or later, please see the patch instructions below,
or email info@ezphotosales.com so we can complete the update for you.
We will need your FTP address, login, and password,
so please include that information in your email to expedite the process.

If you think your system has been compromised, email us (include correct FTP access info, please).
We will check out your system, repair if needed, and install the security update for you as soon as we can.

v1.9.4:
Included in this update:
Important security fixes.

  • Configuration ID & password data have been moved to a location inaccessible to browsers. The data is still encrypted, as it always has been.
  • Gallery name and password files have been moved to a location inaccessible to browsers. This protects gallery passwords and ensures client privacy.
  • The system configuration file has been moved to a location inaccessible to browsers. Photographer personal information is better protected to ensure privacy.
  • Offending code and characters can no longer be entered into the configuration area. This prevents malicious code from being uploaded via the configuration page.
  • ONLY JPGs may be uploaded for the header, logo, and gallery images. This prevents malicious files from being uploaded via the configuration page.
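Three of the fixes above (private data outside the web root, no code in configuration values, JPEG-only uploads) written out as an added PHP example. This is not EZPhotoSales code; the function names, the `ezps_private` directory and the document-root layout are assumptions.

```php
<?php
// Added example, not EZPhotoSales code. Function names and paths are assumptions.

// Sensitive files (config.dat, galleries.txt) belong OUTSIDE the document root,
// so no browser request can ever fetch them. Assumed layout: the web root is
// .../public_html, and the private data lives one level above it.
function private_data_dir(): string
{
    return dirname($_SERVER['DOCUMENT_ROOT']) . '/ezps_private';
}

// "Offending code and characters" check for configuration values: any angle
// bracket (HTML or PHP tag) or NUL byte is refused before the value is stored,
// so a later echo/include cannot turn it into executable code.
function is_safe_config_value(string $value): bool
{
    return preg_match('/[<>\x00]/', $value) === 0;
}

// Accept a header/logo/gallery upload only if it really is a JPEG.
// $tmpPath is the temporary file PHP created for the upload, $originalName the
// client-supplied name, $destDir the served image directory. Returns the stored
// path, or null when the file is rejected for any reason.
function store_jpeg_upload(string $tmpPath, string $originalName, string $destDir): ?string
{
    // 1. Extension check on the client's name: cheap, but never sufficient alone.
    $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    if (!in_array($ext, ['jpg', 'jpeg'], true)) {
        return null;
    }
    // 2. Magic bytes: every JPEG starts with FF D8 FF. A PHP script renamed
    //    to logo.jpg fails here regardless of what the extension claims.
    if (file_get_contents($tmpPath, false, null, 0, 3) !== "\xFF\xD8\xFF") {
        return null;
    }
    // 3. Let the image library parse it; only IMAGETYPE_JPEG is accepted.
    $info = @getimagesize($tmpPath);
    if ($info === false || $info[2] !== IMAGETYPE_JPEG) {
        return null;
    }
    // 4. Never keep the client's filename: generate one and force the .jpg
    //    suffix, so nothing the uploader chose ends up in a path the web
    //    server might execute.
    $dest = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(8)) . '.jpg';
    // move_uploaded_file() refuses anything that was not a real HTTP upload.
    return move_uploaded_file($tmpPath, $dest) ? $dest : null;
}
```

The configuration page would call `store_jpeg_upload($_FILES['logo']['tmp_name'], $_FILES['logo']['name'], $imageDir)` and treat a null return as a rejected upload.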

  • INSTRUCTIONS:
    BEFORE YOU START, download THIS ZIP FILE, and unzip it on your hard drive so you have the "configuration" and "libs" folders (included in that zip file) ready to go.

    BEST OPTION for visual people:
    Click the image below to open the video instructions in a new window.

    Not a video lover? Print and follow these step-by-step instructions:
  • Be sure you've downloaded THIS ZIP FILE and unzipped it on your hard drive.
  • Log in to your webspace via FTP.
  • Locate the folder that holds your EZPhotoSales installation.
    The folder will be inside your web space folder system. Most are named "OnlineViewing", but you may have chosen a different name.
  • Right-click on the "OnlineViewing" folder and open up the read/write/execute permissions.
    Different FTP programs use different names for this, but it's probably under an option such as "file/folder attributes", "permissions", or "file/folder info".
  • TURN ON ALL PERMISSIONS FOR THE FOLDER. ALL OF THEM: read, write, and execute! (777 permissions setting)
  • Double click on that folder to look inside.
  • Drag all of the PHP files (not the folders) from your hard drive (the ones you just downloaded and unzipped) into that folder on your webspace in your FTP program. (This replaces old system files with the new ones you just downloaded.)
  • Click "YES" on any warnings you see about overwriting a file that already exists on your webspace.
  • Double click on the "configuration" folder inside your FTP program.
  • Open the "configuration" folder on your hard drive that you unzipped.
  • Drag all of the files inside your "configuration" folder ON YOUR HARD DRIVE INTO the configuration folder on your web space. (This replaces the old configuration files with the new ones you downloaded.)
  • Click "YES" on any warnings you see about overwriting a file that already exists on your webspace.
  • Go back up one folder level in your FTP program, and double click on the "libs" folder to look inside.
  • Drag all of the files inside your "libs" folder ON YOUR HARD DRIVE INTO the "libs" folder on your web space. (This replaces the old libs files with the new ones you downloaded.)
  • Click "YES" on any warnings you see about overwriting a file that already exists on your webspace.
  • DO NOT QUIT YOUR FTP PROGRAM!
  • Open up a web browser (Firefox, Safari, etc.) and go to your configuration page.

  • NOTE: Some photographers are using ioncube loaders or license files that will be incompatible with this security patch. There's no way to tell if your system's loaders and license are out of date until this point in the process. If, at this point, your browser shows you a "loader" error or a "license" error, DON'T WORRY! Email us with your system's URL and your FTP access info, and we can install the updated loader and/or license for you as soon as possible.

  • Your login ID & password area will be CENTERED instead of over on the left.
  • Enter "admin" for both the user ID & password.
  • Proceed to the configuration area (you will be taken there automatically anyway).
  • Go back to your FTP program (do not quit your web browser), and open the permissions for your "OnlineViewing" folder.
  • Turn OFF WRITE permissions for "Group" and "Public" (755 permissions setting).
  • Go into your "configuration" folder on your webspace and DELETE the files "config.dat" and "galleryconfig.txt". These files have been copied into a location that can't be accessed, and the ones you are deleting will no longer be used.
  • Go into the "data" folder on your webspace and DELETE the file called "galleries.txt". This file has been copied into a location that can't be accessed, and the one you are deleting will no longer be used.
  • Quit your FTP program.
  • Return to your web browser, and CHANGE YOUR CONFIGURATION USER ID & PASSWORD to whatever you want.
  • Your system is now patched and secure.

  • Note: If you are using your own custom header.php file, it will no longer function. There are too many security risks involved, and we had to disallow custom header.php files.

    IF YOU ARE NOT RUNNING v1.9.3, follow these instructions:
    Windows users - Download the patch installer
  • CLICK HERE and download the installer to your hard drive.
  • Click "SAVE" and save the installer to your computer. Most people choose to save it to the desktop.
  • When it's on your desktop, double click the installer.
  • Click RUN.
  • This will look just like the installer you already ran before.
  • On the page that asks you for your FTP access information, click the "CHANGE" button if your EZPhotoSales system is not in a folder called "OnlineViewing".

  • Continue through the installer as you did when you first installed EZPhotoSales.

  • If you run into any problems, you can quit the installer and then run it again.
    The installer will detect your incomplete install and you can pick up where you left off.


  • If you would like the EZPhotoSales team to install the patch for you, please email your FTP access info to: info@ezphotosales.com

    IMPORTANT INFO:
    If you have been using FTP to upload galleries and make modifications to your EZPhotoSales system, you will most likely run into permissions errors when making modifications inside version 1.9.
    The most common will be that the system does not have "write permissions" for the "galleries" folder.
    Log in to FTP and turn ON write permissions for the folder "galleries".
    You will probably encounter more unavoidable permissions errors until you migrate completely away from your pre-existing FTP-based galleries to the new system, but the popup warnings will direct you to the exact files and folders that require permissions modifications.

    Version history:

    October 13, 2006

    v1.9:
    -EZPhotoSales can now be completely FTP-FREE!
    You can still use your favorite FTP tool to upload galleries, pricing files, etc, but YOU DON'T HAVE TO if you don't want to!
    -There is a new "Gallery Editing" area where you can create a new gallery, change a gallery's name, change a gallery's password, and change a gallery's pricing set. All of this is done much more easily than it was done in the past. You can also add and delete images from a gallery easily, and you can view an overview of your gallery images.
    See an overview of the "Gallery Editing" section HERE.
    -A "View Slideshow" icon option has been added as well. If you have created a slideshow for a client (using your own software like ShowIt or ProShow), you can enter the URL of the slideshow in the "Gallery Editing" page for that gallery, and the "View Slideshow" icon will appear in their gallery. When clicked, that button will open a new window with the client's slideshow that you have created.
    -EZPhotoSales can add BLACK & WHITE previews for your images now!
    Use the Black & White tools to have EZPhotoSales create stunning black & white previews for your galleries. The Black & White previews are much better than a standard "convert to grayscale" version of your images. You will need to process Black & White images inside the configuration area, which will take time for larger galleries, but that means your clients' Black & White previews will load VERY quickly, and they are a beautiful, rich Black & White (not muddy Black & White like many online conversions).
    -There is a new "Pricing Editing" area where you can edit and create all of your pricing without using text files & FTP as in the past. Pricing menu information has been moved to a new folder called "pricing-menus". If you have any existing pricing sets, they will be moved for you when you login to your configuration page.
    -In the new "Edit Pricing" area, you can create new pricing sets and pull-downs and modify existing pricing information.
    -For galleries created with the new "create a new gallery" tool, an "index.html" will be placed in all of the gallery's folders so that nosy visitors will not be able to browse your galleries' directory structures.
    -Header and logo images can now be uploaded directly from the configuration page.
    -Info popup html files can now be uploaded and deleted directly from the configuration page.
    -You can now add a border around your gallery images. This is especially helpful for "high key" images inside a gallery with a white page background.
    -A "visits" counter has been added for every gallery. The counter will count each time a new IP address looks at a gallery so you can see how many different people (computers) have viewed a gallery.
    -Default pricing and alt pricing files and folders will all be together in "pricing-menus". Your current alt pricing sets will be automatically moved for you when you login to your configuration page after installing the version 1.9 update.
    Please visit the v1.9 Video Tutorial Library if you would like to see how to use the new features of v1.9.

    If the videos aren't loading well for you, then you can download the 1.9 video library HERE. Save the zip file to your hard drive, unzip it, then double click on the index file inside.



    v1.8.2 included:
    -The "Continue Shopping" button inside the PayPal shopping cart will take customers back to the gallery they were viewing when they added an item to their shopping cart.
    -Inside the shopping cart, an image's gallery name will be displayed in the "Options" section so the photographer will see from which gallery an order came. This is optional and can be turned off in the configuration page.
    -Upon logging into the configuration page, photographers will be notified if an EZPhotoSales update is available.
    -When pricing menus are down the side, the main gallery image is now at the top of the gallery area instead of vertically centered with the pricing menus.

    v1.8.1 included:
    -Filenames with spaces will be displayed correctly when browsing images with the navigation arrows.

    v1.8.0 included:
    -Navigation arrows are now included so viewers can easily browse through images. These arrows can be turned ON and OFF in the configuration page.
    -The thumbnail border is now configurable. You can set the border thickness, initial border color, the rollover (hover) color, and the visited color. These settings will function correctly in the Safari browser, as well as IE and Firefox.
    -The "view cart" button has been moved to a spot directly underneath the header alongside the navigation arrows and the sub-gallery menu (for galleries that are split into sub-galleries).
    -For Internet Explorer users: Implemented a fix that removes the gray flash object border around Flash movies (a new "feature" of IE that nobody appreciates) for photographers with Flash intros.

    v1.7.4 included:
    -the "+123" system of disabling menus will function inside the Safari browser
    -alt menu sets can now be used even with passwords turned off. You will still need to set a password for EZPhotoSales to recognize the alt menu set for a gallery, but you can set the passwords to OFF and still have a gallery display an alt menu set.

    -improved configuration page with more descriptive info popups

    v1.7.3 included:
    -configurable "Enter Gallery" text
    -version number is displayed on configuration entry page

    v1.7.2 included:
    -security fixes to protect galleries' passwords

    v1.7.1 included:
    -security fix to protect gallery access -- bug fix for a side-effect of the sub-galleries

    v1.7.0 included:
    -new "Sub-galleries" so large galleries can be split into smaller sub-galleries