piwigo / admintools Goto Github PK

When using Quick edit on a photo and save the picture it cut-off seconds from the time of the picture.
Hidden inptut "date_creation_time" contains value only with hours and minutes.
Please add seconds to the value too.

getting the following error:

Deprecated: Function create_function() is deprecated in /public_html/plugins/AdminTools/include/MultiView.class.php on line 41

I'm using php 7.2

So that we can have the list of tags just by clicking in the input field (with TokenInput we have nothing unless we enter one character, for the autocompletion)

With this option unchecked, visits for admin are still being recorded.

version 2.9.4.1 of the AdminTools installed on up to date version of piwigo

when i enable it and look at the public side of the site with a brave browser i can not see any photo and i see the following error in the developer tools:

10u0tky.js:341 Uncaught SyntaxError: Unexpected token <
(index):326 Uncaught ReferenceError: $ is not defined
at (index):326

and that line 326 starts at $('#categoriesDropdownMenu').on('sh..... :

<script type="text/javascript">//<![CDATA[

$('#categoriesDropdownMenu').on('show.bs.dropdown', function() {$(this).find('a.dropdown-item').each(function() {var level = $(this).data('level');var padding = parseInt($(this).css('padding-left'));if (level > 0) {$(this).css('padding-left', (padding + 10 * level) + 'px')}});});
var error_icon = "themes/default/icon/errors_small.png", max_requests = 3;
AdminTools.urlWS = 'ws.php?format=json&method=';
AdminTools.urlSelf = 'index.php?/categories&';

as soon as i disable the AdminTools it goes away.

if i look at the same pages in Chrome it has no problem..

just thought i'd report it, in case you would want to know.

thanks,
tom

Dear Sirs,
We were being using this plugin on all the versions of piwigo, till the 13.8 without issues, all with php 7.4
Upgrading to php 8.0, 8.1 or 8.2 breaks the part of editing the photos for non admin.

The php error is :

Undefined array key "DELETE_CACHE" in www/piwigo/_data/templates_c/jlpo1n^xxxxxxxxxxxxxxxxxxxxxxxxxx_0.file.public_controller.tpl.php on line 73

and the the line 73 of this compiled template is :

if ($_smarty_tpl->tpl_vars['ato']->value['DELETE_CACHE']) {?>
AdminTools.deleteCache();

For the time being, as a fast workaround, we deleted this line, and everything is back to work.

Thank you and best regards

if AdminTools is active and the user language is changed on [Administration > Users > Manage], it is not taken into account.

The following lines of code when added to the theme.css file within the theme at the end solve the problem and make it look to my eye in line with the rest of the theme.

#cboxOverlay {
background: #000;
opacity: 0.9;
filter: alpha(opacity = 90);
position: fixed;
width: 100%;
height: 100%;
}

#cboxContent a.icon-ato-cancel.close-edit:hover {
color: #fff;
}

#cboxContent a.icon-ato-cancel.close-edit {
color: #ccc;
font-size: 0.8em;
font-family: Arial,Helvetica,sans-serif;
}

#cboxContent .ui-submit .ui-btn-hidden {
position: absolute;
top: 0;
left: 0;
width: 100%;
height: 100%;
-webkit-appearance: none;
cursor: pointer;
background: #fff;
background: rgba(255,255,255,0);
filter: Alpha(Opacity=0);
opacity: .1;
font-size: 1px;
border: none;
text-indent: -9999px;
}

CSRF = Cross-site request forgery

... simply with a classic pwg_token

Reported by plg on 25 May 2015 15:47

Version: 2.7.4

When a photo is added by a non admin, it can be edited. It would be useful to have an option to forbid tag creation.

Piwigo Bugtracker #3224

hello
when i active this plugin

PHP Fatal error: Uncaught Error: Non-static method Smarty_Internal_Debug::display_debug() cannot be called statically in include\template.class.php:583
Stack trace:
\include\page_tail.php(94): Template->p()
\admin.php(365): include('C:\...')
#2 {main}
thrown in .\include\template.class.php on line 583

Based on the content of table activity we can find which user did create an album. We can use that to let the creator of an album edit it.

I installed Piwigo on Ubuntu Server 18.04, with Apache and PHP7.2. It said there is an update for admin tools but failed to install. A pop up said "Error" but no further description.

Deprecated: Function create_function() is deprecated in /var/www/html/plugins/AdminTools/include/MultiView.class.php on line 41

This message show at the top of the page when I activated admin tools. Is there any ways to update it manually? Or wait for your solution? Thanks.

ie "not identified" visitors.

Plugin Community make it possible to have piwigo_images.added_by = 2 (ie $conf['guest_id']) but it should never be possible to edit/delete the photo as guest.

Hi,

Piwigo Version: 12
Plug-in version: 12.1.0
Other plug-ins minimal and can reproduce alone

I get a Warning: Undefined array key "IS_IN_CADDIE" in /path_to/piwigo/_data/templates_c/rr6dxn^2def383788891f46e221c241d1c94e0cf7ed28c3_0.file.public_controller.tpl.php on line 174 as HTLM in the toolbar

I reinstalled the plug-in to no use, purged templates several times, template_c folder permissions seems normal (www-data owns the stuff and can RW)

Cheers.

I mean on admin in the top right corner

After changing the theme of my gallery, the Admin Tools quick menu doesn't reflect the current state. New theme is missing, and old ones are still present. Purging did not fix.

HTML description was designed to be allowed for administrators, not contributors

in the AdminTools language switcher

Summary

A reflected cross-site scripting (XSS) vulnerability has been discovered in the "ato_lang" parameter. This vulnerability can be exploited by an attacker to inject malicious HTML and JS code into the HTML page, which could then be executed by webmaster or administrators when they visit the URL with the payload.

Since The lang parameter exists on every page, which results in a malicious lang value (session-level persistence XSS) attached to any page that administrator visits before the session ends.

Details

The vulnerability is caused by the insecure injection of the "ato_lang" value from the URL into the HTML page. An attacker can exploit this vulnerability by crafting a malicious URL that contains a specially crafted "ato_lang" value. When a victim who is logged in as an webmaster or administrator visits this URL, the malicious code will be injected into the HTML page and executed.
Attackers can construct malicious lang values in PHP files that accept ato_lang in lang parameters at any time. Basically, all pages presented to administrator will have (ato_)lang values. This means that the payload that occurs is not fixed.

Vulnerability recurrence requirements

The webmaster opens the Admin Tools plug-in
The webmaster or administrators opens the link for the malicious ato_lang value

Proof of Concept (POC)

Open the "Admin Tools" plugin

Access a PHP file that can accept the value of the lang parameter.
http://192.168.160.147/index.php?ato_lang=zh_TW%3C/script%3E%3Cscript%3Ealert(9017)%3C/script%3E&mobile=false&

Access other web pages, such as the profile.php.

Giving a malicious value of $ato.MULTIVIEW.lang can lead to reflective XSS vulnerabilities.
The lang parameter exists on every page, which results in a malicious lang value (session-level persistence XSS) attached to any page that a webmaster or administrator visits before the session ends.

Because the security team did not respond within 72 hours, I made the report public.

I noticed that when enabling AdminTools, the "Who can see this photo?" information is no longer visible to admin users.
I figured it might be this line: https://github.com/Piwigo/AdminTools/blob/master/include/events.inc.php#L63

But why hide it? I can't find it anywhere else unless I open the quick edit dialog (but it's two clicks away).

Thanks for this wonderful piece of software!