Zenphoto is an open source gallery and photo blogging application. Zenphoto was initially released in 2005 and today powers more than 300,000 photo galleries.
Backup and restoration
30 January - 42MB
This security issue specifically affects the third party phpmailer library used by the PHPMailer plugin.
- Zenphoto now exposes only the general Zenphoto version and the script generation time within the HTML comment at the bottom of front end theme files. Formerly it also exposed some server related data like the graphics lib and which plugins are being used.
- This was of course to help us with support on the forum, as we would get some basic information about the install even if it hadn't been provided. But of course it might give more information than necessary to some people who have non helpful ideas in mind… The former full info is now only exposed if your install is in debug mode via the markRelease plugin. [acrylian – Thanks to nheiniger for the reminder]
- Fix rare sql issue with getRandomImagesAlbum() [acrylian – Thanks to coach777]
- On new installs in subfolders setup now sets the .htaccess rewriteBase with trailing slash. Most servers do work without so it is not changed on existing working installs [acrylian – Thanks to kilroy]
- GoogleMap: Option for the now required Google Maps API key added [fretzl]
- GoogleMap: Now responsive by default. Changes can be done in CSS [fretzl]
- hitcounter: "Page-Hitcounter-*" hitcounts are now deleted from the options table if reset [acrylian]
- PHPMailer: phpmailer 5.2.22 update [fretzl]
- static_html_cache: Cached files now stored with actual .html suffix. If you used the cache you best clear it to remove the old files and generate new ones [acrylian]
- rss: Now stores hitcounts as "rsshitcount" correctly. It used "hitcount", which for example wasn't checked by the gallery statistics [acrylian]
- tinymce4: Update TinyMCE 4.5.2 and language pack update [acrylian]
- Zenpage: Fix news category protection [acrylian – Thanks to vincent3569]
- Zenpage: Fix news category default rewrite link [acrylian]
Read more: http://zenphoto.org/news/zenphoto-1.4.14
18 August 2016 - 42MB
This is a minor bugfix release.
- Follow-up fixes regarding the new dirty form check on the backend [fretzl]
- Some fixes regarding PHP 7 compatibility [fretzl]
- New parameter $printHomeURL added to printGalleryIndexURL() function to hide the home-link if desired [fretzl - thanks to vincent3569]
- Fix getParentBreadcrumb() where toplevel parent returned wrong page number [acrylian, fretzl]
- Fix issue with gallery page number in Garland theme [fretzl]
- Fix issue with Custom Homepage option in Garland theme [fretzl]
- Fix themeSwitcher plugin to work with new admintoolbox layout [acrylian]
- Better layout of the site_upgrade plugin placeholder page and finally got rid of the ugly placeholder image whose usage wasn't clear as no license was known [acrylian]
- Fix slideshow plugins to work with the new trailing slash url change [acrylian]
- Some RSS feed fixes [Thanks to cbraymen]
- Fix GoogleMap marker clusters [fretzl – Thanks to cbraymen]
- Fix broken content when HTML in comments is truncated by printLatestComments() [fretzl – Thanks to cbraymen]
- Fix double pathurlencoding in some extensions which caused links to fail. [fretzl – Thanks to cbraymen]
Read more: http://zenphoto.org/news/zenphoto-1.4.13
14 March 2016 - 42MB
This is a bugfix and security update.
- Fixes RFI and – on older PHP versions – possible LFI security issues on log downloads on the backend [acrylian - Thanks to Tim Coen/Curesec]
- Zenphoto now consistently generates urls with a trailing slash. That is basically any url except for the single image page, which normally uses a suffix. The .htaccess file includes new lines to always redirect to the trailing slash url to avoid duplicated content, because urls without it will still work. If you are on a server other than Apache (like Nginx) that does not support .htaccess, you might need to set up something on your server yourself [acrylian - Thanks to Simounet for the htaccess addition]
- The admin toolbox you get in the top right corner of your site frontend if logged in has been changed to a full-width toolbar. The reason is that, especially on mobile themes / small viewport sizes, the old button may cover and therefore disable the actual site menu in that corner. For this reason the toolbox now pushes the page down so no overlapping should occur. Also the list entries have been made bigger so it is more suitable for touch device usage.
- In case it still conflicts with your custom theme, you may need to set it up to support the toolbox properly by overriding the styles via your theme's CSS. Alternatively, you can remove the toolbox via the theme_body_close filter. [acrylian]
- Fix Imagick rendering of .bmp and .tiff files [fretzl]
- Fixes full-image access with hotlinking if non standard HTTP ports are used [ludgerh]
- Fixes setup with custom session path handlers like Redis (follow up fix to 1.4.10) [acrylian]
- Fixes a general issue that prevented some plugins like downloadList to work correctly if the static_html_cache was enabled [acrylian]
- Minor bugfix in printPagelistWithNav() [IliyanGochev]
- Album breadcrumbs now returns to the page the album is on for sub albums, too [acrylian]
- We got frequent reports that our form change check script jquery.are-you-sure was often triggered when not wanted. Although we couldn't reproduce most issues ourselves, we decided to switch to jquery.dirtyforms now. It is the other "major" script for this task and also more current and actively developed [acrylian, fretzl]
- Zenpage: printNestedMenu() plus printPageMenu() and printAllNewsCategories() using it internally now have always default ids/classes attached if none are set respectively not set to null [acrylian]:
- Zenpage: main id: menu_pages or menu_categories
- Zenpage: top level active class: menu_topactive
- Zenpage: sub list class: submenu
- Zenpage: sub level active class: menu_active
- Zenpage: Additionally the link element of entries that are protected have the class has_password attached.
- printZenpageItemsBreadcrumb() incorporates the news index url now so you return to the right page number from single article pages. Minor theme change require: You have to remove printNewsIndexURL() from news.php and pages.php. Otherwise you will get a double "news" in the breadcrumb. [acrylian]
- static_html_cache: Album and images pages in search results are now handled correctly [acrylian]
- html_meta_tags: Abandons individual open graph options for a general one as most are required anyway. You might need to reset the option if you wish to use these [acrylian]
- print_album_menu: The list variant now has always default ids/classes attached if none are set respectively not set to null [acrylian]:
- main id: menu_albums
- top level active class: menu_topactive
- sub list class: submenu
- sub level active class: menu_active
- Additionally, the link element of entries that are protected have the class has_password attached.
- uploader_http: Fixes unwanted changes of publish status if uploading images [fretzl, acrylian]
- GoogleMap: cacheManager support for marker overlay thumbs added to workaround conflicts with the static_html_cache plugin [acrylian, fretzl]
- tinymce4: Update to TinyMCE 4.3.3
- elFinder: Update to elFinder 2.1.6
- dynamic_locale: Some fixes for subdomain usage and with seo_locale [reine-k adapted from a fix by sbillard]
Read more: http://zenphoto.org/news/zenphoto-1.4.12
1 December 2015 - 42MB
This is a bugfix and security update.
- Fix some XSS and LFI issues on the backend [acrylian, trisweb – Special thanks to John Page aka hyp3rlinx]
- Fix wrong number of un-published images in Gallery statistics [fretzl, acrylian]
- Fix wrong order display in image/album search date archives if sorting was set to "title" [acrylian]
- Fix dynamic album issue that could result in inability to rename titles etc. [acrylian]
- Fixes issue with image watermarks if Imagick is enabled [fretzl, acrylian]
- basic: Some formatting [fretzl]
- zenpage and zpmobile: Correctly display language flags or language select dropdown [fretzl]
- security_logger: Removes really bad logging of failed logon attempt passwords in cleartext. The exposed passwords might be wrong for this site but might potentially be right elsewhere, as users tend to confuse passwords from several services or are lazy with secure ones. Especially in combination with the logged user name, this directly presents potential hackers with a lot of sensitive data [acrylian – Special thanks to Oliver Dietz]
- sitemap-extended: Option to reference the full image instead of cached sized images if the Google image/video extension is enabled [acrylian]
- html_meta_tags: Add og:image sizes to cacheManager [acrylian]
- class-video: Update getID3 library [fretzl]
Read more: http://zenphoto.org/news/zenphoto-1.4.11
21 September 2015 - 42MB
This is a bugfix release.
- Accidentally some PHP 5.4+ only syntax sneaked in that broke Zenphoto with older PHP versions. However, we encourage using newer PHP versions. Zenphoto is generally tested up to PHP 5.6 currently [acrylian – Thanks to vincent3569]
- Fixes MySQL errors with search results or image order set to publish order (actually fixes a former a bit too premature fix) [acrylian, fretzl]
- user groups and user prime album: User prime albums are not removed from the managed album list anymore if not part of the managed albums of the user's group; Creating prime album also does not remove albums from other users' managed album lists [acrylian, fretzl]
- Fixes sorting of multilingual content fields [sphoto]
- Zenphoto does not check or set the server session save path anymore. As reported several times that does not work well with custom path handlers. So we now trust the server setting on that. If you try to use sessions and they don't work, change your server configuration or ask your host. [acrylian]
- Fixes various plugins that caused fatal errors if the cacheManager plugin was not enabled [acrylian, sphoto]
- html_meta_tags: Fixes wrong canonical and alternate language urls if the seo_locale plugin is enabled. Also correctly references page numbers on paginated pages. [acrylian]
- dynamic_locale: Fixes urls related to above and also a broken "en_US" url for the base version [acrylian]
- slideshow2: Now supports plugins folder and theme based custom css [acrylian]
- wordpress importer: Requires MySQLi as the default database handler to work [acrylian]
- Search on all themes is now consistently a global search for everything and not limited to the current item type [acrylian, fretzl]
Read more: http://zenphoto.org/news/zenphoto-1.4.10
9 July 2015 - 42MB
This is a security and bugfix release.
- Fixes several SQL Injection, XSS and path traversal security issues [trisweb – Thanks to Tim Coen for the report and help]
- Fixes issue with single image edit page if accessing via front end admin toolbox and "back" button to bulk edit page [trisweb, acrylian – Thanks to MarkRH]
- Fixes the zenphoto package file which caused an unnecessary file warning on running setup [acrylian - Thanks to vincent3569]
- Fixes function getNotViewableImages() that failed to exclude said images, e.g. used if "check tag access" for tag lists if tag_suggest is enabled [amalani]
- Fixes wrong image/album search result order by title [acrylian]
Small change for theme breadcrumbs
- Normally on basic themes the gallery index is the same as the site index ( = home page). But on themes that set a custom gallery index page (e.g. Zenpage, Garland, Effervescence+) those are really different pages, so the breadcrumb was actually wrong. Therefore a new template function printGalleryIndexURL() has been introduced that automatically prints a home link if needed (e.g. printing Home > Gallery index) or the real index link where needed. This internally uses a new function set, get/printSiteHomeURL(), that always returns/prints the home page url. This is additional functionality and your custom or customized theme doesn't require any update if you are fine with the old (wrong) behaviour.
- sitemap-extended: Fixes missing trailing slash in rewritten album URL's [acrylian – Thanks to gingo for the note]
- html_meta_tags: Maxspace options for open graph images to better cover the generally bigger (and changing) sizes of various social media services; thumb mode is not used, so that any watermarks set are used [acrylian]
- default: Fixes missing clearing of footer causing the layout being misaligned [fretzl]
Read more: http://www.zenphoto.org/news/zenphoto-1.4.9
18 May 2015 - 42MB
This is a security and bugfix release for some issues that unfortunately sneaked in. As usual this release is recommended for all users.
It is also recommended to users of the zpBase theme because it is directly affected by the print_album_menu bug listed below.
- Fixes security issue related to the image processor. [trisweb – Thanks to JPCERT]
- Fixes automatic image cache rebuild on rather rare occasions [davosmith]
- Fixes bug with album statistics in the backend Gallery statistics [acrylian – Thanks to MarkRH]
- Image rotation bugs fixed [fretzl – Thanks to unrealdtc]
- Fixes bug accessing the wrong single image edit via the admin toolbox [acrylian - Thanks to MarkRH]
- Dynamic album creation directly on the backend without prior front end search [acrylian]
- Fixes wrong html in admin toolbox [wongm]
- jPlayer: Fixes CSS issue with our skins [fretzl]
- image_album_statistics: get/printAlbumStatistics() bug fix for returning subalbum properly instead of itself if albumfolder is set [acrylian]
- image_album_statistics: Restores accidentally lost collection functionality for image statistics and also adds it for album statistics [acrylian]
- image_album_statistics: Fixes unwanted listing of unpublished items [acrylian, gjr]
- RSS & externalFeed: Fixes bug related to internal changes of the image_album_statistics plugin [acrylian]
- print_album_menu: Fixes Jump menu [acrylian]
- bxslider_thumb_nav, jCarousel_thumb_nav, paged_thumbs_nav: Fixes broken dynamic album image page links and also search context [acrylian – Thanks to bic]
- register_user (+backend): On registering or manually creating a user it is now checked if the email address is already used by another user (It is not checked for existing users!) [acrylian - Thanks to haroon310]
- downloadlist: Fixes issue with wrong link encoding that caused broken downloads especially on https sites [trisweb]
- zpMobile: Add data attribute via jquery to admin toolbox and downloadlist links so jquery mobile does not take them over [acrylian – Thanks to RB26 for the tip a while ago]
- basic: Support opening full images in colorbox added [acrylian]
- basic: Fixes display issues with styles in both slideshow plugins [acrylian – Thanks to Bob03]
- All themes: Fixes missing username for user_login_out plugin [acrylian – Thanks to Wurzel555]
Read more: http://www.zenphoto.org/news/zenphoto-1.4.8
10 February 2015 - 42MB
General
- Bug fixed that could cause losing all text data entered on subalbums and images if the parent album is moved, copied or renamed [acrylian, fretzl]
- Bug resulting in content loss of standard image fields like location, copyright etc. and tag assignments if saving data on the main images bulk edit page [gjr, acrylian]
- Minor security injection issue regarding cookie handling fixed [acrylian – Thanks to Manuel Garcia Cardenas for the report]
- Minor security SQL injection issue regarding image sorting if logged in fixed [acrylian – Thanks to Navaid Zafar Ansari for the report]
- Improvements for lost changes warnings on the backend [gjr]
- Option (Options > Image) to convert line breaks on meta data importing of IPTC ImageCaptions to HTML line breaks [acrylian - Thanks to MarkRH]
- Image quality setting if using the Imagick library now works correctly [MarkRH, kagutsuchi]
- Full single image editing including tags on the backend is now done on a separate page. This workaround ensures that the number of form elements does not exceed server POST limits, especially on shared hosts, and also speeds up the image tab page display [acrylian]
- The admin toolbox – always being actually part of the admin and not the theme anyway – now comes with a predefined style for a consistent look on all themes. Individual styling via theme css is not needed anymore [trisweb]
- Confusing nonsense questions on password resets have been removed [fretzl]
- randomImages functions no longer return images that are future (scheduled) published or expired [acrylian – Thanks to vincent3569]
- On the front end search form you can now uncheck or check all search fields [acrylian]
- getAllTagsAs() – used on the standard archive theme page for example – and getAllTagsCount() now have optional parameters to exclude unassigned tags and tags that are assigned to inaccessible items for the current visitor (tag access check). getAllTagsUnique() has only a parameter for the access check. This is also an option to the tag_suggest plugin now. This is optional and off by default as it may cause overhead on larger sites. The use of the static_html_cache plugin is strongly recommended if you need to do this [acrylian]
- Support for adding new tags containing brackets on admin item edit pages [SubJunk]
- zpMobile: Some layout issues and broken gallery page navigation fixed [acrylian, gjr]
- zpMobile: Support for login_out, register_user and slideshow plugins [acrylian]
- zpMobile: JS conflict with jquery mobile on the register password form fixed (actually that form is core but affected only this theme) [acrylian]
- favorites: It is no longer necessary for a user to have "manage all albums" rights to create favorites. Any logged in user now can [acrylian]
- downloadList: Fixes non working download rights password checks and download access bypassing private gallery settings [trisweb, acrylian]
- downloadList: Album zip handling fixed for Windows systems [gjr]
- galleryArticles: Fix multilingual titles of articles created [acrylian]
- html_meta_tags: Some corrections on wrong meta items. [acrylian, fretzl]
- image_album_statistics: Threshold parameter for image/album statistics and "toprated", "mostrated" and "popular" options [gjr]
- image_album_statistics: getImageStatistics() and getAlbumStatistics() work now without getAllAccessibleAlbums() internally and should be faster [Thanks to gjr for pointing out]; getAlbumStatistics() now returns an array of album objects similar to getImageStatistics() instead of an array with album values - Update your code if you do custom stuff; get/printAlbumStatistics() now generally supports stats from dynamic albums [acrylian]
- jPlayer: Update to 2.8.1 and improvements to our own player skins [acrylian, fretzl]
- jPlayer: The official jPlayer circle skin has been removed because it requires special handling to all other skins by loading extra JS files and it is a limited audio only skin anyway [acrylian]
- jPlayer: Now correctly displays playlists with contents from dynamic albums or even search results if they are supported formats [acrylian]
- menu_manager: Does not throw fatal errors anymore if the Zenpage plugin is disabled but Zenpage items exist in the menu set [acrylian]
- mergedRSS: Cache improvements [acrylian]
- print_album_menu: Jump menu version reworked a bit and now with a parameter for album level display and one for just printing the entries without the full part. The helper function printAlbumMenuJumpAlbum() has been removed being obsolete. [acrylian]
- register_user: Wrong verify links in emails fixed [acrylian]
- sitemap-extended: Fixes some url rewrite token and subdomain links for Zenpage pages if in multilingual mode [acrylian]
- tinymce4: Update to TinyMCE 4.1.x
- tinymce4: Option for writing directionality. Also if a language is writing from right to left it switches automatically [acrylian]
- tag_suggest: The plugin has now options to exclude unassigned tags and tags that are assigned to items that are not accessible for the current visitor [acrylian]
- zenpage: New options to optionally disable news or pages tabs on the backend. Themes can also check for this state optionally using the boolean constants ZP_NEWS_ENABLED or ZP_PAGES_ENABLED. See the Zenpage theme's sidebar.php for an example [acrylian]
Read more: http://www.zenphoto.org/news/zenphoto-1.4.7
5 June 2014 - 42MB
- New template functions getHeadTitle() / printHeadTitle() for usage within/for the HTML page's head 'title' tag [acrylian]
- Improved 404 handling [sbillard]
- imagick options to hint image sizes to better utilize server memory. [yaourt]
- Various HTML validation issues on the backend corrected [acrylian, sbillard, sphoto]
- New options for search pattern matching [sbillard]
- Plugins may now "declare" deprecated functions. [sbillard]
- Bulk options and edit links for images on the images order tab [sbillard, acrylian]
- Backend pages now warn about possible unsaved data in forms if you try to leave a page [sbillard]
- If you are using plugins with content macros that generate html, a conflict with TinyMCE's automatically wrapping everything using paragraphs could occur. Zenphoto now validates such html using the server side PHP Tidy extension if it is present on the server used.
Read more: http://www.zenphoto.org/news/zenphoto-1.4.6
23 January 2014 - 42MB
This is a security and bugfix release. Multiple minor errors are corrected.
Read more: http://www.zenphoto.org/news/zenphoto-18.104.22.168
24 December 2013 - 42MB
This is a bugfix release. Multiple minor errors are corrected.
Read more: http://www.zenphoto.org/news/zenphoto-22.214.171.124
3 November 2013 - 42MB
This release fixes a critical issue in the Zenphoto 126.96.36.199 involving storing characters with diacritical marks.
Read more: http://www.zenphoto.org/news/zenphoto-188.8.131.52
2 November 2013 - 42MB
This is a bugfix release. Multiple minor errors are corrected.
Read more: http://www.zenphoto.org/news/zenphoto-184.108.40.206
4 October 2013 - 42MB
This release fixes a problem on site closure introduced in the 220.127.116.11 support release. You will not be able to close your site unless the root index.php file from this release is first uploaded to your site.
Read more: http://www.zenphoto.org/news/zenphoto-18.104.22.168
3 October 2013 - 42MB
Zenphoto 22.214.171.124 is a security update. For more detailed info about the fixes please review the GitHub issues list.
Read more: http://www.zenphoto.org/news/zenphoto-126.96.36.199
9 September 2013 - 42MB
Multiple minor errors are corrected.
Read more: http://www.zenphoto.org/news/zenphoto-188.8.131.52
5 August 2013 - 42MB
Multiple minor errors are corrected.
- This version of Zenphoto incorrectly identifies itself as version "1.4.5". A patch for this issue has been included.
Read more: http://www.zenphoto.org/news/zenphoto-184.108.40.206
2 July 2013 - 42MB
- Zenphoto is now released under the license GPL v2 or later (before: GPL v2 only) to be compatible with GPL v3, which a lot of 3rd party tools use nowadays.
- All themes and the backend are now defined as HTML5 doctype to assure compatibility with newer and future 3rd party tools we adapt. Although the new semantic HTML5 elements may not be used yet and we still use the compatible XHTML syntax in many places. Slow work in progress so to speak. [sbillard, acrylian]
- Zenphoto uses jQuery 1.9.1 and jQuery UI 1.9.1, which is as usual loaded on themes. Since jQuery 1.9 removed some functions, older jQuery based tools may break. You find info about those changes and a jQuery migrate plugin to work around them here: http://jquery.com/upgrade-guide/1.9.
- Themes may now have slideshows from their favorites [sbillard]
- Use of Flash has been removed from themes and plugins (except fallback in jPlayer for older browsers naturally).
- The GD library now supports freetype fonts. (sbillard, kagutsuchi)
- The number of comments shown on the admin/comments tab is now an option. [sbillard]
- Simplified mod_rewrite rules [sbillard]
- Redefine URL keywords [sbillard]
- Portable RSS feed links option that allows users to see their feeds even when not logged-in [sbillard]
- Lots of small fixes [rlerdorf]
Read more: http://www.zenphoto.org/news/zenphoto-1.4.5
1 June 2013 - 42MB
Zenphoto 220.127.116.11 is a bugfix release. Multiple minor errors are corrected.
Read more: http://www.zenphoto.org/news/zenphoto-18.104.22.168
26 April 2013 - 42MB
Multiple minor errors are corrected. A Cross Site Reference Forgery security hole has also been closed. Thanks to Daniel Yang for reporting the issue to us.
Read more: http://www.zenphoto.org/news/zenphoto-22.214.171.124
11 April 2013 - 42MB
Multiple minor errors are corrected.
Read more: http://www.zenphoto.org/news/zenphoto-126.96.36.199
3 March 2013 - 42MB
Multiple minor errors are corrected.
Read more: http://www.zenphoto.org/news/zenphoto-188.8.131.52
1 February 2013 - 42MB
Corrects the check_for_update plugin so that it does not improperly report that there is a newer release and prevents lowercasing the default database handler name.
Read more: http://www.zenphoto.org/news/zenphoto-184.108.40.206b
2 January 2013 - 42MB
General
- Pagination added to the plugin & plugin options tabs. In addition, plugins are now organized by class and there is a sub-tab for each class (as well as a subtab for the complete list.) [sbillard]
- Portable URLs: Zenphoto will now store URLs in a WEB path independent form if embedded into content of articles and pages or image/album descriptions using tinyZenpage manually. When the data is retrieved the current WEB path will be used for these URLs. This simplifies moving your WEBsite or replicating the content to a new location. NOTE: this change is in effect only when you "save" the content. Changing URLs that already exist in your database requires that you re-save the object containing them [sbillard]
- Image caching: Zenphoto now limits the number of worker processes that may resize images in parallel [sbillard, d4gurasu]
- Multiple security threats closed.
- New stronger password hashing algorithm pbkdf2.
- Password hashing may be changed without impacting existing password cookies, so you can strengthen your security and it will be applied whenever a user changes their password. (See also the user_expiry plugin below.)
Read more: http://www.zenphoto.org/news/Zenphoto-1.4.4
3 December 2012 - 40MB
2 November 2012 - 40MB
2 October 2012 - 40MB
1 September 2012 - 40MB
3 August 2012 - 40MB
2 July 2012 - 40MB
12 May 2012 - 40MB
4 April 2012 - 40MB
2 March 2012 - 40MB
2 February 2012 - 40MB
16 January 2012 - 40MB
14 November 2011 - 50MB
20 October 2011 - 50MB