Here are some notes on how to enhance the security of your album:
- Change all function codes right away.
- Do not leave debug mode on - sensitive information can be leaked this way.
- Ensure your config is not viewable through the web (if it lives in cgi-bin, make it mode 644; otherwise move it out of the web-accessible tree).
- If you don't want or need to use the web Configuration Management interface, don't make your album.cfg writable.
- Upgrade to the latest version (in this case, 6.0). Every release has bug fixes, and sometimes they have security implications. There was one bug that would allow a normal user to wedge in and get admin access if they knew what they were doing, but those have been fixed for some time. (And the exact exploit was never publicized - I found it myself.)
- Keep web logs so you can see what's going on. If you can, glance through them once in a while to see if anything odd stands out.
- Change your passwords (if you have accounts) fairly often.
- Don't post URLs that have usernames/passwords in them if you're using authentication_type=1. Try to ensure your users know not to do this as well.
Don't think it can't happen to you; at least one album has already been hacked!
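Two of the notes above (keep and actually read your web logs; keep credentials out of URLs) are easier to act on with a small scan. The POSIX shell script below is an added example, not part of these notes or of the album software: the log lines are constructed, and the credential parameter names it matches are an assumption about what an authentication_type=1 URL looks like, so adjust them to your setup.

```shell
#!/bin/sh
# Added example: scan an access log (Common/Combined Log Format) for requests
# worth a second look on an album install. Not part of the album software.
# Assumptions: the config file is named album.cfg (as in the notes above);
# the credential parameter names matched below are a guess, adjust them to
# match what your authentication_type=1 setup actually puts in the URL.

# Print every request that fetched the config file or carried what looks
# like a username/password in the query string.
scan_album_log() {
    grep -E -i \
        -e 'album\.cfg' \
        -e '[?&](user(name)?|pass(word|wd)?)=' \
        "$1"
}

# Requests for album.cfg that the server answered with 200: the config is
# viewable through the web and needs to be moved or have its mode changed.
served_config_hits() {
    grep -E 'album\.cfg[^"]*" 200 ' "$1"
}

# Number of flagged lines, for a quick daily glance or a cron summary.
count_flagged() {
    scan_album_log "$1" | wc -l | tr -d ' '
}

# Constructed sample log (not real traffic) so the script runs offline.
write_sample_log() {
    cat > "$1" <<'EOF'
192.0.2.10 - - [10/Oct/2000:13:55:36 -0700] "GET /cgi-bin/album.pl?album=trip HTTP/1.0" 200 2326
192.0.2.11 - - [10/Oct/2000:13:56:01 -0700] "GET /cgi-bin/album.cfg HTTP/1.0" 403 218
192.0.2.12 - - [10/Oct/2000:13:57:12 -0700] "GET /cgi-bin/album.pl?album=trip&username=bob&password=hunter2 HTTP/1.0" 200 2326
192.0.2.13 - - [10/Oct/2000:13:58:40 -0700] "GET /album.cfg HTTP/1.0" 200 512
192.0.2.14 - - [10/Oct/2000:13:59:05 -0700] "GET /cgi-bin/album.pl?album=trip&page=2 HTTP/1.0" 200 2326
EOF
}

# Stand-alone run: scan the constructed sample, or a real log if a path is given.
if [ "${1:-}" = "" ]; then
    LOG=$(mktemp) && write_sample_log "$LOG"
else
    LOG=$1
fi
echo "flagged requests: $(count_flagged "$LOG")"
scan_album_log "$LOG"
served_config_hits "$LOG" | grep -q . && echo "WARNING: album.cfg was served with 200"
```

On the constructed sample this flags three requests and warns once, because one album.cfg fetch got a 200 rather than a 403.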