Security issue in Image Uploader

Recently we got a report that Image Uploader suffers from a buffer overrun vulnerability. A BID was submitted by Elazar Broad to, and he emailed us to inform us about it. I am taking this opportunity to thank Elazar for all his help with it. Here is this BID:

It happened on a weekend, so we had to go to the office on Sunday. Fortunately the problem was not difficult to locate and fix, so we have released version 4.5.70, which does not have this problem, and now we are informing all our customers to update Image Uploader on their websites.

You may wonder why this issue is so important. The problem is that a buffer overrun vulnerability means that malicious persons can execute arbitrary code (including malware, of course) on each computer where Image Uploader is installed. The many millions of people who visit our customers' websites are at risk. If you are interested in what a buffer overrun is, here is a Wikipedia article: 

So we urge everybody who uses Image Uploader to upload files to their websites to install the latest version. It can be downloaded from the Image Uploader download page.

Now here is a small FAQ.

Q: What versions of Image Uploader are vulnerable?

A: All Image Uploader builds of the 4.x family, except 4.5.70, of course.

Q: What about previous versions?

A: This issue appeared when we added the ability to navigate to an arbitrary folder through JavaScript. This feature was introduced in version 4.0. So if you are using version 3.5 or earlier, this issue does not affect you.

However if you received version 3.x after we officially discontinued it, please contact us. We need to check it out.

Q: Where to download the fixed version?

A: First of all, you can download the latest version from the Image Uploader download page:

Q: How to install the update?

A: The update installation process is the same as described in the documentation. In short:

  1. Download the latest .cab file (it should be version 4.5.70 or later).
  2. Replace it on your server.
  3. Update the version number in the Image Uploader initialization block. It should look like this:
    iu.activeXControlVersion = "4,5,70,0";

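
Step 3 is the one that is easy to miss across many pages, so a site owner will want a quick way to audit initialization blocks. The following is an added example written for this post, not code from Aurigma or the Image Uploader product: it parses the version string in the form used by `iu.activeXControlVersion` ("4,5,70,0", dotted form also accepted) and classifies it using the rules from the FAQ above: 3.x and earlier unaffected, 4.x builds below 4.5.70 vulnerable, 4.5.70 and later fixed. The function names, the `auditInitBlock` helper and the sample initialization block (with its 4,5,0,0 version) are constructed for illustration.

```javascript
// Added example (not Aurigma's code): classify an Image Uploader version string
// as written in the page's initialization block against the fixed build 4.5.70.
// Assumed rules (from the advisory's FAQ): 3.x and earlier are unaffected,
// any 4.x build below 4.5.70 is vulnerable, 4.5.70 and later are fixed.

const FIXED_VERSION = [4, 5, 70, 0];

// Parse "4,5,70,0" or "4.5.70.0" into four integers, padding short forms with 0.
function parseVersion(versionString) {
  const parts = String(versionString).trim().split(/[,.]/).map(p => p.trim());
  if (parts.length === 0 || parts.length > 4) {
    throw new Error(`Unexpected version format: ${versionString}`);
  }
  const numbers = parts.map(p => {
    if (!/^\d+$/.test(p)) throw new Error(`Non-numeric version part: ${p}`);
    return parseInt(p, 10);
  });
  while (numbers.length < 4) numbers.push(0);
  return numbers;
}

// Component-wise comparison of two four-part versions: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 4; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns "unaffected" (3.x or earlier), "vulnerable" (4.x below 4.5.70)
// or "fixed" (4.5.70 or later).
function classifyImageUploaderVersion(versionString) {
  const v = parseVersion(versionString);
  if (v[0] < 4) return "unaffected";
  return compareVersions(v, FIXED_VERSION) < 0 ? "vulnerable" : "fixed";
}

// Look for the iu.activeXControlVersion assignment in page source and classify
// it. Returns null when no assignment is present (hypothetical helper).
function auditInitBlock(pageSource) {
  const m = /iu\.activeXControlVersion\s*=\s*["']([^"']+)["']/.exec(pageSource);
  if (!m) return null;
  return { version: m[1], status: classifyImageUploaderVersion(m[1]) };
}

// Constructed sample: an initialization block still pointing at an old build.
const SAMPLE_INIT_BLOCK = `
  // ... other Image Uploader initialization settings ...
  iu.activeXControlVersion = "4,5,0,0";
`;

console.log(auditInitBlock(SAMPLE_INIT_BLOCK));
// → { version: '4,5,0,0', status: 'vulnerable' }
```

Run it over each page that embeds the control; any result other than "fixed" (or "unaffected" for a 3.x deployment) means the page still references a build with the buffer overrun.
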
Q: Is the update free?

A: This is a minor update. According to our upgrade policy, minor updates are free.

Q: I still have questions. Where can I get more information?

A: Please email us at