From: Matthew M. <ma...@tu...> - 2005-10-12 17:01:17
Hello,

A couple of our sites were tampered with today. The culprit was a weakness in 0.10.1 (some of our sites have not been updated). The hacker was able to get an admin password and brute-force the hash.

You can grab the security patch from:

http://prdownloads.sourceforge.net/phpwebsite/phpwebsite_security_patch_20051202.tgz?download

It contains an upgrade to security.php, Search.php, and Core.php. Basically, the "module" variable was not getting parsed for foreign characters and was injected directly into an SQL query. This was bad design on an older module. 0.10.2 contained code to prevent this, but you may want to install the patch anyway.

If there are any problems with the patch, please reply to the list.

If you are running 0.10.1, you will probably be safe if your password has mixed alphanumeric characters. We would still recommend changing your password after installing the patch.

Thanks,
phpWebSite Development Dudes

--
Matthew McNaney
Electronic Student Services
Appalachian State University
http://phpwebsite.appstate.edu
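The bug class the post describes (a request parameter such as "module" concatenated straight into SQL without any character check) is illustrated below. This is an added example written for this page, not phpWebSite's code or the contents of the patch; the `modules` table, its columns, the function names and the sample inputs are all constructed for the demo. It uses an in-memory SQLite database through PDO so it runs offline, and shows the unsafe pattern next to the two fixes a maintainer would apply: an allowlist on the module name (what the post calls parsing for foreign characters) and a prepared statement so the value is never parsed as SQL.

```php
<?php
// Added example, not phpWebSite's own code. Demonstrates why an unchecked
// "module" request value reaching SQL is dangerous, and two defences.
// Table, columns and inputs below are constructed for this demo.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE modules (title TEXT, active INTEGER)');
$db->exec("INSERT INTO modules VALUES ('core', 1), ('search', 1), ('calendar', 0)");

// Vulnerable pattern: the request value is interpolated into the query text,
// so any quote character in it changes the structure of the statement.
function lookupModuleUnsafe(PDO $db, string $module): array
{
    $sql = "SELECT title, active FROM modules WHERE title = '$module'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Defence 1: a module name is a short identifier; reject anything else
// before it gets anywhere near the database (or the filesystem).
function isValidModuleName(string $module): bool
{
    return preg_match('/^[a-z0-9_]{1,40}$/', $module) === 1;
}

// Defence 2: bind the value. The database receives the query shape and the
// data separately, so the content of $module can never alter the query.
function lookupModuleSafe(PDO $db, string $module): array
{
    if (!isValidModuleName($module)) {
        throw new InvalidArgumentException("rejected module name");
    }
    $stmt = $db->prepare('SELECT title, active FROM modules WHERE title = :title');
    $stmt->execute([':title' => $module]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: a normal request, and one carrying a quote character
// of the kind the post says was not being filtered.
$inputs = ['search', "search' OR '1'='1"];

foreach ($inputs as $module) {
    echo "input: " . json_encode($module) . "\n";

    // Unsafe path: the second input returns every row, including the
    // inactive module, because the WHERE clause has been rewritten.
    $rows = lookupModuleUnsafe($db, $module);
    echo "  unsafe: " . count($rows) . " row(s)\n";

    // Safe path: the second input never reaches the database.
    try {
        $rows = lookupModuleSafe($db, $module);
        echo "  safe:   " . count($rows) . " row(s)\n";
    } catch (InvalidArgumentException $e) {
        echo "  safe:   " . $e->getMessage() . "\n";
    }
}
```

Run with `php example.php`. The first input returns one row on both paths; the second returns all three rows on the unsafe path and is rejected by the allowlist on the safe path. Keeping both defences is deliberate: the prepared statement protects the query even if the allowlist is later loosened, and the allowlist stops a malformed name from being logged, echoed or used in a file path elsewhere in the request handler. Either branch also gives a detection hook: a rejected name or an SQL syntax error on this code path is worth alerting on.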