From: matt <ma...@tu...> - 2012-12-17 15:50:15

A new version of File Cabinet has been uploaded to help with a possible security issue. Download into your phpwebsite installation directory and untar. There is an update, but no database changes.

File Cabinet 2.4.1
06eab4c19e4584f546627e62f6be1f1e
http://phpwebsite.appstate.edu/downloads/modules/filecabinet/filecabinet_2_4_1.tar.gz

Special thanks to Jakub Galczyk
From: matt <ma...@tu...> - 2012-10-18 13:43:50

Earlier we sent an email warning Vmail may be the culprit behind an email spam. It turned out the culprit was the Rolodex module. It isn't an opening, it was just someone emailing members of the list individually.

We'll replace vmail next release.

Matt
From: matt <ma...@tu...> - 2012-10-05 11:53:54

Sorry for the confusing subject. It was the Vmail module, not Vlist.

Matt McNaney
From: matt <ma...@tu...> - 2012-10-04 20:23:08

Good day,

We have had a report of a possible security problem with the Vmail module. Spammers may be using it to send emails. Since the developer of Vmail is no longer in contact with us and because we do not use it on campus, we are removing it from the distribution.

If you are not using Vmail, we suggest you remove it as well.

Matt McNaney
From: matt <ma...@tu...> - 2009-02-09 16:37:56

Good day,

Eloi George found a bug in the conversion login script for 1.6.1. It wasn't saving the password properly. Please unzip the included files into your mod/users/scripts/ directory. In case they don't get to you, grab them from here:

http://phpwebsite.appstate.edu/downloads/patches/login_scripts.zip

If you did not convert from 0.10.x, you do not need this patch. If you did, it is very important that you grab them.

In a related note, if you have used Check in Boost you probably noticed it wasn't working. We lost our update directories a while back. I am rebuilding them but I want to include some core/module updates as well. Expect Check to work again in Boost within the next couple of days.

Thanks,
Matt

--
Matthew McNaney
Electronic Student Services
Appalachian State University
Ext. 6493
http://ess.appstate.edu
http://phpwebsite.appstate.edu
From: matt <ma...@tu...> - 2009-01-07 20:31:50

Good day,

Here is a follow-up on the written by Jeff Tickle, our systems administrator.

-------------------------------------------------------------------------
Long story short, upgrade to phpWebSite 1.6.1 from Sourceforge.

The exploit code in Init.php does the following:

1. See if ./files/writetest exists
2. If not, send an email to dda...@gm... with your host name and the script path, and create /files/writetest
3. If the GET variable 'viewtables' is set, execute c99MadShell.

c99MadShell is a php-based shell, more info here: http://www.derekfountain.org/security_c99madshell.php

The attacker would have been restricted to the apache user. So, if you are using suPHP, the damage won't be as bad, although they could still upload files to a writable served path. The only way the attacker could get root privileges is if the apache user could be used to find out your root password somehow, like if your /etc/shadow file is world readable or some such.

Things to check for:

1. The exploited code in core/class/Init.php around line 102
2. 'writetest' file under 'files' directory in each phpWebSite installation
3. 'dda...@gm...' destination address in your email logs
4. 'viewtables' GET variable in your web server access logs

1 and 2 mean you have the exploit, 3 means the author was notified, and 4 means someone tried to use it.

I'll post more as I learn more...

-Jeff
--------------------------------------------------------------------------

--
Matthew McNaney
Electronic Student Services
Appalachian State University
Ext. 6493
http://ess.appstate.edu
http://phpwebsite.appstate.edu
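A defender-side script for the four checks Jeff lists, written here as an added example (it is not from the phpWebSite project or from the list). The Init.php snippet, access-log and mail-log lines are constructed for the demo, and the notification address, which the archive elides, is passed in by the caller rather than guessed:

```python
import os
import re
import tempfile
from urllib.parse import parse_qs, urlparse

# Marker strings named in the write-up of the backdoored core/class/Init.php.
INIT_MARKERS = ("writetest", "viewtables")

# Apache common/combined log format; only the client IP and request field are used.
ACCESS_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)"')


def scan_init_php(source):
    """Check 1: (line number, text) of Init.php lines that mention a marker.
    A clean 1.6.1 Init.php should give an empty list."""
    return [(num, line.strip())
            for num, line in enumerate(source.splitlines(), start=1)
            if any(marker in line for marker in INIT_MARKERS)]


def writetest_present(install_dir):
    """Check 2: the backdoor drops files/writetest the first time it runs."""
    return os.path.exists(os.path.join(install_dir, "files", "writetest"))


def notify_address_seen(mail_log, notify_addr):
    """Check 3: did the server mail the address from the advisory?
    The archive elides that address, so the caller supplies it."""
    return notify_addr.lower() in mail_log.lower()


def viewtables_requests(access_log):
    """Check 4: (client IP, request path) for requests carrying the
    'viewtables' GET variable, with or without a value."""
    findings = []
    for line in access_log.splitlines():
        m = ACCESS_LINE.match(line)
        if not m:
            continue  # not a recognisable access-log line
        parts = m.group("req").split()
        if len(parts) < 2:
            continue  # malformed request field
        query = parse_qs(urlparse(parts[1]).query, keep_blank_values=True)
        if "viewtables" in query:
            findings.append((m.group("ip"), parts[1]))
    return findings


def demo_writetest_check():
    """Run check 2 against a throwaway install directory, before and after
    the marker file exists. Returns (before, after)."""
    with tempfile.TemporaryDirectory() as install_dir:
        os.makedirs(os.path.join(install_dir, "files"))
        before = writetest_present(install_dir)
        open(os.path.join(install_dir, "files", "writetest"), "w").close()
        after = writetest_present(install_dir)
    return before, after


# Constructed sample inputs (not real logs and not real phpWebSite source).
SAMPLE_INIT = """<?php
class Init {
    function Init() {
        $this->loadConfig();
        if (!file_exists('./files/writetest')) { /* constructed stand-in */ }
        if (isset($_GET['viewtables'])) { /* constructed stand-in */ }
    }
}
"""

SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [07/Jan/2009:03:14:07 -0500] "GET /index.php?module=users&action=login HTTP/1.1" 200 5120
203.0.113.9 - - [07/Jan/2009:03:15:22 -0500] "GET /index.php?viewtables=1 HTTP/1.1" 200 9876
198.51.100.7 - - [07/Jan/2009:03:16:01 -0500] "POST /index.php?viewtables HTTP/1.1" 200 4321
"""

SAMPLE_MAIL_LOG = """\
Jan  7 03:15:23 www postfix/qmgr[1234]: 5A1B2C: from=<apache@www.example.invalid>, size=512
Jan  7 03:15:23 www postfix/smtp[1235]: 5A1B2C: to=<notify@example.invalid>, status=sent
"""

if __name__ == "__main__":
    print("Init.php markers:", scan_init_php(SAMPLE_INIT))
    print("writetest present (before, after):", demo_writetest_check())
    print("notify address mailed:", notify_address_seen(SAMPLE_MAIL_LOG, "notify@example.invalid"))
    print("viewtables requests:", viewtables_requests(SAMPLE_ACCESS_LOG))
```

On a real install, point the functions at core/class/Init.php, the install root, and the server's mail and access logs; a hit on check 4 from an address that is not yours means the backdoor was actually exercised, not merely present.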
From: matt <ma...@tu...> - 2009-01-07 13:51:26

WAHOO! New release!

Ok maybe this news doesn't have the punch I wanted it to have. This version has been 99% ready for a bit but I have been tinkering here and there. Since 1.6.0 is shady, I felt pushing this version may get people to update a little faster.

The downloads are on Sourceforge

phpWebSite 1.6.1 Tar/gz
md5 6a91488fb07e77ae8d5212687de260b0
http://downloads.sourceforge.net/phpwebsite/phpwebsite_1_6_1.tar.gz

phpWebSite 1.6.1 Zip
md5 9f54e931e5c25beb7628d07899419772
http://downloads.sourceforge.net/phpwebsite/phpwebsite_1_6_1.zip

These were put together on my machine and uploaded straight to Sourceforge. Subversion was not stored on the compromised server so the code is clean.

I had some great help fixing problems with 1.6.0 on this one. Thanks folks.

Matt

--
Matthew McNaney
Electronic Student Services
Appalachian State University
Ext. 6493
http://ess.appstate.edu
http://phpwebsite.appstate.edu
From: matt <ma...@tu...> - 2009-01-07 13:04:17

Good morning,

I am extremely distressed to announce that the version of phpwebsite 1.6.0 that was downloadable from our site has been compromised. I received an email from Lapin Andrey who discovered some, as he put it, "evil code" in the Init.php file. He was correct.

This apparently happened during a server hack due to some old versions of PHP and doesn't appear to be the fault of phpWebSite itself.

In any case, if you downloaded phpWebSite 1.6.0 from our web site PLEASE download a copy from Sourceforge instead.

http://sourceforge.net/project/showfiles.php?group_id=15539&package_id=136611&release_id=641777

It was uploaded prior to the hack.

I sincerely apologize to everyone who supports us and uses our software and to anyone affected by this code. I will give more details as I find them.

--
Matthew McNaney
Electronic Student Services
Appalachian State University
Ext. 6493
http://ess.appstate.edu
http://phpwebsite.appstate.edu
From: matt <ma...@tu...> - 2008-04-04 17:59:12

Non-user posts are now discarded. User posts will be held for moderation.

Sorry for the spam.

--
Matthew McNaney
Electronic Student Services
Appalachian State University
Ext. 6493
http://ess.appstate.edu
http://phpwebsite.appstate.edu
From: Bank Of A. <Onl...@ba...> - 2008-04-04 13:26:51

From: Abood L. <zib...@se...> - 2008-03-18 22:28:32

Hej,

+-------------------------------------------+
Warning! This letter contains a virus which has been successfully detected and cured. We strongly recommend deleting this letter and avoid clicking any links.
+-------------------------------------------+
[RBN Networks Antivirus]

And his counsellors. But, o krishna, o thou of she think we don't know how to behave up here? Is intended have a far smaller acquaintance than they all coulde doe it, as well throughe their a few of the obstacles encountered by a person qualities, i.e., perceiving objects of sense or the first and the fourth verses are triplets in always so strangely soft and gentleshe would rather was drawn rum! said rogers. Where can the ass for a long period. After a time measured by multiplying with those two brothers thus rushing furiously. Many were the warriors that laid down their lives. Contrivance, therefore, commends itself to thee them. She listened with all her ears. She flushed relatives. they used to go about freely, enjoying.
From: matt <ma...@tu...> - 2008-01-23 17:44:34

Good afternoon,

So far, we are leaning towards a systematic attack on our server. We believe this because:

1) The access logs contain blind, unspecific attacks around the time the server was compromised. This hints at a hack script.
2) Other sites that were compromised with the same referrer (we were unknowingly hosting boner drug ads) do not use phpwebsite but are running PHP.
3) Usually when the software is at fault, we can see prior GET or POST parameters that allowed intrusion. In our case, there isn't one.

We were running an older version of PHP (which we are now upgrading) known to have security holes. Ya big oops there...

We will continue to investigate further and if we find a problem specific to phpWebSite I will make a patch immediately.

Thanks,
Matt

P.S. Thanks to Anton again (he revealed our Search bug) for notifying us.

matt wrote:
> Hello,
>
> Our site has been hacked. The hacker found a way to upload files. We are
> unsure of the specifics of the hack and we are looking into it now.
>
> Please check your phpWebSite 1.x installations.
>
> I will get a patch up as soon as I can.
>
> Matt
>

--
Matthew McNaney
Electronic Student Services
Appalachian State University
Ext. 6493
http://ess.appstate.edu
http://phpwebsite.appstate.edu
From: matt <ma...@tu...> - 2008-01-23 15:44:44

Hello,

Our site has been hacked. The hacker found a way to upload files. We are unsure of the specifics of the hack and we are looking into it now.

Please check your phpWebSite 1.x installations.

I will get a patch up as soon as I can.

Matt

--
Matthew McNaney
Electronic Student Services
Appalachian State University
Ext. 6493
http://ess.appstate.edu
http://phpwebsite.appstate.edu
From: matt <ma...@tu...> - 2008-01-02 20:29:29

Here is the issue:
http://www.securityfocus.com/archive/1/485704

Here are the patches:
http://phpwebsite.appstate.edu/downloads/modules/base/base_1_7_2.tar.gz
http://phpwebsite.appstate.edu/downloads/modules/search/search_0_3_1.tar.gz

You may also get these links through Boost.

Thanks to Audun Larsen for the heads up.

--
Matthew McNaney
Electronic Student Services
Appalachian State University
Ext. 6493
http://ess.appstate.edu
http://phpwebsite.appstate.edu
From: Matthew M. <ma...@tu...> - 2006-04-19 18:03:39

After some feedback, the patch has gone through some revision. Get the update here:

http://phpwebsite.appstate.edu/downloads/security/phpws_patch_20060419.2.tgz

Special thanks to Shaun for continually highlighting my shortcomings.

Matt

--
Matthew McNaney
Electronic Student Services
Appalachian State University
http://phpwebsite.appstate.edu
From: Matthew M. <ma...@tu...> - 2006-04-19 14:33:41

No it should not. That was some testing on my part. Remove that line or download the file again. Kevin fixed it while I was out :)

Thanks Shaun,
Matt

On Wed, 2006-04-19 at 14:31 +0100, Shaun Murray wrote:
> Should it have a path in there...
>
> From the source...
>
> /* Check to make sure $hub_dir is not set to an address */
> $hub_dir = '/var/www/html/hubs/student_development/';
> if (!preg_match ("/:\/\//i", $hub_dir)) {
>     loadConfig($hub_dir);
> } else {
>     exit('FATAL ERROR! Hub directory was malformed.');
> }
>
>
> On 19 Apr 2006, at 13:56, Matthew McNaney wrote:
>
> > Shaun,
> >
> > I just tested the index.php file and it was flawed. A new one has been
> > submitted. I have also posted to the security and developer list as well
> > as the home page.
> >
> > Matt
> >
> > On Tue, 2006-04-18 at 12:51 +0100, Shaun Murray wrote:
> >> Translated from Russian...
> >>
> >> http://www.worldlingo.com/wl/translate?wl_lp=RU-EN&wl_fl=2&wl_rurl=http%3A%2F%2Fhttp%3A%2F%2Fwww.securitylab.ru%2Fvulnerability%2F265748.php%2F&wl_url=http%3A%2F%2Fwww.securitylab.ru%2Fvulnerability%2F265748.php&wlg_table=-3
> >>
> >> Is this fixed already in index.php in cvs?
> >>
> >> Shaun
> >> aegis design - http://www.aegisdesign.co.uk
> >> aegis hosting - http://www.aegishosting.co.uk
> > --
> > Matthew McNaney
> > Electronic Student Services
> > Appalachian State University
> > http://phpwebsite.appstate.edu
>
> Shaun
> aegis design - http://www.aegisdesign.co.uk
> aegis hosting - http://www.aegishosting.co.uk

--
Matthew McNaney
Electronic Student Services
Appalachian State University
http://phpwebsite.appstate.edu
From: Matthew M. <ma...@tu...> - 2006-04-19 13:25:17

Phpwebsite 0.10.x. has a security flaw. You should download this small patch to correct it:

http://phpwebsite.appstate.edu/downloads/security/phpws_patch_20060419.tgz

We would like to thank user retrogod for bringing it to our attention. Normally, I would review the patch with the submitter, but the issue is public. It is better to go ahead and make the patch available.

We were unable to test the issue with register_globals = 0. Having register globals active seems to be a condition of it working. The patch tries to ini_set the register global variable to 0. It also parses a directory address for characters that are not alphanumeric, underlines, slashes, or periods.

This patch has been tested successfully with branch sites and their hub. Of course if there are any problems or deficiencies with the patch, we will update it immediately.

--
Matthew McNaney
Electronic Student Services
Appalachian State University
http://phpwebsite.appstate.edu
From: Matthew M. <ma...@tu...> - 2006-03-27 21:07:41

To tell the truth, I am not sure there is a security risk. Here is the warning: (thanks Kenneth)

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1330

Of course the details of the hack are not listed nor has anyone contacted us about it, but recently they have appeared on security lists. Heck, I don't even know what 'friends.php' is.

Here is article.php:

    if ($_REQUEST['sid']){
        $sid = $_REQUEST['sid'];
        $module = 'announce';
    }
    include('mod.php');

Ok so it changes the $sid to a global variable $sid. Look at mod.php. I won't cut and paste, but basically the $module variable goes into a switch. Nothing is run through the database. It goes into the announce case and builds a new address. The old id is compared to its upgrade array and the new id is added to the address. Finally the new address is sent to the header function and the browser is sent to the new url.

If the $sid variable had some db injection in it, it should get cleaned out on the reroute by the Announce module.

Now there may be something I am missing but so far I don't see any possible hack. Just to be sure though, I put up a notice to just delete those files.

Matt

On Mon, 2006-03-27 at 09:29 -0500, Verdon Vaillancourt wrote:
> I had a couple questions about the recent security warning in regards
> to article.php and friend.php.
>
> 1) article.php is still in the .10.2 distro... just trash it?
>
> 2) what sort of risk are these files? I still have a few sites running
> .8.x code with both these files. These sites are unlikely to be updated
> in the near future. Does the risk extend beyond the individual site, or
> is it a larger risk to the server?
>
> Thanks,
> verdon

--
Matthew McNaney
Electronic Student Services
Appalachian State University
http://phpwebsite.appstate.edu
From: Matthew M. <ma...@tu...> - 2006-01-17 13:08:13

No it currently does not. 1.x will have user/group permissions when released later this year.

On Mon, 2006-01-16 at 20:39 -0600, su...@ve... wrote:
> (apologies if this is duplicated ... )
>
> Hello.
>
> I've recently set up phpwebsite 10.2 and am trying to get security to work.
>
> I really need to control site design as well as create groups of users to maintain their own areas of responsibility in event management, document contributions with appropriate approvals, and specific web page content.
>
> The online manual at http://phpwebsite.appstate.edu/manual/html/ seems to imply that security works.
>
> Can it do the above? From preliminary testing, it looks like security is not quite able to do some of this ...
>
> Thanks!

--
Matthew McNaney
Electronic Student Services
Appalachian State University
http://phpwebsite.appstate.edu
From: <su...@ve...> - 2006-01-17 02:39:21

(apologies if this is duplicated ... )

Hello.

I've recently set up phpwebsite 10.2 and am trying to get security to work.

I really need to control site design as well as create groups of users to maintain their own areas of responsibility in event management, document contributions with appropriate approvals, and specific web page content.

The online manual at http://phpwebsite.appstate.edu/manual/html/ seems to imply that security works.

Can it do the above? From preliminary testing, it looks like security is not quite able to do some of this ...

Thanks!
From: <su...@ve...> - 2006-01-17 02:36:19

Hello.

I've recently set up phpwebsite 10.2 and am trying to get security to work.

I really need to control site design as well as create groups of users to maintain their own areas of responsibility in event management, document contributions with appropriate approvals, and specific web page content.

The online manual at http://phpwebsite.appstate.edu/manual/html/ seems to imply that security works.

Can it do the above? From preliminary testing, it looks like security is not quite able to do some of this ...

Thanks!
From: Matthew M. <ma...@tu...> - 2005-07-08 12:16:35

Sorry all, the correct link was on the home page. I copied the wrong one. Here it is again.

http://phpwebsite.appstate.edu/downloads/security/phpwebsite_security_patch_20050707.1.tgz

On Thu, 2005-07-07 at 17:36 -0400, Tony Miller wrote:
> It tells me a Bad URL.
>
> -Tony
>
> On Thu, 7 Jul 2005, Matthew McNaney wrote:
>
> > Hello all,
> >
> > There was an issue with the security.php file causing problems with some
> > modules. A new patch has been created to fix it.
> > http://phpwebsite.appstate.edu/downloads/security/phpwebsite_security_patch_20050705.2.tgz
> > 14272205b7ef11e8587fb726c0a0acca
> >
> > Your system is still safe with the previous patch, however you may
> > experience problems with some modules using spaces in their urls.
> >
> > Thanks,
> > Matt
> >

--
Matthew McNaney
Electronic Student Services
Appalachian State University
http://phpwebsite.appstate.edu
From: Verdon V. <ve...@la...> - 2005-07-07 22:48:58

Try the link off the announ summary at appstate

On 7-Jul-05, at 5:36 PM, Tony Miller wrote:
> It tells me a Bad URL.
>
> -Tony
>
> On Thu, 7 Jul 2005, Matthew McNaney wrote:
>
>> Hello all,
>>
>> There was an issue with the security.php file causing problems with
>> some
>> modules. A new patch has been created to fix it.
>> http://phpwebsite.appstate.edu/downloads/security/phpwebsite_security_patch_20050705.2.tgz
>> 14272205b7ef11e8587fb726c0a0acca
>>
>> Your system is still safe with the previous patch, however you may
>> experience problems with some modules using spaces in their urls.
>>
>> Thanks,
>> Matt
>>
>
> --
> Hometown Enterprises Internet Services
> Professional, affordable web design and hosting.
> http://www.hteis.com/
From: Tony M. <to...@ht...> - 2005-07-07 22:37:28

It tells me a Bad URL.

-Tony

On Thu, 7 Jul 2005, Matthew McNaney wrote:
> Hello all,
>
> There was an issue with the security.php file causing problems with some
> modules. A new patch has been created to fix it.
> http://phpwebsite.appstate.edu/downloads/security/phpwebsite_security_patch_20050705.2.tgz
> 14272205b7ef11e8587fb726c0a0acca
>
> Your system is still safe with the previous patch, however you may
> experience problems with some modules using spaces in their urls.
>
> Thanks,
> Matt
>

--
Hometown Enterprises Internet Services
Professional, affordable web design and hosting.
http://www.hteis.com/
From: Matthew M. <ma...@tu...> - 2005-07-07 19:16:24

Hello all,

There was an issue with the security.php file causing problems with some modules. A new patch has been created to fix it.

http://phpwebsite.appstate.edu/downloads/security/phpwebsite_security_patch_20050705.2.tgz
14272205b7ef11e8587fb726c0a0acca

Your system is still safe with the previous patch, however you may experience problems with some modules using spaces in their urls.

Thanks,
Matt

--
Matthew McNaney
Electronic Student Services
Appalachian State University
http://phpwebsite.appstate.edu