From: Matthew M. <ma...@tu...> - 2005-07-05 18:19:02

Diabolic Crab, an independent security researcher at Hackers Center, has revealed some security weaknesses in phpWebSite. Mr. Crab was kind enough to contact us before these holes become public knowledge.

Please download the security patch and untar it in your phpWebSite version 0.10.1 installation directory.

http://phpwebsite.appstate.edu/downloads/security/phpwebsite_security_patch_20050705.2.tgz

--
Matthew McNaney
Electronic Student Services
Appalachian State University
http://phpwebsite.appstate.edu

From: Matthew M. <ma...@tu...> - 2005-07-05 12:21:38

Hello,

There will be a security patch released today addressing vulnerabilities revealed by the Diabolic Crab. He/She was kind enough to point them out before summarizing them to the hackers.

Please watch your email or the home site for more information. Our policy is to not discuss the vulnerabilities until they are posted elsewhere or people have had a reasonable amount of time to patch.

Should have more soon so stay tuned.

--
Matthew McNaney
Electronic Student Services
Appalachian State University
http://phpwebsite.appstate.edu

From: Matthew M. <ma...@tu...> - 2005-03-01 14:50:42

Just a reminder: if you haven't updated your copy of phpwebsite with the new patch, please visit our home page and grab a copy. The patch was updated yesterday with some bug fixes.

--
Matthew McNaney
Electronic Student Services
Appalachian State University
http://phpwebsite.appstate.edu

From: Matthew M. <ma...@tu...> - 2005-02-25 23:09:07

We have created an updated patch.

http://phpwebsite.appstate.edu/downloads/security/phpws_files_security_patch.tgz

It contains the search fix and a new function in the index.php that scrubs ANY uploaded file. This fix should work for all modules.

The calendar and announcement patch file are still on the site.

Thank you for your patience with this issue.

--
Matthew McNaney
Electronic Student Services
Appalachian State University
http://phpwebsite.appstate.edu

From: Brian W. B. <br...@tu...> - 2005-02-25 21:00:55

Last night, a security issue was posted to Bugtraq concerning phpWebSite. You need to take immediate steps to secure your system.

Download the security patch at

http://phpwebsite.appstate.edu/downloads/security/phpws_image_secure_patch.tgz

Untar the file in your phpwebsite installation directory. It will replace:

    mod/calendar/class/Event.php
    mod/calendar/class/Form.php
    mod/announce/class/Announcement.php
    mod/search/class/Search.php

This patch will prohibit normal users from uploading images.

I will also note that this issue was not sent to us before posted to Bugtraq so we were forced to investigate after being alerted. Sorry for the short notice.

--
Brian W. Brown
Director, Electronic Student Services
Room 269, John Thomas Hall
Appalachian State University
Boone, NC 28608
vox: 828-262-7124
http://ess.appstate.edu/
http://phpwebsite.appstate.edu/

From: Steven L. <st...@tu...> - 2005-01-14 19:53:49

Hello Everyone,

A security vulnerability was recently brought to our attention in which someone could hijack a session if they were able to retrieve a URL that had a valid session id in it (i.e. HTTP Referrer). This problem only affects sites that allow for the session id to be passed in the URL when cookies are rejected.

The fix has been applied to the current CVS tree. If you are worried that your site is vulnerable, then the file with the fix can be downloaded from here:

http://res1.stddev.appstate.edu/horde/chora/co.php/phpwebsite/core/Core.php?login=2&r=1.135&p=1

FYI: can only be applied to phpWebSite versions 0.9.3-2 or greater

Diffs are available here:

http://tux.appstate.edu/pipermail/phpwebsite-cvs-notice/2005-January/008774.html

Sites which only allow sessions via cookies are not vulnerable.

--
The phpWebSite Development Team

From: Steven L. <st...@tu...> - 2004-11-16 21:41:30

Sorry Everyone, I am having a real bad day :(

File I just emailed about was 0 bytes.

http://phpwebsite.appstate.edu/downloads/security/phpwebsite-core-security-patch2.tar.gz
md5sum: 1b3153eed4c026289f8744f65e8b922a

Just untar in your phpwebsite base.

--
Steven Levin
Computer Systems Admin I
Electronic Student Services
Appalachian State University
http://phpwebsite.appstate.edu

From: Steven L. <st...@tu...> - 2004-11-16 21:21:45

On Thu, 2004-11-11 at 10:54 -0500, Steven Levin wrote:
> A security vulnerability was brought to our attention recently and we
> have posted a patch to resolve this issue. The patch can be downloaded
> from here:
>
> http://phpwebsite.appstate.edu/downloads/security/phpwebsite-core-security-patch2.tar.gz
> md5sum: fcefda44a8d691c844593d815479a1ce
>
> This patch should only be applied to versions 0.9.3-2 or greater. All
> you need to do is untar the file in the base directory of your
> phpwebsite install.
>
> Thanks to Maestro De-Seguridad for bringing this problem to our
> attention.
>
> We will discuss the security hole in more detail after people have had a
> chance to apply the patch

A small issue was found with the first security patch, nothing major. Please download the latest version and apply.

http://phpwebsite.appstate.edu/downloads/security/phpwebsite-core-security-patch2.tar.gz
md5sum: d41d8cd98f00b204e9800998ecf8427e

Sorry for any inconvenience.

Thanks
phpWebSite Development Team

--
Steven Levin
Computer Systems Admin I
Electronic Student Services
Appalachian State University
http://phpwebsite.appstate.edu

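The announcements above publish an md5sum next to each patch and ask admins to untar it into the install directory; the check below does that comparison before anything is extracted. It is an added example, not part of the original messages or of phpWebSite, and the function names are hypothetical. It also refuses the digest d41d8cd98f00b204e9800998ecf8427e, which is the MD5 of zero bytes of input and so matches the 0-byte upload reported in the follow-up message.

```shell
#!/bin/sh
# Added example: check a downloaded patch archive before untarring it.
# Function names are hypothetical; the digest constant is the MD5 of empty input.

EMPTY_MD5="d41d8cd98f00b204e9800998ecf8427e"

# Print the MD5 hex digest of a file (md5sum on Linux, md5 -q on BSD/macOS).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum < "$1" | cut -d' ' -f1
    else
        md5 -q < "$1"
    fi
}

# verify_patch FILE EXPECTED_MD5
# Returns 0 only if FILE is non-empty and its digest equals EXPECTED_MD5.
# Distinct non-zero codes say why a file was refused.
verify_patch() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')

    # An announced digest equal to the empty-input MD5 describes an empty
    # upload, so a "match" against it proves nothing about the patch.
    if [ "$expected" = "$EMPTY_MD5" ]; then
        echo "refusing: announced digest is the MD5 of an empty file" >&2
        return 2
    fi
    # -s is true only for an existing file larger than 0 bytes.
    if [ ! -s "$file" ]; then
        echo "refusing: $file is missing or 0 bytes" >&2
        return 3
    fi
    actual=$(md5_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "refusing: digest mismatch (got $actual)" >&2
        return 4
    fi
    return 0
}

# Typical use, with the digest from the corrected announcement:
#   verify_patch phpwebsite-core-security-patch2.tar.gz \
#       1b3153eed4c026289f8744f65e8b922a \
#     && tar -tzf phpwebsite-core-security-patch2.tar.gz   # list, then extract
```
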
From: Steven L. <st...@tu...> - 2004-11-11 16:07:05

A security vulnerability was brought to our attention recently and we have posted a patch to resolve this issue. The patch can be downloaded from here:

http://phpwebsite.appstate.edu/downloads/security/phpwebsite-core-security-patch2.tar.gz
md5sum: fcefda44a8d691c844593d815479a1ce

This patch should only be applied to versions 0.9.3-2 or greater. All you need to do is untar the file in the base directory of your phpwebsite install.

Thanks to Maestro De-Seguridad for bringing this problem to our attention.

We will discuss the security hole in more detail after people have had a chance to apply the patch.

The phpWebSite Development Team

--
Steven Levin
Computer Systems Admin I
Electronic Student Services
Appalachian State University
http://phpwebsite.appstate.edu