e107, We've kept it simple, even Sir Stupid says so
Security Update 0.7.20 released

Secunia Research contacted us a few days ago about two potential security issues. We have been working to reproduce and fix the issues, while they have held off making them public.

While I won't go into too much detail, I will say that one involves being able to upload a malicious file. It requires an odd set of preferences and a missing file to allow it to happen, though, so the threat is pretty low in our opinion.

The other was a JavaScript code injection. A user was able to inject JavaScript into a post that would run when an admin edited that user's post. This was only exposed if the site had the 'personal content manager' option enabled in the content plugin.

Both have now been fixed. Thanks again to Secunia for pointing them out to us.

Of course, the release also includes all other bug fixes that have been committed since the last release.

Link to downloads here: http://e107.org/edownload.php

Changes are listed in the changelog.


posted by McFly on Thursday 15 April 2010 - 22:03:18


Comments

C6Dave on 16 Apr : 01:39

Well that caught me by surprise this morning.

Thanks for making e107 as secure as possible everyone.

John Davis on 16 Apr : 10:34

Thanks for the update on the ball, as usual.

Just a quick question. After updating, my file checker is throwing up the same errors (across 3 sites, all on different servers) in ver.php and user.php as after the v0.7.19 update. Has this not been corrected from the last release?

Many thanks again for your superb work

C6Dave on 16 Apr : 11:52

I was using SVN and I had a lot of files that weren't validating using the v7.20 core image, so I replaced those files from the full release and all is now fine.

Last time there was an issue with McFly's timezone on creating the build, if my memory serves me right, so my advice would be to use the core image file from the v0.7.12 full zip and replace any 'non validating' files from that as well.

rgk on 17 Apr : 17:17 Member Of The e107 Support Team

ty for the release

Sobat on 18 Apr : 11:00

Thanks !
Upgrade done on 3 sites without any problem

RNS on 18 Apr : 17:14

I seemed to have lost some of my text edits on custom pages. I can't get a line return to work. Was okay before the upgrade. My text rendering is set as WYSIWYG.

Sorry if this comment should have gone elsewhere...

nlstart on 18 Apr : 19:13

@RNS: please post upgrade/installation problems in the forum [link]

migs on 19 Apr : 06:15

Secunia is saying that 6 of 26 advisories are still unpatched. Is this just a case of them not being updated on the patches, or are there still issues which remain unsolved?

Either way, it isn't good for the e107 image.

C6Dave on 19 Apr : 07:11

If there were known issues, they would have been fixed for v0.7.20

The Beer In Me on 19 Apr : 09:41

Everything working well. I did a .18 to .20 update. No problems found. Thanks for the update!

josicoesp on 19 Apr : 10:57

Updated without problems

Here is the translation to Spanish.

migs on 19 Apr : 11:15

2dopey said:
If there were known issues, they would have been fixed for v0.7.20

I figured as much, but felt it worth mentioning.

steved on 19 Apr : 13:03

@migs - have certainly looked at all those vulnerabilities, and pretty certain all fixed (some rather a long time ago) - just wanted to be sure before contacting Secunia. Got rather diverted by more immediate threats!

migs on 19 Apr : 14:40

Steve, that's exactly what I thought, hence my first question being about whether it was just a case of updating Secunia.

Whilst I was there, I had a scout around. Joomla and Drupal show no outstanding advisories for the core files, but seem to have a ton of issues with plugins. Wordpress has about half a dozen outstanding for the core and a million widget issues. Presumably the plugin/widget issues are 3rd party.

greenpike on 20 Apr : 13:09

All working. Well done, everyone.

Maleko on 22 Apr : 07:23

Updated without problems, thanks!

novabcfc on 24 Apr : 23:20

I received this email today. how would I know if this is covered in this update?

Hello,

Your account, xxxxxxx, has files which are infected with viruses or are otherwise concerning.

You can find a list of potential problem files below.
Contact [email] if you have any questions.

Note that files named core.* can be deleted outright. Most files that mention 'broken executable' are safe to retain. If any of the below files references trojan, bot or worm, it must be removed immediately and the software within your account must be kept up to date to prevent any future exploitations.

/home/xxxxxx/public_html/e107_plugins/calendar_menu/readme.pdf: Exploit.PDF-21809

Thank you,
Fused Network Support

Duce on 25 Apr : 09:14

That looks like a false positive from a clamav scan...
Ask the server administrators to update their anti-virus scanners.

acdb on 13 May : 06:11

About time this was patched!

I had someone upload that "malicious file" to my server. Logs here: [link]

A few ways to protect yourself:
1) In your php.ini file, set "allow_url_fopen = Off" and "allow_url_include = Off" since the hack depends on them.
2) In Apache's httpd.conf, disable PHP Engine in EVERY folder that has write access.
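As an added example (not part of this post, the comments, or the e107 project's own code), the following Python script audits the two hardening steps acdb lists: it parses a php.ini fragment for allow_url_fopen and allow_url_include, parses an Apache httpd.conf for <Directory> blocks, and reports any writable directory whose block does not switch the PHP engine off with mod_php's php_admin_flag engine directive. It also emits a corrected php.ini. Both config fragments, the directory list and every path are constructed for illustration and do not describe a real e107 installation; on a real host you would read the actual files and derive the writable directories from the filesystem.

```python
"""Audit php.ini and httpd.conf for remote-file handling and per-directory PHP engine settings."""
import re

# Constructed php.ini fragment carrying the weak settings (not from any real host).
PHP_INI_SAMPLE = """\
; sample php.ini fragment (constructed)
allow_url_fopen = On
allow_url_include = On   ; nothing on this host needs remote includes
display_errors = Off
"""

# Constructed httpd.conf fragment; /var/www/site is a hypothetical DocumentRoot.
HTTPD_CONF_SAMPLE = """\
# sample httpd.conf fragment (constructed)
<Directory "/var/www/site">
    AllowOverride None
</Directory>
<Directory "/var/www/site/uploads">
    php_admin_flag engine Off
</Directory>
<Directory "/var/www/site/cache">
    AllowOverride None
</Directory>
"""

# Hypothetical list of directories the web server user can write to.
WRITABLE_DIRS = ["/var/www/site/uploads", "/var/www/site/cache"]

# PHP's built-in defaults when a directive is absent: allow_url_fopen is On, allow_url_include is Off.
REMOTE_DIRECTIVES = {"allow_url_fopen": "On", "allow_url_include": "Off"}


def parse_php_ini(text):
    """Return {directive: value} with comments, sections and quoting stripped, lower-cased."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # ';' starts a comment in php.ini
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, _, val = line.partition("=")
        settings[key.strip().lower()] = val.strip().strip('"').lower()
    return settings


def audit_php_ini(text):
    """Return the names of remote-URL directives that are still enabled (explicitly or by default)."""
    settings = parse_php_ini(text)
    return [name for name, default in REMOTE_DIRECTIVES.items()
            if settings.get(name, default.lower()) not in ("off", "0", "")]


def harden_php_ini(text):
    """Return the ini text with both remote-URL directives forced to Off, adding any that are missing."""
    out, seen = [], set()
    for raw in text.splitlines():
        key = raw.split(";", 1)[0].partition("=")[0].strip().lower()
        if key in REMOTE_DIRECTIVES:
            out.append(f"{key} = Off")
            seen.add(key)
        else:
            out.append(raw)
    for name in REMOTE_DIRECTIVES:
        if name not in seen:
            out.append(f"{name} = Off")
    return "\n".join(out) + "\n"


def parse_directory_blocks(text):
    """Map each <Directory path> to the list of directive lines inside that block."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):          # Apache only allows whole-line comments
            continue
        opened = re.match(r'<Directory\s+"?([^">]+)"?\s*>', line, re.I)
        if opened:
            current = opened.group(1).rstrip("/")
            blocks[current] = []
        elif re.match(r"</Directory>", line, re.I):
            current = None
        elif current is not None:
            blocks[current].append(line)
    return blocks


def audit_httpd_conf(text, writable_dirs):
    """Return writable directories whose own <Directory> block does not turn the PHP engine off."""
    blocks = parse_directory_blocks(text)
    engine_off = re.compile(r"php_admin_flag\s+engine\s+off", re.I)
    return [d for d in writable_dirs
            if not any(engine_off.match(x) for x in blocks.get(d.rstrip("/"), []))]


if __name__ == "__main__":
    print("php.ini directives still enabled:", audit_php_ini(PHP_INI_SAMPLE))
    print("writable dirs still executing PHP:", audit_httpd_conf(HTTPD_CONF_SAMPLE, WRITABLE_DIRS))
    print("corrected php.ini:\n" + harden_php_ini(PHP_INI_SAMPLE))
```

On the constructed input the audit flags both php.ini directives and the /var/www/site/cache block, which has no php_admin_flag engine Off. Note that the php.ini check treats an absent allow_url_fopen as enabled, because that is PHP's default; an audit that only looked for lines set to On would miss a file that never mentions the directive.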

