e107 vulnerability

admin by admin in

Thought I'd better post this for anyone that's worried about this vulnerability that's been reported.

Thought I'd better post this for anyone that's worried about this vulnerability that's been reported.

The code that's been posted to enable anyone to grab a dump of the database has been incorrectly written, however there is a chance it could be used if the code is altered slightly. For this reason I'd recommend deleting the db.php from the /admin folder of your e107 installation. The db_dump code was (as stated during the time of it's release) alpha code and depending on some php.ini settings did not give a reliable backup anyway, but was left pending a rewrite which has now happened for the upcoming 0.600 release. And just to put everyone's minds at rest, all passwords are one-way encrypted so even if someone managed to obtain a dump they would not be able to gain access to your site or change any information or data contained therein.

I apologise for this problem - I've focused heavily on security issues from the very first version of e107 but this one completely slipped by.

More info at http://securityfocus.com/archive/1/330390/2003-07-22/2003-07-28/2


Social Links