All PHP related vulnerabilities are fixed in WB-2.8.3-SP4.
The one of FCK will be fixed soon also... but there is no danger for a server running Apache under Linux: "The vulnerability requires that the remote server be running IIS". And remember: WB is developed to run under Linux/Apache primarily.
Manuela
Where can I download an SP 4 or 5 now?
Quote from: kurt peter eibes on June 19, 2015, 10:30:53 PM
Where can I download an SP 4 or 5 now?

http://wiki.WebsiteBaker.org/doku.php/downloads
All PHP related vulnerabilities are fixed in WB-2.8.3-SP4.
The one of FCK will be fixed soon also... but there is no danger for a server running Apache under Linux: "The vulnerability requires that the remote server be running IIS". And remember: WB is developed to run under Linux/Apache primarily.
Why is the next WB version 2.8.4 brought to the users, unusually by modern software standards, with known unsafe modules, and what are the real (very important?) reasons for this strange strategy?
original: New Reports of a Vulnerability in IIS from MSRC Team, 27 Dec 2009
Hi everyone,
On Dec. 23 we were made aware of a new claim of a vulnerability in Internet Information Services (IIS). We are still investigating this issue and are not aware of any active attacks but wanted to let customers know that our initial assessment shows that the IIS web server must be in a non-default, unsafe configuration in order to be vulnerable. An attacker would have to be authenticated and have write access to a directory on the web server with execute permissions which does not align with best practices or guidance Microsoft provides for secure server configuration.
SQL Injection: /wb/admin/pages/modify.php?page_id=1
/wb/modules/edit_module_files.php?page_id=1&mod_dir=news&edit_file=frontend.css&action=edit&page_id=1&section_id=%007e393<script>alert(1)</script>9f8a40a7355f9acf0
/*
// be sure it is numeric
$page_id = intval($page_id);
$section_id = intval($section_id);
*/
To prevent this type of attack, the function for sending header data was reworked in PHP version 5.1.2. Attacks such as the one just described are therefore no longer feasible on current PHP systems.
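
As an added example (not part of the thread and not WebsiteBaker's own code), this shows strict validation of the `page_id` and `section_id` parameters quoted above, compared with the `intval()` coercion from the commented-out snippet. The helper name `require_id` and the sample query strings are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not a WebsiteBaker function): accept only a positive
// decimal integer and reject everything else instead of coercing it.
function require_id(array $query, string $name): int
{
    $raw = $query[$name] ?? null;
    $id = is_string($raw)
        ? filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]])
        : false;
    if ($id === false) {
        // Do not echo the raw value back; name only the parameter.
        throw new InvalidArgumentException("invalid $name");
    }
    return $id;
}

// Constructed query strings: a normal request, then the section_id value
// that was posted in the thread.
$samples = [
    'page_id=1&section_id=7',
    'page_id=1&section_id=%007e393<script>alert(1)</script>9f8a40a7355f9acf0',
];

foreach ($samples as $qs) {
    parse_str($qs, $query);
    try {
        $page_id    = require_id($query, 'page_id');
        $section_id = require_id($query, 'section_id');
        // Values are still encoded on output, even after validation.
        echo 'ok: page ', htmlspecialchars((string) $page_id, ENT_QUOTES, 'UTF-8'),
             ', section ', htmlspecialchars((string) $section_id, ENT_QUOTES, 'UTF-8'), "\n";
    } catch (InvalidArgumentException $e) {
        // intval() alone would silently turn the same input into 0 and the
        // request would continue with a wrong id instead of being refused.
        echo 'rejected (', $e->getMessage(), '); intval() would give ',
             intval($query['section_id']), "\n";
    }
}
```

The first sample passes; the second is refused at the validation step, so the markup in `section_id` never reaches an output context.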