Author Topic: Security vulnerability in WB <= 2.6.5 with REMEMBER_ME feature  (Read 27711 times)

Ryan
Security vulnerability in WB <= 2.6.5 with REMEMBER_ME feature
« on: January 30, 2007, 10:40:00 AM »
Hi all,

Yesterday I discovered a recent ticket regarding a possible vulnerability in WebsiteBaker version 2.6.5 (or earlier).
To view the ticket please visit: http://projects.WebsiteBaker.org/websitebaker2/ticket/376

Please make note of the following information:
Quote
Successful exploitation requires that "magic_quotes_gpc" is disabled.
This means that most users should be safe, as magic_quotes_gpc is turned on by default.

Since discovering the exploit, our Development team, specifically Matthias, has worked hard to provide a fix.
There is a single file that has been modified...
- to view changes, please see: http://projects.WebsiteBaker.org/websitebaker2/changeset/423
- to download the file, visit: http://projects.WebsiteBaker.org/websitebaker2/browser/branches/2.6.x/wb/framework/class.login.php?format=raw

Alternatively, you can export the following Subversion URL for a "snapshot" of the soon-to-be-released 2.6.6:
http://svn.WebsiteBaker.org/websitebaker2/branches/2.6.x/

As mentioned above, 2.6.6 will be released soon - it just has to be officially tested and released.

We have done our best to respond to this problem as quickly as possible, as we realise it may seriously affect some users.
For this purpose, we have placed this announcement in the security announcements board.

I would like to thank the Development team for their great work on this fix :wink:

Ryan.
Website Baker Project Founder
https://WebsiteBaker.org

To contact me via email, visit:
www.ryandjurovich.c om

ruebenwurzel
Re: Security vulnerability in WB <= 2.6.5 with REMEMBER_ME feature
« Reply #1 on: January 30, 2007, 11:49:48 AM »
Hello,

I especially want to thank ozsynergy, who posted the fix in this thread:

http://forum.WebsiteBaker.org/index.php/topic,5241.msg32953.html#msg32953

Matthias
« Last Edit: January 30, 2007, 01:42:11 PM by ruebenwurzel »

Ryan
Re: Security vulnerability in WB <= 2.6.5 with REMEMBER_ME feature
« Reply #2 on: January 30, 2007, 12:16:48 PM »
Matthias,

There is no need for your link as the file I mentioned above can be downloaded via Trac using:
http://projects.WebsiteBaker.org/websitebaker2/browser/branches/2.6.x/wb/framework/class.login.php?format=raw
or even straight out of svn using:
http://svn.WebsiteBaker.org/websitebaker2/branches/2.6.x/wb/framework/class.login.php
(some browsers may need to right click "save as").
 :wink:

Ryan.

ruebenwurzel
Re: Security vulnerability in WB <= 2.6.5 with REMEMBER_ME feature
« Reply #3 on: January 30, 2007, 01:42:45 PM »
Hello,

sorry, removed the link.

Matthias

tomhung
Re: Security vulnerability in WB <= 2.6.5 with REMEMBER_ME feature
« Reply #4 on: June 25, 2007, 09:01:05 PM »
Can we start a mailing list that emails admins with security advisories?  It would help to have a push system instead of a pull.  I.e., I forget to check the forums and don't want to be 120 days vuln to exploits.

G

tomhung
Re: Security vulnerability in WB <= 2.6.5 with REMEMBER_ME feature
« Reply #5 on: June 25, 2007, 09:04:11 PM »
At least put a Sticky message in Announcements > Security Announcements that advises to click "Notify" on the page to get new threads in that forum. 

G

Waldschwein
Re: Security vulnerability in WB <= 2.6.5 with REMEMBER_ME feature
« Reply #6 on: June 26, 2007, 06:26:11 PM »
Hi!
Well, I suggest a news page or a really noticeable news module on the frontpage of WebsiteBaker.org like every (I don't know one besides WB that doesn't have it) other web-software.
The forum is quite confused and not very user friendly I think, especially the section for languages besides English. And in the guest forum there are spam posts for days...

Greets Michael

tomhung
Re: Security vulnerability in WB <= 2.6.5 with REMEMBER_ME feature
« Reply #7 on: June 26, 2007, 07:27:03 PM »
We need something people can subscribe to.  I sorta pay attention to this kinda stuff and missed this vuln for 6 months.  This is because it is a pull system.