WebsiteBaker Community Forum

WebsiteBaker => Security Announcements => Topic started by: Ryan on May 16, 2006, 03:21:17 PM

Title: Security Vulnerabilities in WB <= 2.6.3 sites that support public login, reg.
Post by: Ryan on May 16, 2006, 03:21:17 PM

Hi all,

Unfortunetely we have had a ticket (http://projects.WebsiteBaker.org/websitebaker2/ticket/237) recently regarding possible security vulnerabilities in all current versions of WebsiteBaker (i.e. 2.6.3 or earlier).
After looking at the ticket, and other area's of code more closely, our development team have found several possible flaws that can be exploited.

Thankfully, as I believe, the problems can only be exploited if the frontend login and/or registration is enabled, hopefully making it an isolated case.
At this current time, we haven't fully patched and tested our code.
However, we are working on it and will have an official release (and patch) available with the fixes ASAP.
Another possible (but not yet verified) flaw is with the guestbook module, or any other publicly accessable module that doesn't properly clean users input.

For now, if you are wanting to best protect yourself (mainly for those sites with public login/registration enabled), you can do the following:
- Disabled public login and registration until fixes are made
AND/OR
- Attempt to upgrade to the latest subversion trunk (recommended for advanced users only)

If you would like to export from trunk, please use http://svn.WebsiteBaker.org/websitebaker2/
Thankfully, we recently had anonymous access fixed, so you should easily be able to checkout.

The development team will be sure to keep everyone posted - with the latest important developments to be placed here for your convenience.

If you would like to discuss this post, please do so here (http://forum.WebsiteBaker.org/index.php/topic,3243.0.html) (to avoid cluttering/crowding the thread from important announcements).

Apologies for any inconvenience caused.

Regards,


Ryan Djurovich

Title: Re: Security Vulnerabilities in WB <= 2.6.3 sites that support public login, reg
Post by: Stefan on May 16, 2006, 05:01:10 PM

You can download a patched version of signup2.php from my server:
http://stefan-braunewell.de/wb/download/signup2.php.zip
I strongly advise to do so immediately and replace the file in the directory account by the php file inside the archive.

Title: Re: Security Vulnerabilities in WB <= 2.6.3 sites that support public login, reg
Post by: Ryan on May 17, 2006, 12:12:10 AM

Here is a direct link to the latest version of signup2.php from the subversion repository:
http://projects.WebsiteBaker.org/websitebaker2/browser/trunk/wb/account/signup2.php?format=raw

Title: Re: Security Vulnerabilities in WB <= 2.6.3 sites that support public login, reg
Post by: Ryan on May 21, 2006, 01:53:09 PM

We have finished fixing all possible (known) problems, and the fixes have been included in 2.6.4
I strongly advise updating to it ASAP (a smaller patch-only download will be available in the next few days, so if you can't download the whole file, then please be patient).
Hopefully this will put an end to the security holes discovered recently.