Unfortunetely we have had a ticket
recently regarding possible security vulnerabilities in all current versions of WebsiteBaker (i.e. 2.6.3 or earlier).
After looking at the ticket, and other area's of code more closely, our development team have found several possible flaws that can be exploited.
Thankfully, as I believe, the problems can only be exploited if the frontend login and/or registration is enabled, hopefully making it an isolated case.
At this current time, we haven't fully patched and tested our code.
However, we are working on it and will have an official release (and patch) available with the fixes ASAP.
Another possible (but not yet verified) flaw is with the guestbook module, or any other publicly accessable module that doesn't properly clean users input.
For now, if you are wanting to best protect yourself (mainly for those sites with public login/registration enabled), you can do the following:
- Disabled public login and registration until fixes are made
- Attempt to upgrade to the latest subversion trunk (recommended for advanced users only)
If you would like to export from trunk, please use http://svn.WebsiteBaker.org/websitebaker2/
Thankfully, we recently had anonymous access fixed, so you should easily be able to checkout.
The development team will be sure to keep everyone posted - with the latest important developments to be placed here for your convenience.
If you would like to discuss this post, please do so here
(to avoid cluttering/crowding the thread from important announcements).
Apologies for any inconvenience caused.