Yesterday I discovered a recent ticket regarding a possible vulnerability in WebsiteBaker version 2.6.5 (or earlier).
To view the ticket please visit: http://projects.WebsiteBaker.org/websitebaker2/ticket/376
Please make note of the following information:
Successful exploitation requires that "magic_quotes_gpc" is disabled.
This means that most users should be safe, as magic_quotes_gpc is turned on by default.
Since discovering the exploit, our Development team, specifically Matthias, has worked hard to provide a fix.
There is a single file that has been modified...
- to view changes, please see: http://projects.WebsiteBaker.org/websitebaker2/changeset/423
- to download the file, visit: http://projects.WebsiteBaker.org/websitebaker2/browser/branches/2.6.x/wb/framework/class.login.php?format=raw
Alternatively, you can export the following Subversion URL for a "snapshot" of the soon-to-be-released 2.6.6:http://svn.WebsiteBaker.org/websitebaker2/branches/2.6.x/
As mentioned above, 2.6.6 will be released soon - it just has to be officially tested and released.
We have done our best to respond to this problem as quick as possible, as we realise it may seriously affect some users.
For this purpose, we have placed this announcement in the security announcements board.
I would like to thank the Development team for their great work on this fix