• cauld
  • Administrator
  • Offline
  • From: California, USA
  • Registered: 2008-05-02
  • Posts: 599

Topic: Recent Security Report

Hello everyone,

You may or may not be aware, but within the last day or two there has been a SQL Injection security report flying around the web.  We have taken time to carefully review the report and wanted to make you aware of our finding.  The report can be found here for reference - http://secunia.com/advisories/31584/.

The first three reported exploits claim that input passed to the "id" parameter in index.php (when "option" is set to "com_content" and "task" to "view", "category", or "blogsection") is not properly sanitized before being used in SQL queries.

This problem is the incorrect sanitization of $id in the mod_socialbits.php .

We'll provide an immediate patch very shortly.

Thanks for your patience and understanding


MiaCMS Team

http://brilaps.com
http://opensourcepenguin.net

cauld's Website

  • ocs
  • Administrator
  • Offline
  • From: San Francisco, CA
  • Registered: 2008-05-02
  • Posts: 454

Re: Recent Security Report

Hello all,

The patch is available for download at http://miacms.googlecode.com/files/MiaC … atch_1.zip

or, http://code.google.com/p/miacms/downloads/list

Please download the take a look at the README.TXT in the zipfile.

Happy patchin'

http://brilaps.com || http://blog.ocszone.com || http://miacms.org

ocs's Website

  • From: Ankara, TURKEY
  • Registered: 2008-05-28
  • Posts: 150

Re: Recent Security Report

thanks guys

Last edited by masoksian (2008-08-27 22:43:39)

Linux, Delphi, Eclipse,
  • From: IRAN ~ U.A.E
  • Registered: 2008-05-12
  • Posts: 47

Re: Recent Security Report

thanks guys wink

پشتیبانی فارسی مدیریت محتوای مامبو جوملا
پشتیبانی فارسی  انجمن اس ام اف SMF

mambolearn's Website

  • From: Hannover, Germany
  • Registered: 2008-05-16
  • Posts: 28

Re: Recent Security Report

Hi, I'm a guy wearing suspenders and belt - i.e. I am running 4.6.4 and 4.6.5 parallel.
I applied the patch to 4.6.5 - went like charm (thank you guys for your great work).
Should/Can I apply the patch to the 4.6.4 site too?

Edward Abbey: "When the situation is hopeless, it's too late to be serious, be playful...."

baerdel's Website

  • From: Florida, USA
  • Registered: 2008-05-12
  • Posts: 88

Re: Recent Security Report

Hi,

I would update the 4.6.4 to the latest and apply the patch keeping both up-to-date.

People should keep their cms up to date.

www.xtremeopensource.org | www.gemologyexchange.com

hazman's Website

  • cauld
  • Administrator
  • Offline
  • From: California, USA
  • Registered: 2008-05-02
  • Posts: 599

Re: Recent Security Report

Outside of the security patch there are a few other minor fixes in there too so you should upgrade to 4.6.5 first and then apply the patch.

http://brilaps.com
http://opensourcepenguin.net

cauld's Website

  • ocs
  • Administrator
  • Offline
  • From: San Francisco, CA
  • Registered: 2008-05-02
  • Posts: 454

Re: Recent Security Report

removing those security posts. obvious spams. disregard whatever was in those posts.

http://brilaps.com || http://blog.ocszone.com || http://miacms.org

ocs's Website