Important Security Alert - AEC Subscription Extension

Posted: Wed Jun 18, 2008 8:39 pm
by astgeorge
[mod note | astgeorge]
There has recently been discovered a security alert for the extension AEC (Account Expiration Control). The extension has temporarily been suspended from the JED (Joomla! Extensions Directory) and the developer has been contacted.

This exploit allows an attacker to remotely execute arbitrary SQL commands via the usage parameter in the subscribe action. Using this, an attacker could potentially gain access to your SQL DB as well as inject code into your template index.php file. You can read more about this exploit at the National Vulnerability Database located here:

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2632

and also here:

http://xforce.iss.net/xforce/xfdb/42794

Furthermore, there have been some nasty PERL scripts created to automate this exploit. I will not be posting the links to said automated scripts in this post, for fear that they might be used for harm rather than good. The recommendation is that if you are currently using this extension, discontinue use immediately until we have notice of a patch created by the extension's developer. To see if you have been exploited, check your index.php file or view your source on your main page and look for any unwanted or unsolicited code.

cheers

Aaron
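One way to carry out the check recommended above (compare the template index.php against a known-good copy and flag lines containing constructs that rarely belong in a template), as an added example that is not code from the thread or from the AEC project; the baseline hash and the sample file contents are constructed for illustration:

```python
"""Check a Joomla template index.php for injected code: compare it against a
known-good hash and report lines with suspicious constructs.  Added example,
not from the thread or the AEC project; sample contents are constructed."""
import hashlib
import re

# Constructs that rarely belong in a template file; each hit is a line to inspect.
SUSPICIOUS = [
    re.compile(r"\beval\s*\("),
    re.compile(r"\bbase64_decode\s*\("),
    re.compile(r"<iframe\b[^>]*(visibility\s*:\s*hidden|width\s*=\s*['\"]?0)", re.I),
]


def sha256_text(text):
    """Hex SHA-256 of the file contents, used as the known-good baseline."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def scan_template(text, known_good_sha256=None):
    """Return {'modified': bool or None, 'hits': [(line_no, line), ...]}.

    'modified' is None when no baseline hash is supplied; otherwise it is
    True when the file no longer matches the known-good copy.
    """
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if any(p.search(line) for p in SUSPICIOUS):
            hits.append((line_no, line.strip()))
    modified = None
    if known_good_sha256 is not None:
        modified = sha256_text(text) != known_good_sha256
    return {"modified": modified, "hits": hits}


# Constructed sample: a minimal clean template, and the same file with one
# appended line of obfuscated PHP (placeholder payload, not a real one).
CLEAN = ("<?php defined('_VALID_MOS') or die('Restricted access'); ?>\n"
         "<html><body><?php mosMainBody(); ?></body></html>\n")
TAMPERED = CLEAN + "<?php eval(base64_decode('PLACEHOLDER')); ?>\n"
BASELINE = sha256_text(CLEAN)   # would be taken from the pristine template

if __name__ == "__main__":
    for name, text in (("clean", CLEAN), ("tampered", TAMPERED)):
        result = scan_template(text, BASELINE)
        print(name, "modified:", result["modified"], "hits:", result["hits"])
```

A clean file reports modified False with no hits; the tampered one reports modified True and the appended line number, so either signal alone is enough to warrant a closer look.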

Re: Important Security Alert - AEC Subscription Extension

Posted: Thu Jun 19, 2008 1:41 am
by skOre
After some back and forth (and a lot of me being boneheaded), I can confirm this. I also have a fix which I will release within 24 hours (as the next release candidate for the upcoming stable version). The release will be announced on the globalnerd.org forums. My apologies for the serious inconvenience caused.

Re: Important Security Alert - AEC Subscription Extension

Posted: Thu Jun 19, 2008 2:01 am
by astgeorge
skOre,

No need to apologize what is important is that you are doing what needs to be done to fix it and having the composure to deal with the issue in a professional manner. I personally use your component with paid support on my production website. So after we found the vulnerability I was a tad bit disappointed however I am very excited to see you so proactive in pursuing a fix. Please let me know when you have something as I would like to implement it so that I can feel comfortable continuing to use your extension.

cheers

Aaron
[astgeorge]

Re: Important Security Alert - AEC Subscription Extension

Posted: Thu Jun 19, 2008 9:09 am
by skOre
PM sent.

I worked some more extra hours last night and have the problem fixed. This will indeed be released later today along with some more fixes and features.

Re: Important Security Alert - AEC Subscription Extension

Posted: Fri Jun 20, 2008 3:13 pm
by leolam
skOre wrote: This will indeed be released later today along with some more fixes and features.
Any progress my friend?

Leo

Re: Important Security Alert - AEC Subscription Extension

Posted: Fri Jun 20, 2008 3:29 pm
by skOre
Yes, I'm pretty much done, just doing the regular last tests - a strange bug has suddenly started to show up (with the hacks) and I have yet to confirm that it's not related to the AEC itself (since it stems from code that is three months old). After that, it's immediate go. My apologies for the delay.

Re: Important Security Alert - AEC Subscription Extension

Posted: Fri Jun 20, 2008 3:39 pm
by leolam
No issue on delay,

Glad to see that you are so committed and acting fast.

Kudos for that!

Leo 8)

note: my message on your forum stands though

Re: Important Security Alert - AEC Subscription Extension

Posted: Fri Jun 20, 2008 4:42 pm
by jasonpel
skOre wrote: Yes, I'm pretty much done, just doing the regular last tests - a strange bug has suddenly started to show up (with the hacks) and I have yet to confirm that it's not related to the AEC itself (since it stems from code that is three months old). After that, it's immediate go. My apologies for the delay.
Thanks skOre for your immediate response!! I am looking forward to that release, hopefully today... :)

Re: Important Security Alert - AEC Subscription Extension

Posted: Fri Jun 20, 2008 4:49 pm
by jasonpel
skOre wrote: Yes, I'm pretty much done, just doing the regular last tests - a strange bug has suddenly started to show up (with the hacks) and I have yet to confirm that it's not related to the AEC itself (since it stems from code that is three months old). After that, it's immediate go. My apologies for the delay.
skOre, could you please start a new pinned thread on your forum with the release of the new version? That would make it easier for everyone to see...

Thank you again!!

Re: Important Security Alert - AEC Subscription Extension

Posted: Fri Jun 20, 2008 5:08 pm
by skOre
Will do.

Re: Important Security Alert - AEC Subscription Extension

Posted: Sat Jun 21, 2008 12:29 am
by skOre
It did take me a bit longer, but here is the release announcement for an updated version:

Globalnerd.org Development Forums (free registration required)

Re: Important Security Alert - AEC Subscription Extension

Posted: Sat Jun 21, 2008 12:43 am
by jasonpel
Thank you skOre!! AEC is great, but the support you provide is what it's all about!!
Cheers, friend... :D

Re: Important Security Alert - AEC Subscription Extension

Posted: Sat Jun 21, 2008 7:29 am
by skOre
Well, after such a thing happened, I take that with a grain of salt, but thanks for the heads up!

Re: Important Security Alert - AEC Subscription Extension

Posted: Sat Jun 21, 2008 9:23 am
by skOre
I've just uploaded an updated stable release for anybody who doesn't want to go dev version, yet also needs the security fix.

Re: Important Security Alert - AEC Subscription Extension

Posted: Sat Jun 21, 2008 2:38 pm
by jasonpel
skOre wrote: I've just uploaded an updated stable release for anybody who doesn't want to go dev version, yet also needs the security fix.
Hi skOre, is this updated stable version fully compatible with Joomla 1.0.15?

Re: Important Security Alert - AEC Subscription Extension

Posted: Sat Jun 21, 2008 2:56 pm
by skOre
Hi there,

No, the stable is only compatible up to version 1.0.13 - and always was only compatible to that. I'm afraid you have to use the development version for anything later.

Re: Important Security Alert - AEC Subscription Extension

Posted: Tue Nov 11, 2008 9:34 pm
by tenaj
I just heard about this security alert. All of a sudden my AEC stopped working and I get 404 errors. Any other software I can use?

Re: Important Security Alert - AEC Subscription Extension

Posted: Tue Nov 11, 2008 10:05 pm
by skOre
Since the security error has been fixed I guess you could also go with updating?

Besides - stopping working and punching out 404 errors is something that the AEC does not do very often (well, actually not at all). You might want to contact our support on that.