Important Security Alert - AEC Subscription Extension

astgeorge
Joomla! Ace
Posts: 1270
Joined: Thu Feb 22, 2007 9:19 pm

Important Security Alert - AEC Subscription Extension

Post by astgeorge » Wed Jun 18, 2008 8:39 pm

[mod note | astgeorge]
A security alert has recently been issued for the extension AEC (Account Expiration Control). The extension has temporarily been suspended from the JED (Joomla! Extensions Directory) and the developer has been contacted.

This vulnerability allows an attacker to remotely execute arbitrary SQL commands via the usage parameter in the subscribe action. By doing this an attacker could potentially gain access to your SQL DB as well as inject code into your template's index.php file. You can read more about this vulnerability at the National Vulnerability Database located here:

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2632

and also here:

http://xforce.iss.net/xforce/xfdb/42794

Furthermore, there have been some nasty PERL scripts created to automate this exploit. I will not be posting the links to said automated scripts in this post for fear that they might be used for harm rather than good. The recommendation is that if you are currently using this extension, discontinue use immediately until we have notice of a patch created by the extension's developer. To see if you have been exploited, check your index.php file or view the source of your main page and look for any unwanted or unsolicited code.

cheers

Aaron
Aaron St. George
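The check recommended in the mod note above (look through the template's index.php or the rendered page source for code you did not put there) can be automated. The script below is an added example and is not code from this thread, from the AEC project or from Joomla!. The sample index.php content is constructed for illustration, and the indicator patterns (eval of a decoded payload, hidden iframes, off-site script includes, preg_replace with the /e modifier, request-controlled function names) are assumed generic markers of injected PHP/HTML, not signatures taken from the advisory. A clean result does not prove a site was untouched; it only means none of these markers are present.

```python
import re

# Constructed sample of a template index.php after an injection. This is synthetic
# test input written for this example, not a file captured from a compromised site.
SAMPLE_INDEX_PHP = """<?php
defined('_JEXEC') or die('Restricted access');
?>
<html>
<head><title>Site</title></head>
<body>
<?php eval(base64_decode('ZWNobyAiaGkiOw==')); ?>
<iframe src="http://example.invalid/x.php" width="1" height="1" style="display:none"></iframe>
<script src="http://example.invalid/s.js"></script>
</body>
</html>
"""

# Assumed, illustrative indicators of injected code. They are deliberately broad;
# review every hit by hand rather than treating a match as proof of compromise.
SUSPICIOUS_PATTERNS = [
    ("eval of decoded payload",
     re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13|gzuncompress)\s*\(", re.I)),
    ("hidden iframe",
     re.compile(r"<iframe[^>]*(width=[\"']?[01][\"']?|height=[\"']?[01][\"']?|display\s*:\s*none)", re.I)),
    ("remote script include",
     re.compile(r"<script[^>]+src=[\"']https?://", re.I)),
    ("preg_replace with /e modifier",
     re.compile(r"preg_replace\s*\(\s*[\"'][^\"']*/[a-z]*e[a-z]*[\"']", re.I)),
    ("function name taken from request input",
     re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\(", re.I)),
]


def scan_source(text):
    """Scan PHP/HTML source line by line.

    Returns a list of (line_number, label, stripped_line) tuples, one per matching
    pattern per line, in file order. An empty list means no indicator matched.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for label, pattern in SUSPICIOUS_PATTERNS:
            if pattern.search(line):
                findings.append((lineno, label, line.strip()))
    return findings


def scan_file(path):
    """Read a file from disk (for example templates/<name>/index.php) and scan it."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return scan_source(fh.read())


if __name__ == "__main__":
    import sys
    # With a path argument the real file is scanned; without one the constructed sample is used.
    results = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan_source(SAMPLE_INDEX_PHP)
    if not results:
        print("no indicators matched")
    for lineno, label, line in results:
        print(f"line {lineno}: {label}: {line}")
```

Run it as `python scan_template.py templates/yourtemplate/index.php` (the file name is an assumption) and then compare any hit against a known-good copy of the template from the original download, since a legitimate template can contain an iframe or an external script on purpose.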

skOre
Joomla! Explorer
Posts: 474
Joined: Thu May 04, 2006 9:11 am
Location: Germany

Re: Important Security Alert - AEC Subscription Extension

Post by skOre » Thu Jun 19, 2008 1:41 am

After some back and forth (and a lot of me being boneheaded), I can confirm this. I also have a fix which I will release within 24 hours (as the next release candidate for the upcoming stable version). The release will be announced on the globalnerd.org forums. My apologies for the serious inconvenience caused.
Developer of the AEC Membership Management Component: http://valanx.org
Fellow of the Free Software Foundation Europe (and so can you: http://www.fsfe.org !)

astgeorge
Joomla! Ace
Posts: 1270
Joined: Thu Feb 22, 2007 9:19 pm

Re: Important Security Alert - AEC Subscription Extension

Post by astgeorge » Thu Jun 19, 2008 2:01 am

skOre,

No need to apologize; what is important is that you are doing what needs to be done to fix it and having the composure to deal with the issue in a professional manner. I personally use your component with paid support on my production website. So after we found the vulnerability I was a tad disappointed; however, I am very excited to see you so proactive in pursuing a fix. Please let me know when you have something, as I would like to implement it so that I can feel comfortable continuing to use your extension.

cheers

Aaron
[astgeorge]
Aaron St. George

skOre
Joomla! Explorer
Posts: 474
Joined: Thu May 04, 2006 9:11 am
Location: Germany

Re: Important Security Alert - AEC Subscription Extension

Post by skOre » Thu Jun 19, 2008 9:09 am

PM sent.

I worked some more extra hours last night and have the problem fixed. This will indeed be released later today along with some more fixes and features.

leolam
Joomla! Master
Posts: 20652
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ Germany/ S'pore/Bogor/ North America

Re: Important Security Alert - AEC Subscription Extension

Post by leolam » Fri Jun 20, 2008 3:13 pm

skOre wrote: This will indeed be released later today along with some more fixes and features.
Any progress my friend?

Leo
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -

skOre
Joomla! Explorer
Posts: 474
Joined: Thu May 04, 2006 9:11 am
Location: Germany

Re: Important Security Alert - AEC Subscription Extension

Post by skOre » Fri Jun 20, 2008 3:29 pm

Yes, I'm pretty much done, just doing the regular last tests. A strange bug has suddenly started to show up (with the hacks) and I have yet to confirm that it's not related to the AEC itself (since it stems from code that is three months old). After that, it's an immediate go. My apologies for the delay.

leolam
Joomla! Master
Posts: 20652
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ Germany/ S'pore/Bogor/ North America

Re: Important Security Alert - AEC Subscription Extension

Post by leolam » Fri Jun 20, 2008 3:39 pm

No issue on delay,

Glad to see that you are so committed and acting fast.

Kudos for that!

Leo 8)

note: my message on your forum stands though

jasonpel
Joomla! Fledgling
Posts: 4
Joined: Fri Jun 20, 2008 4:23 pm

Re: Important Security Alert - AEC Subscription Extension

Post by jasonpel » Fri Jun 20, 2008 4:42 pm

skOre wrote: Yes, I'm pretty much done, just doing the regular last tests. A strange bug has suddenly started to show up (with the hacks) and I have yet to confirm that it's not related to the AEC itself (since it stems from code that is three months old). After that, it's an immediate go. My apologies for the delay.
Thanks skOre for your immediate response!! I am looking forward to that release, hopefully today... :)

jasonpel
Joomla! Fledgling
Posts: 4
Joined: Fri Jun 20, 2008 4:23 pm

Re: Important Security Alert - AEC Subscription Extension

Post by jasonpel » Fri Jun 20, 2008 4:49 pm

skOre wrote: Yes, I'm pretty much done, just doing the regular last tests. A strange bug has suddenly started to show up (with the hacks) and I have yet to confirm that it's not related to the AEC itself (since it stems from code that is three months old). After that, it's an immediate go. My apologies for the delay.
skOre, could you please start a new pinned thread on your forum with the release of the new version? That would make it easier for everyone to see...

Thank you again!!

skOre
Joomla! Explorer
Posts: 474
Joined: Thu May 04, 2006 9:11 am
Location: Germany

Re: Important Security Alert - AEC Subscription Extension

Post by skOre » Fri Jun 20, 2008 5:08 pm

Will do.

skOre
Joomla! Explorer
Posts: 474
Joined: Thu May 04, 2006 9:11 am
Location: Germany

Re: Important Security Alert - AEC Subscription Extension

Post by skOre » Sat Jun 21, 2008 12:29 am

It did take me a bit longer, but here is the release announcement for an updated version:

Globalnerd.org Development Forums (free registration required)

jasonpel
Joomla! Fledgling
Posts: 4
Joined: Fri Jun 20, 2008 4:23 pm

Re: Important Security Alert - AEC Subscription Extension

Post by jasonpel » Sat Jun 21, 2008 12:43 am

Thank you skOre!! AEC is great, but the support you provide is what it's all about!!
Cheers, friend... :D

skOre
Joomla! Explorer
Posts: 474
Joined: Thu May 04, 2006 9:11 am
Location: Germany

Re: Important Security Alert - AEC Subscription Extension

Post by skOre » Sat Jun 21, 2008 7:29 am

Well, after such a thing happened, I take that with a grain of salt, but thanks for the heads up!

skOre
Joomla! Explorer
Posts: 474
Joined: Thu May 04, 2006 9:11 am
Location: Germany

Re: Important Security Alert - AEC Subscription Extension

Post by skOre » Sat Jun 21, 2008 9:23 am

I've just uploaded an updated stable release for anybody who doesn't want to go dev version, yet also needs the security fix.

jasonpel
Joomla! Fledgling
Posts: 4
Joined: Fri Jun 20, 2008 4:23 pm

Re: Important Security Alert - AEC Subscription Extension

Post by jasonpel » Sat Jun 21, 2008 2:38 pm

skOre wrote: I've just uploaded an updated stable release for anybody who doesn't want to go dev version, yet also needs the security fix.
Hi skOre, is this updated stable version fully compatible with Joomla 1.0.15?

skOre
Joomla! Explorer
Posts: 474
Joined: Thu May 04, 2006 9:11 am
Location: Germany

Re: Important Security Alert - AEC Subscription Extension

Post by skOre » Sat Jun 21, 2008 2:56 pm

Hi there,

No, the stable is only compatible up to version 1.0.13, and always was only compatible with that. I'm afraid you have to use the development version for anything later.

tenaj
Joomla! Apprentice
Posts: 48
Joined: Sun Mar 18, 2007 9:42 pm
Location: NC

Re: Important Security Alert - AEC Subscription Extension

Post by tenaj » Tue Nov 11, 2008 9:34 pm

I just heard about this security alert. All of a sudden my AEC stopped working and I get 404 errors. Is there any other software I can use?

skOre
Joomla! Explorer
Posts: 474
Joined: Thu May 04, 2006 9:11 am
Location: Germany

Re: Important Security Alert - AEC Subscription Extension

Post by skOre » Tue Nov 11, 2008 10:05 pm

Since the security error has been fixed, I guess you could also go with updating?

Besides, stopping working and punching out 404 errors is something that the AEC does not do very often (well, actually not at all). You might want to contact our support on that.

