Important Security Alert - AEC Subscription Extension
- astgeorge
- Joomla! Ace
- Posts: 1270
- Joined: Thu Feb 22, 2007 9:19 pm
- Contact:
Important Security Alert - AEC Subscription Extension
[mod note | astgeorge]
A security alert has recently been issued for the extension AEC (Account Expiration Control). The extension has temporarily been suspended from the JED (Joomla! Extensions Directory) and the developer has been contacted.
This exploit allows an attacker to remotely execute arbitrary SQL commands via the usage parameter in the subscribe action. By doing this, an attacker could potentially gain access to your SQL DB as well as inject code into your template index.php file. You can read more about this exploit at the National Vulnerability Database located here:
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2632
and also here:
http://xforce.iss.net/xforce/xfdb/42794
Furthermore, there have been some nasty Perl scripts created to automate this exploit. I will not be posting the links to said automated scripts in this post for fear that they might be used for harm rather than good. The recommendation is that if you are currently using this extension, discontinue use immediately until we have notice of a patch created by the extension's developer. To see if you have been exploited, check your index.php file or view the source of your main page and look for any unwanted or unsolicited code.
cheers
Aaron
Aaron St. George
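The alert's advice to inspect the template index.php for unsolicited code, as an added defender-side example that is not part of the original post or of the AEC component: a small Python integrity check that compares the file against a known-good SHA-256 and flags lines matching common injection indicators. The template text, the injected footer and the baseline hash are all constructed here, and the indicator list is a generic assumption, not something taken from the advisory.

```python
"""Integrity check for a Joomla template index.php.

Added example, not code from the forum thread or the AEC component. It
implements the alert's advice to look through the template file for
unsolicited code: compare the file against a known-good SHA-256 and flag
lines matching common injection indicators. All sample content below is
constructed for the demonstration.
"""
import hashlib
import re

# Heuristic indicators of injected code (assumption: a generic list, not
# derived from the advisory). Each entry is (label, compiled pattern).
SUSPICIOUS_PATTERNS = [
    ("php eval of decoded payload",
     re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I)),
    ("zero-size iframe",
     re.compile(r"<iframe[^>]*\b(width|height)\s*=\s*[\"']?0\b", re.I)),
    ("hidden iframe",
     re.compile(r"<iframe[^>]*visibility\s*:\s*hidden", re.I)),
    ("obfuscated javascript",
     re.compile(r"document\.write\s*\(\s*unescape\s*\(", re.I)),
]


def sha256_text(text):
    """Hex SHA-256 of the file contents (the 'known-good' baseline)."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def scan_template(text, baseline_sha256=None):
    """Return a list of findings for one template file's contents.

    A hash mismatch against the baseline is reported first; then every line
    that matches one of the indicators is reported with its line number.
    An empty list means nothing was flagged.
    """
    findings = []
    if baseline_sha256 is not None and sha256_text(text) != baseline_sha256:
        findings.append("hash mismatch: file differs from known-good baseline")
    for lineno, line in enumerate(text.splitlines(), start=1):
        for label, pattern in SUSPICIOUS_PATTERNS:
            if pattern.search(line):
                findings.append(f"line {lineno}: {label}")
    return findings


# Constructed sample modelled on a Joomla 1.0 template; not a real site file.
CLEAN_TEMPLATE = """<?php defined('_VALID_MOS') or die('Direct Access to this location is not allowed.'); ?>
<html>
<head><?php mosShowHead(); ?></head>
<body>
<?php mosMainBody(); ?>
</body>
</html>
"""

# The same file with a constructed injected footer. The payload is an inert
# placeholder string, not a real one.
INJECTED_TEMPLATE = CLEAN_TEMPLATE.replace(
    "</body>",
    '<iframe src="http://example.invalid/x" width="0" height="0"></iframe>\n'
    '<?php eval(base64_decode("PLACEHOLDER")); ?>\n'
    "</body>",
)

# Baseline recorded when the template was known to be clean.
BASELINE_SHA256 = sha256_text(CLEAN_TEMPLATE)

if __name__ == "__main__":
    for name, content in (("clean", CLEAN_TEMPLATE), ("injected", INJECTED_TEMPLATE)):
        result = scan_template(content, BASELINE_SHA256)
        print(f"{name}: {result or 'no findings'}")
```

The hash comparison is the reliable part: any change to a file that should never change is worth a look, whether or not the pattern list recognises it. The patterns only help prioritise which lines to read first; record the baseline hash from a copy you trust (a fresh install or a backup predating the exposure), not from the live file.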
- skOre
- Joomla! Explorer
- Posts: 474
- Joined: Thu May 04, 2006 9:11 am
- Location: Germany
- Contact:
Re: Important Security Alert - AEC Subscription Extension
After some back and forth (and a lot of me being boneheaded), I can confirm this. I also have a fix which I will release within 24 hours (as the next release candidate for the upcoming stable version). The release will be announced on the globalnerd.org forums. My apologies for the serious inconvenience caused.
Developer of the AEC Membership Management Component: http://valanx.org
Fellow of the Free Software Foundation Europe (and so can you: http://www.fsfe.org !)
- astgeorge
- Joomla! Ace
- Posts: 1270
- Joined: Thu Feb 22, 2007 9:19 pm
- Contact:
Re: Important Security Alert - AEC Subscription Extension
skOre,
No need to apologize; what is important is that you are doing what needs to be done to fix it and having the composure to deal with the issue in a professional manner. I personally use your component with paid support on my production website. So after we found the vulnerability I was a tad bit disappointed; however, I am very excited to see you so proactive in pursuing a fix. Please let me know when you have something, as I would like to implement it so that I can feel comfortable continuing to use your extension.
cheers
Aaron
[astgeorge]
Aaron St. George
- skOre
- Joomla! Explorer
- Posts: 474
- Joined: Thu May 04, 2006 9:11 am
- Location: Germany
- Contact:
Re: Important Security Alert - AEC Subscription Extension
PM sent.
I worked some more extra hours last night and have the problem fixed. This will indeed be released later today along with some more fixes and features.
Developer of the AEC Membership Management Component: http://valanx.org
Fellow of the Free Software Foundation Europe (and so can you: http://www.fsfe.org !)
- leolam
- Joomla! Master
- Posts: 20652
- Joined: Mon Aug 29, 2005 10:17 am
- Location: Netherlands/ Germany/ S'pore/Bogor/ North America
- Contact:
Re: Important Security Alert - AEC Subscription Extension
skOre wrote: This will indeed be released later today along with some more fixes and features.
Any progress, my friend?
Leo
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -
- skOre
- Joomla! Explorer
- Posts: 474
- Joined: Thu May 04, 2006 9:11 am
- Location: Germany
- Contact:
Re: Important Security Alert - AEC Subscription Extension
Yes, I'm pretty much done, just doing the regular last tests - a strange bug has suddenly started to show up (with the hacks) and I have yet to confirm that it's not related to the AEC itself (since it stems from code that is three months old). After that, it's immediate go. My apologies for the delay.
Developer of the AEC Membership Management Component: http://valanx.org
Fellow of the Free Software Foundation Europe (and so can you: http://www.fsfe.org !)
- leolam
- Joomla! Master
- Posts: 20652
- Joined: Mon Aug 29, 2005 10:17 am
- Location: Netherlands/ Germany/ S'pore/Bogor/ North America
- Contact:
Re: Important Security Alert - AEC Subscription Extension
No issue on delay,
Glad to see that you are so committed and acting fast.
Kudos for that!
Leo
note: my msg on your forum stands though
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -
-
- Joomla! Fledgling
- Posts: 4
- Joined: Fri Jun 20, 2008 4:23 pm
Re: Important Security Alert - AEC Subscription Extension
skOre wrote: Yes, I'm pretty much done, just doing the regular last tests - a strange bug has suddenly started to show up (with the hacks) and I have yet to confirm that it's not related to the AEC itself (since it stems from code that is three months old). After that, it's immediate go. My apologies for the delay.
Thanks skOre for your immediate response!! I am looking forward to that release, hopefully today...
-
- Joomla! Fledgling
- Posts: 4
- Joined: Fri Jun 20, 2008 4:23 pm
Re: Important Security Alert - AEC Subscription Extension
skOre wrote: Yes, I'm pretty much done, just doing the regular last tests - a strange bug has suddenly started to show up (with the hacks) and I have yet to confirm that it's not related to the AEC itself (since it stems from code that is three months old). After that, it's immediate go. My apologies for the delay.
skOre, could you please start a new pinned thread on your forum with the release of the new version? That would make it easier for everyone to see...
Thank you again!!
- skOre
- Joomla! Explorer
- Posts: 474
- Joined: Thu May 04, 2006 9:11 am
- Location: Germany
- Contact:
Re: Important Security Alert - AEC Subscription Extension
Will do.
Developer of the AEC Membership Management Component: http://valanx.org
Fellow of the Free Software Foundation Europe (and so can you: http://www.fsfe.org !)
- skOre
- Joomla! Explorer
- Posts: 474
- Joined: Thu May 04, 2006 9:11 am
- Location: Germany
- Contact:
Re: Important Security Alert - AEC Subscription Extension
It did take me a bit longer, but here is the release announcement for an updated version:
Globalnerd.org Development Forums (free registration required)
Developer of the AEC Membership Management Component: http://valanx.org
Fellow of the Free Software Foundation Europe (and so can you: http://www.fsfe.org !)
-
- Joomla! Fledgling
- Posts: 4
- Joined: Fri Jun 20, 2008 4:23 pm
Re: Important Security Alert - AEC Subscription Extension
Thank you skOre!! AEC is great, but the support you provide is what it's all about!!
Cheers, friend...
- skOre
- Joomla! Explorer
- Posts: 474
- Joined: Thu May 04, 2006 9:11 am
- Location: Germany
- Contact:
Re: Important Security Alert - AEC Subscription Extension
Well, after such a thing happened, I take that with a grain of salt, but thanks for the heads up!
Developer of the AEC Membership Management Component: http://valanx.org
Fellow of the Free Software Foundation Europe (and so can you: http://www.fsfe.org !)
- skOre
- Joomla! Explorer
- Posts: 474
- Joined: Thu May 04, 2006 9:11 am
- Location: Germany
- Contact:
Re: Important Security Alert - AEC Subscription Extension
I've just uploaded an updated stable release for anybody who doesn't want to go dev version, yet also needs the security fix.
Developer of the AEC Membership Management Component: http://valanx.org
Fellow of the Free Software Foundation Europe (and so can you: http://www.fsfe.org !)
-
- Joomla! Fledgling
- Posts: 4
- Joined: Fri Jun 20, 2008 4:23 pm
Re: Important Security Alert - AEC Subscription Extension
skOre wrote: I've just uploaded an updated stable release for anybody who doesn't want to go dev version, yet also needs the security fix.
Hi skOre, is this updated stable version fully compatible with Joomla 1.0.15?
- skOre
- Joomla! Explorer
- Posts: 474
- Joined: Thu May 04, 2006 9:11 am
- Location: Germany
- Contact:
Re: Important Security Alert - AEC Subscription Extension
Hi there,
No, the stable is only compatible up to version 1.0.13 - and always was only compatible with that. I'm afraid you have to use the development version for anything later.
Developer of the AEC Membership Management Component: http://valanx.org
Fellow of the Free Software Foundation Europe (and so can you: http://www.fsfe.org !)
-
- Joomla! Apprentice
- Posts: 48
- Joined: Sun Mar 18, 2007 9:42 pm
- Location: NC
- Contact:
Re: Important Security Alert - AEC Subscription Extension
I just heard about this security alert. All of a sudden my AEC stopped working and I get 404 errors. Any other software I can use?
- skOre
- Joomla! Explorer
- Posts: 474
- Joined: Thu May 04, 2006 9:11 am
- Location: Germany
- Contact:
Re: Important Security Alert - AEC Subscription Extension
Since the security error has been fixed, I guess you could also go with updating?
Besides - stopping working and punching out 404 errors is something that the AEC does not do very often (well, actually not at all). You might want to contact our support on that.
Developer of the AEC Membership Management Component: http://valanx.org
Fellow of the Free Software Foundation Europe (and so can you: http://www.fsfe.org !)