The Joomla! Forum ™
Post new topic Reply to topic  [ 18 posts ] 
PostPosted: Wed Jun 18, 2008 8:39 pm 
User avatar
Joomla! Ace
Joomla! Ace

Joined: Thu Feb 22, 2007 9:19 pm
Posts: 1270
[mod note | astgeorge]
A security alert has recently been issued for the extension AEC (Account Expiration Control). The extension has temporarily been suspended from the JED (Joomla! Extensions Directory) and the developer has been contacted.

This exploit allows an attacker to remotely execute arbitrary SQL commands via the usage parameter in the subscribe action. By doing this, an attacker could potentially gain access to your SQL DB as well as inject code into your template index.php file. You can read more about this exploit at the National Vulnerability Database located here:

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2632

and also here:

http://xforce.iss.net/xforce/xfdb/42794

Furthermore, there have been some nasty PERL scripts created to automate this exploit. I will not be posting the links to said automated scripts in this post for fear that they might be used for harm rather than good. The recommendation is that if you are currently using this extension, discontinue use immediately until we have notice of a patch created by the extension's developer. To see if you have been exploited, check your index.php file or view the source of your main page and look for any unwanted or unsolicited code.

cheers

Aaron

_________________
Aaron St. George

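The check the mod note recommends (look through the template index.php for code you did not put there, and compare it against a known-clean copy) can be scripted. This is an added example, not code from the thread or from the AEC project; the template content, the URL and the hash are constructed for illustration, and the patterns are only a starting list of things that should not appear in a normal template.

```python
import hashlib
import re

# Constructed sample of a Joomla 1.0-era template index.php after an injection.
# The zero-size iframe and the eval(base64_decode(...)) line are the constructed
# "unwanted code"; the rest is ordinary template markup.
SAMPLE_INDEX_PHP = """<?php defined('_VALID_MOS') or die('Restricted access'); ?>
<html>
<head><title>Site</title></head>
<body>
<?php /* page body goes here */ ?>
<iframe src="http://example.invalid/x.html" width="0" height="0"></iframe>
<?php eval(base64_decode('aGVsbG8=')); ?>
</body>
</html>
"""

# Constructs that do not belong in a template: hidden iframes, obfuscated
# PHP execution and script includes pulled from another host.
SUSPICIOUS = [
    ("hidden iframe", re.compile(r'<iframe[^>]*(width|height)\s*=\s*["\']?0', re.I)),
    ("eval of decoded payload", re.compile(r'eval\s*\(\s*(base64_decode|gzinflate|str_rot13)', re.I)),
    ("remote script include", re.compile(r'<script[^>]+src\s*=\s*["\']https?://', re.I)),
]


def scan_template(source: str):
    """Return (line_number, label, line) for every line matching a SUSPICIOUS pattern."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for label, pattern in SUSPICIOUS:
            if pattern.search(line):
                hits.append((lineno, label, line.strip()))
    return hits


def matches_baseline(source: str, expected_sha256: str) -> bool:
    """True if the file still matches the SHA-256 recorded from a known-clean copy."""
    return hashlib.sha256(source.encode()).hexdigest() == expected_sha256


if __name__ == "__main__":
    for lineno, label, line in scan_template(SAMPLE_INDEX_PHP):
        print(f"line {lineno}: {label}: {line}")
```

Record the baseline hash right after a clean install or upgrade; a hash mismatch on a file you have not edited is the signal to inspect, even when no pattern fires.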
PostPosted: Thu Jun 19, 2008 1:41 am 
User avatar
Joomla! Explorer
Joomla! Explorer

Joined: Thu May 04, 2006 9:11 am
Posts: 479
Location: Germany
After some back and forth (and a lot of me being boneheaded), I can confirm this. I also have a fix which I will release within 24 hours (as the next release candidate for the upcoming stable version). The release will be announced on the globalnerd.org forums. My apologies for the serious inconvenience caused.

_________________
Developer of the AEC Membership Management Component: http://valanx.org
Fellow of the Free Software Foundation Europe (and so can you: http://www.fsfe.org !)
PostPosted: Thu Jun 19, 2008 2:01 am 
User avatar
Joomla! Ace
Joomla! Ace

Joined: Thu Feb 22, 2007 9:19 pm
Posts: 1270
skOre,

No need to apologize; what is important is that you are doing what needs to be done to fix it and having the composure to deal with the issue in a professional manner. I personally use your component with paid support on my production website. So after we found the vulnerability I was a tad bit disappointed; however, I am very excited to see you so proactive in pursuing a fix. Please let me know when you have something, as I would like to implement it so that I can feel comfortable continuing to use your extension.

cheers

Aaron
[astgeorge]

_________________
Aaron St. George
PostPosted: Thu Jun 19, 2008 9:09 am 
User avatar
Joomla! Explorer
Joomla! Explorer

Joined: Thu May 04, 2006 9:11 am
Posts: 479
Location: Germany
PM sent.

I worked some more extra hours last night and have the problem fixed. This will indeed be released later today along with some more fixes and features.

_________________
Developer of the AEC Membership Management Component: http://valanx.org
Fellow of the Free Software Foundation Europe (and so can you: http://www.fsfe.org !)
PostPosted: Fri Jun 20, 2008 3:13 pm 
User avatar
Joomla! Master
Joomla! Master

Joined: Mon Aug 29, 2005 10:17 am
Posts: 14026
Location: Netherlands/ UK/ S'pore/Jakarta/ North America
skOre wrote:
This will indeed be released later today along with some more fixes and features.
Any progress my friend?

Leo

_________________
-- Joomla Professional Support Services : http://gws-desk.com --
-- Good & Cheap Joomla Sites Ready To Roll : http://gws-deals.today --
-- Joomla Specialized Hosting Solutions : www.gws-host.com --
-- Member Joomla Bug Squad --
PostPosted: Fri Jun 20, 2008 3:29 pm 
User avatar
Joomla! Explorer
Joomla! Explorer

Joined: Thu May 04, 2006 9:11 am
Posts: 479
Location: Germany
Yes, I'm pretty much done, just doing the regular last tests - a strange bug has suddenly started to show up (with the hacks) and I have yet to confirm that it's not related to the AEC itself (since it stems from code that is three months old). After that, it's immediate go. My apologies for the delay.

_________________
Developer of the AEC Membership Management Component: http://valanx.org
Fellow of the Free Software Foundation Europe (and so can you: http://www.fsfe.org !)
PostPosted: Fri Jun 20, 2008 3:39 pm 
User avatar
Joomla! Master
Joomla! Master

Joined: Mon Aug 29, 2005 10:17 am
Posts: 14026
Location: Netherlands/ UK/ S'pore/Jakarta/ North America
No issue on delay,

Glad to see that you are so committed and acting fast.

Kudos for that!

Leo 8)

note: my message on your forum stands though

_________________
-- Joomla Professional Support Services : http://gws-desk.com --
-- Good & Cheap Joomla Sites Ready To Roll : http://gws-deals.today --
-- Joomla Specialized Hosting Solutions : www.gws-host.com --
-- Member Joomla Bug Squad --
PostPosted: Fri Jun 20, 2008 4:42 pm 
Joomla! Fledgling
Joomla! Fledgling

Joined: Fri Jun 20, 2008 4:23 pm
Posts: 4
skOre wrote:
Yes, I'm pretty much done, just doing the regular last tests - a strange bug has suddenly started to show up (with the hacks) and I have yet to confirm that it's not related to the AEC itself (since it stems from code that is three months old). After that, it's immediate go. My apologies for the delay.


Thanks skOre for your immediate response!! I am looking forward to that release, hopefully today... :)
PostPosted: Fri Jun 20, 2008 4:49 pm 
Joomla! Fledgling
Joomla! Fledgling

Joined: Fri Jun 20, 2008 4:23 pm
Posts: 4
skOre wrote:
Yes, I'm pretty much done, just doing the regular last tests - a strange bug has suddenly started to show up (with the hacks) and I have yet to confirm that it's not related to the AEC itself (since it stems from code that is three months old). After that, it's immediate go. My apologies for the delay.


skOre, could you please start a new pinned thread on your forum with the release of the new version? That would make it easier for everyone to see...

Thank you again!!
PostPosted: Fri Jun 20, 2008 5:08 pm 
User avatar
Joomla! Explorer
Joomla! Explorer

Joined: Thu May 04, 2006 9:11 am
Posts: 479
Location: Germany
Will do.

_________________
Developer of the AEC Membership Management Component: http://valanx.org
Fellow of the Free Software Foundation Europe (and so can you: http://www.fsfe.org !)
PostPosted: Sat Jun 21, 2008 12:29 am 
User avatar
Joomla! Explorer
Joomla! Explorer

Joined: Thu May 04, 2006 9:11 am
Posts: 479
Location: Germany
It did take me a bit longer, but here is the release announcement for an updated version:

Globalnerd.org Development Forums (free registration required)

_________________
Developer of the AEC Membership Management Component: http://valanx.org
Fellow of the Free Software Foundation Europe (and so can you: http://www.fsfe.org !)
PostPosted: Sat Jun 21, 2008 12:43 am 
Joomla! Fledgling
Joomla! Fledgling

Joined: Fri Jun 20, 2008 4:23 pm
Posts: 4
Thank you skOre!! AEC is great, but the support you provide is what it's all about!!
Cheers, friend... :D
PostPosted: Sat Jun 21, 2008 7:29 am 
User avatar
Joomla! Explorer
Joomla! Explorer

Joined: Thu May 04, 2006 9:11 am
Posts: 479
Location: Germany
Well, after such a thing happened, I take that with a grain of salt, but thanks for the heads up!

_________________
Developer of the AEC Membership Management Component: http://valanx.org
Fellow of the Free Software Foundation Europe (and so can you: http://www.fsfe.org !)
PostPosted: Sat Jun 21, 2008 9:23 am 
User avatar
Joomla! Explorer
Joomla! Explorer

Joined: Thu May 04, 2006 9:11 am
Posts: 479
Location: Germany
I've just uploaded an updated stable release for anybody who doesn't want to go dev version, yet also needs the security fix.

_________________
Developer of the AEC Membership Management Component: http://valanx.org
Fellow of the Free Software Foundation Europe (and so can you: http://www.fsfe.org !)
PostPosted: Sat Jun 21, 2008 2:38 pm 
Joomla! Fledgling
Joomla! Fledgling

Joined: Fri Jun 20, 2008 4:23 pm
Posts: 4
skOre wrote:
I've just uploaded an updated stable release for anybody who doesn't want to go dev version, yet also needs the security fix.


Hi skOre, is this updated stable version fully compatible with Joomla 1.0.15?
PostPosted: Sat Jun 21, 2008 2:56 pm 
User avatar
Joomla! Explorer
Joomla! Explorer

Joined: Thu May 04, 2006 9:11 am
Posts: 479
Location: Germany
Hi there,

No, the stable is only compatible up to version 1.0.13 - and always was only compatible to that. I'm afraid you have to use the development version for anything later.

_________________
Developer of the AEC Membership Management Component: http://valanx.org
Fellow of the Free Software Foundation Europe (and so can you: http://www.fsfe.org !)
PostPosted: Tue Nov 11, 2008 9:34 pm 
Joomla! Apprentice
Joomla! Apprentice

Joined: Sun Mar 18, 2007 9:42 pm
Posts: 48
Location: NC
I just heard about this security alert. All of a sudden my AEC stopped working and I get 404 errors. Any other software I can use?
PostPosted: Tue Nov 11, 2008 10:05 pm 
User avatar
Joomla! Explorer
Joomla! Explorer

Joined: Thu May 04, 2006 9:11 am
Posts: 479
Location: Germany
Since the security error has been fixed I guess you could also go with updating?

Besides - stopping working and punching out 404 errors is something that the AEC does not do very often (well, actually not at all). You might want to contact our support on that.

_________________
Developer of the AEC Membership Management Component: http://valanx.org
Fellow of the Free Software Foundation Europe (and so can you: http://www.fsfe.org !)