New update - Potential security vulnerability addressed

Post your support requests/solutions for phpAutoMembersArea (phpAMA).

Moderators: ijyoung, lfhost

Postby davidgwalker » Fri Aug 04, 2006 2:38 pm

Hi Everyone,

I have released an update (yes, the second in as many days); it contains changes to the functions.php file you MUST use.

Download the upgrade now:
http://www.dwalker.co.uk/phpautomembersarea/
Should take only a couple of minutes to apply

This release addresses a security vulnerability as highlighted
by Philipp Niedziela ( http://www.bb-pcsecurity.de ).

The fix is simple, just download the Upgrade above and add the new functions.php file to your server.

This update must be applied to ALL phpAutoMembersArea versions prior to 3.2.5.

When you have upgraded successfully you should be able to login to your admin area and see the new version displayed:
Functions.php: 3.2.5. The version for phpAMA may be shown as an earlier version but this is not an issue, so long as Functions.php shows version 3.2.5.

Ioncube help:
There is a new page for help on installing/setting up the ioncube loaders if anyone needs assistance:
http://www.dwalker.co.uk/phpautomembersarea/ioncube.php

Any issues please post here...

Thanks for reading and update as soon as possible

Dave.

Note - if you are an unregistered user and wish to post a possible bug then you can without logging in here:
http://dwalker.co.uk/forum/viewtopic.php?t=393
davidgwalker
The ONE with the glue (stuck at it) ADMIN
Posts: 1601
Joined: Mon Oct 25, 2004 8:20 pm
Location: Huddersfield, UK

Postby marcus - streamcast.com. » Mon Aug 07, 2006 4:08 am

Dave,

Apologies if this is a stupid question.

To perform the update do we download phpAMA3.2.5.zip (209kB) version and replace the existing functions.php with new one?

Cheers

Marcus
marcus - streamcast.com.
Seems to be staying... Lets see...
Posts: 4
Joined: Wed May 31, 2006 6:13 pm

Postby davidgwalker » Mon Aug 07, 2006 6:35 am

Hi Marcus,

If you look here you will find there are several links to upgrade zip files beneath the link to phpAMA3.2.5.zip link:
http://www.dwalker.co.uk/phpautomembersarea/

First you need to check which version you are using: login to your admin area and there you will find the version shown (bottom right).

If, say, you are currently on version 3.2.2, you need to download and install in sequence:

"from version 3.2.2 to 3.2.3"
"from version 3.2.3 to 3.2.4"
"from version 3.2.4 to 3.2.5"

This must be done NOW - else your site risks being compromised. If you do not have time to apply all the upgrades, then you can just apply the newest one now:
"from version 3.2.4 to 3.2.5"
(this removes the potential security vulnerability, and can be applied in just a few minutes)

Hope that helps.

Dave.

PS. The questions that are not asked are the stupid questions...!

Postby davidgwalker » Tue Aug 08, 2006 3:26 pm

PLEASE NOTE:

Most often the code kiddies and hackers will find your phpAMA members area via Google by doing an inurl search.

Read more here:
http://dwalker.co.uk/forum/viewtopic.php?t=520
Last edited by davidgwalker on Wed Aug 09, 2006 6:53 am, edited 1 time in total.

Postby davidgwalker » Wed Aug 09, 2006 6:52 am

There are still many sites that have not upgraded!

I have even tried to send direct emails to inform many of this fact, yet they ignore me, such as:
https://kym.xlinternet.com.sg/system/members/join.php
[not a registered user, but I sent a notice directly as they are a heavy user that hack my script...]

Please upgrade now or you risk being hacked.

Dave.

Postby support - traders-guild. » Wed Aug 09, 2006 7:53 pm

Thanks for the notification of the update Dave, always reassuring to know that it's being kept on top of ;)

Will have mine updated when I'm back from the kids' break in a couple of days.

Cheers.
support - traders-guild.
Working towards guru status...
Posts: 8
Joined: Mon Feb 06, 2006 9:10 pm

Postby lfhost » Thu Aug 10, 2006 9:40 am

Got mine all updated without issues.

Cheers for updating promptly.
lfhost
Senior Guru
Posts: 204
Joined: Mon Aug 01, 2005 10:27 pm

Postby support - traders-guild. » Thu Aug 10, 2006 2:13 pm

Yep, mine now updated without any issues.

Thanks again Dave.

