Urgent security warning! READ THIS!

[Stefan]

There have been attacks on WebsiteBaker sites (including my own) in the last days.

To close the vulnerability, immediately replace the file framework/class.login.php by the following (remove the appended '.txt' before uploading):

Version 2.5.2

Version 2.6.0

Also, check if any files have been created in your account that you haven't uploaded / created yourself. If so delete them, or have them deleted by your service provider.

An official patch will be released soon.

[Argos]

Also, check if any files have been created in your account that you haven't uploaded / created yourself. If so delete them, or have them deleted by your service provider.

Look particularly in the Media folder! Delete any non-mediatype files found there. If you have been hacked, you may find for example these files in the Media folder:

cmd.php
suntzu.php
upload.php
index.phprn
some other .php and/or .pl files

Thanks Stefan!

[Ryan]

Please note: this is only an issue on servers where the php magic_quotes_gpc setting is set to off.
I will now make this a top priority to have 2.6.1 released within 2 days, for an official patched version.

[Stefan]

Ryan, please release official patches for 2.5.2 and 2.6.0 immediately and announce them on the main site.

[Argos]

Hm... after patching my 2.5.2 sites, I get a completely blank screen after logging in. Only after going back in my browser and doing a refresh, I get access to the admin.

The 2.6 version is okay.

[Ryan]

Sorry Stefan, I am just about to go to bed - in fact, if I did not decide to check the forum, I would be sleeping right now.
I will do it first thing tomorrow morning. Sorry guys.
In the mean time, we really needa get the SVN repo fixed before we can touch it (I dont want to do any commits until we do the branch - I will send a quick email now.

[Hans]

I have several WB sites with versions earlier than 2.5.2. (2.5.1, 2.3.1 amongst others). Does this vulnerablitiy threaten those sites too? I changed some things in those scripts so that it is not possible to upgrade. If this affects < 2.5.2 sites, can I use the patch for 2.5.2 or could somebody write a patch for those earlier versions?
Thanks!
Hans

[mroony]

So far I have applied the patches to 4 sites... 2 are 2.5.2 and 2 are 2.6.  Good on all fronts.  Thank you for the swift response.

[Stefan]

All versions of WebsiteBaker are affected as far as I know.
Best is to upgrade to 2.5.2 and apply the patch.

[Argos]

Am I the only one with the blank screen problem? Does any of the coders know what to do about it?

[i2Paq]

Also, check if any files have been created in your account that you haven't uploaded / created yourself. If so delete them, or have them deleted by your service provider.

Look particularly in the Media folder! Delete any non-mediatype files found there. If you have been hacked, you may find for example these files in the Media folder:

cmd.php
suntzu.php
upload.php
index.phprn
some other .php and/or .pl files

Thanks Stefan!

Checked all my sites, 1 had this file in the \media; tpl.gif.php

It points to http://ccteam.ru/releases/c99shell

c99shell.php v.1.0 pre-release build #16
*                     Freeware license.
*                        © CCTeaM.

If you want I can send the file

The funny thing is that this site is hosted on a server with PHP-safe-mode = on

[Ryan]

Ok, the trunk has been patched. I am not sure what to do next - release 2.6.1?

[Ryan]

Ok, 2.6.1 is out with a notice about why (the security vuln). Is this enough, or do we need more?

[i2Paq]

Could someone explain to my what they would gain from hacking a WB site other then destroying someones hard work?

[kibmcz]

Could someone explain to my what they would gain from hacking a WB site other then destroying someones hard work?

some people get a kick out of defacing websites

[Woudloper]

Could someone explain to my what they would gain from hacking a WB site other then destroying someones hard work?

Mostly it are scriptkiddies doing these thing. The like it to screw up other peoples work...

[Stefan]

@Ryan
A patch for 2.5.2 should be officially released too.
And it would be good to send an announcement message to all community members.

[Olli]

thanks for the fix so far!

[zaggi]

I was so much hacket... They puttet up shells and all on my server.. Crap! ... :/
But looks like they didnt do anything els than that.. Thx god..

But it really sucks anyway...

[teressa]

I didn't get hacked, but my generic.php tells me

magic_quotes_gpc   On   On
magic_quotes_runtim e   Off   Off
magic_quotes_sybase   Off   Off


but I don't use front-end login, don't know if that makes a difference. Anyway, I patched all my 2.5.2 sites, (don't have any 2.6 sites) They look fine. Ryan you should send out an email to everyone.

[SuE]

the vulnerability is also reported at secunia : http://secunia.com/advisories/17945/
with no solution there which may encourage another hackers   
the message to all users may help

[jschor]

I replaced the class.login.php in one of my 2.5.2 installations. When see the login page but when i give username and password i get the following error
Warning: Cannot modify header information - headers already sent by (output started at /usr/home/rpl/domains/rpl.nl/public_html/wb/framework/class.login.php:361) in /usr/home/rpl/domains/rpl.nl/public_html/wb/framework/class.login.php on line 134

When i then remove /login/index.php and enter again i do come in the admin area (start/index.php).
Before i replace the file in all my installations maybe someone can help me with this.

Update: This seems to be solved with the new fix.

[Ryan]

Hi guys,

Check your inboxes - I just sent out a forum-wide email, with links to the official patches.
Sorry I took so long - I've been extremely busy getting better and then working on my dads new offices, which will be supplying OSB with the AGM board room (more on that to come).

[rabsaul]

Pardon me for my ignorance, but how can one tell if the server has magic_quotes_gpc set to off?

Thx! 

[Axel Krüger]

<?
echo phpinfo();
?>