WebsiteBaker Announcements

Security Vulnerability (Backup Module in WB Core)

Posted by WB Team on 27.03.2010. Last changed on 27.03.2010.

A security vulnerability in the backup module of the WebsiteBaker Core CMS has been found.
Extended information: the backup module can be triggered by anyone, from anywhere, without logging in, and the resulting backup can be downloaded straight to whatever machine the attacker likes, without you noticing anything.

Affected systems
- WebsiteBaker versions 2.7, 2.8.0 and 2.8.1 (up to SVN revision 1308).
- Every installation that has the Backup module installed is affected. The Backup module is part of WebsiteBaker Core and is installed by default on all installations!

Vulnerability Impact
- An exploit has been published on public exploit sites.
- With this exploit anyone can download the whole database, crack the password hashes it contains and take over the WebsiteBaker installation.

Maximum Severity Rating
- Highest (for systems matching all of the conditions under the Affected Systems section).
- None (for all other systems, e.g. those with the Backup module uninstalled, and versions 2.6.7 and lower).

Instructions how to patch
- There is no supported patch available yet. Uninstall the backup module immediately.
- Change all passwords in every affected WebsiteBaker installation. Also let all your users know.
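Because the download leaves no trace inside WebsiteBaker itself, the only place it can show up is the web server's access log. The following script is an added example, not WebsiteBaker project code, for checking, before and after you uninstall the module, whether modules/backup is still on disk and whether anyone has requested anything under that directory. It assumes the standard WB layout (modules/backup under the WB root), an Apache/nginx "combined" access-log format, and a rough 10 000-byte threshold for "this response carried a real dump"; the sample log lines and the file names in them are constructed placeholders, since the check keys on the directory and not on a specific script.

```python
"""Added example (not WebsiteBaker code): post-advisory checks for the backup module.

Assumptions: WB layout with modules/backup under the WB root, and an
Apache/nginx "combined" access-log format.
"""
import re
from pathlib import Path

# Combined log format: ip ident user [ts] "METHOD path PROTO" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Matched as a substring so installs in a sub-directory (/wb/modules/backup/) are covered.
MODULE_DIR = "/modules/backup/"


def backup_module_present(wb_root):
    """True if modules/backup still exists on disk, i.e. the module was not removed."""
    return (Path(wb_root) / "modules" / "backup").is_dir()


def scan_access_log(lines, min_bytes=10000):
    """Return one record per request that touched the backup module.

    A 200 with a body of at least min_bytes (an assumed threshold) is flagged
    as a likely completed download. The advisory's point is that the request
    needs no login, so every client IP listed here is a suspect.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # not a combined-format line, skip it
        path = m.group("path").split("?", 1)[0].lower()   # drop the query string
        if MODULE_DIR not in path:
            continue
        size = 0 if m.group("size") == "-" else int(m.group("size"))
        status = int(m.group("status"))
        hits.append({
            "ip": m.group("ip"),
            "time": m.group("ts"),
            "path": m.group("path"),
            "status": status,
            "bytes": size,
            "likely_download": status == 200 and size >= min_bytes,
        })
    return hits


# Constructed sample log. The script name under modules/backup/ is a placeholder;
# the check keys on the directory, not on a particular file.
SAMPLE_LOG = [
    '198.51.100.23 - - [27/Mar/2010:10:01:02 +0100] "GET /pages/index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [28/Mar/2010:03:12:45 +0100] "GET /modules/backup/example.php HTTP/1.1" 200 2418733 "-" "curl/7.19"',
    '203.0.113.7 - - [28/Mar/2010:03:13:10 +0100] "GET /wb/modules/backup/example.php?x=1 HTTP/1.1" 200 2418733 "-" "curl/7.19"',
    '192.0.2.44 - - [29/Mar/2010:14:00:00 +0100] "GET /modules/backup/example.php HTTP/1.1" 404 312 "-" "Mozilla/5.0"',
    'this line is not in combined format',
]


def suspicious_downloads(lines=SAMPLE_LOG):
    """Only the hits that look like a completed download."""
    return [h for h in scan_access_log(lines) if h["likely_download"]]


if __name__ == "__main__":
    print("modules/backup present:", backup_module_present("."))
    for h in scan_access_log(SAMPLE_LOG):
        flag = "DOWNLOAD?" if h["likely_download"] else "touched"
        print(f'{flag:9} {h["ip"]:15} {h["time"]} {h["status"]} {h["bytes"]:>8} {h["path"]}')
```

Run it against your real log with `scan_access_log(open("access.log"))`. Every hit with status 200 and a body about the size of your database dump is a completed download, and because the module needed no login, a familiar client address is no reassurance. Treat any such hit as confirmation that the password change above is required, not optional.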

Further Q&A

Q: How can I uninstall the backup module?

A: There are different ways; unfortunately, which one works depends on your server configuration.
First way:

  1. Remove modules/backup with your FTP client.

  2. Create a new section in "Pages" of type "Code" with visibility "registered" (so that regular visitors cannot trigger it).
    In the code section paste:
    Code:

    $results = $database->query("delete FROM ".TABLE_PREFIX."addons WHERE name = 'backup'");
  3. Open the newly created page; this runs the PHP code, which removes the backup entry from the add-ons list.

  4. Remove the page with the Code section.

Second way:
Just uninstall the "backup" module under "Add-ons" -> "Modules" -> "deinstall module".

Q: Why is the backup module not being fixed?
A: The QA team has declared the module deprecated as of now. There are several reasons: a backup of the complete WB installation is of limited use because the module offers no easy way to upload (restore) the backup again, and it has further bugs with modern databases.

Q: Will there be a new method of backup?
A: Perhaps there will be one in the future, but that is by no means certain. From SVN revision 1308 (2.8.1) on there will be no official backup module for WebsiteBaker until we announce otherwise.

Q: How can I back up WebsiteBaker?
A: Your web host will certainly provide some database management tool, e.g. phpMyAdmin. Use it to back up your database. Also make sure to back up all other files on the server, such as /pages, /media, modules, templates and so on.

Acknowledgements
We want to thank pelotillehuito and FrankH for reporting the exploit and the QA team for the quick and clear reaction.

Michael Tenschert (WebsiteBaker Homepage Team)


Comments

Thanks for the heads up By Guest on 02.04.2010 at 21:34
It's great that this was identified and addressed quickly. Security vulnerability will continue to be everyone's biggest headache no matter what CMS we use. One of my big concerns about the restructuring within the WB development group is whether or not the new development team will be able to stay on top of security issues. This notice (and the follow-up fixed module released on April 2 at http://www.websitebakers.com/pages/admin/admin-tools/backup.php ) is a good sign.
What a relief! By Guest on 06.04.2010 at 05:02
It's good that we have these guys who are concerned about this project.
By Guest on 06.04.2010 at 20:39
When I try to remove the backup module in the add-ons I get the message: Can't remove the module.. :( HELP!
Solved By Guest on 06.04.2010 at 20:55
No more help needed ;) Just removed it through FTP and that worked.
Fix doesn't get applied By Guest on 08.04.2010 at 05:36
I installed the updated backup module over the existing module and got the message "Module Updated" but nothing had changed.

The uninstall module option doesn't work for the backup module.

It is pretty dumb that the password is stored in plain text in the database!
Password store By Guest on 11.04.2010 at 10:45
The password is not stored in plain text but in MD5 in the database. Just look at the SVN - a new solution will be available very soon, but it takes some time...
Security announcements as RSS feed By Guest on 14.04.2010 at 21:56
Any chance we can get this news as an RSS feed or as an email? The only reason I found out about this was when one of my client's sites got hacked; if I'd had forewarning I could have taken preventive action. If you need somebody to write some RSS code to help, let me know (website(dot)baker(at)websanity(dot)co(dot)uk). I'd like to be signed up for news like this (unless I'm missing a feed elsewhere or something).

Cheers,
Gerald
Older Versions??? By Guest on 23.04.2010 at 16:05
I have been handed a couple of sites still running 2.6.4. Do they have the vulnerability as well? Thanks!
CVE-2011-4322 By Guest on 21.11.2011 at 21:11
CVE-2011-4322 assigned for this issue.

Best regards,
Henri Salo
