By michael_s at 9 Nov 2009 - 7:02pm
A serious security vulnerability has been discovered in osCMax v2.0.3
and all prior versions. It is important that you follow the below
instructions carefully to secure your site. Failure to do so could
result in your site being breached by attack.
The following files must be removed from your site's administrative panel folder:

/admin/file_manager.php
/admin/define_language.php

Removing these files will close this vulnerability.

osCMax v2.0.4 has been posted to osCMax.com and the vulnerability has been patched. The security fix has also been added in SVN. It is recommended that all osCMax site owners remove these files immediately.
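The advisory above gives a two-file removal procedure. The following POSIX shell script is an added example (not part of the advisory, and not osCMax project code) that applies it and then verifies the result, so the same check can be re-run after an upgrade or on a site whose admin folder has been renamed. The document root and admin folder name are passed as arguments; the file names are the two the advisory lists. The demo at the bottom runs against a constructed temporary tree, not a real shop.

```shell
#!/bin/sh
# Added example: remove the two vulnerable osCMax admin scripts named in the
# advisory and verify they are gone. Assumptions (not from the advisory): the
# shop's document root and its (possibly renamed) admin folder are given as
# arguments; a missing admin folder is reported rather than silently skipped.

VULNERABLE_FILES="file_manager.php define_language.php"

# check_vulnerable_admin_files DOCROOT [ADMIN_DIR]
# Returns 0 if none of the listed files exist under DOCROOT/ADMIN_DIR, 1 otherwise.
# Useful on its own as a post-upgrade audit.
check_vulnerable_admin_files() {
    check_dir="$1/${2:-admin}"
    remaining=0
    for f in $VULNERABLE_FILES; do
        if [ -e "$check_dir/$f" ]; then
            echo "STILL PRESENT: $check_dir/$f" >&2
            remaining=$((remaining + 1))
        fi
    done
    [ "$remaining" -eq 0 ]
}

# remove_vulnerable_admin_files DOCROOT [ADMIN_DIR]
# Deletes each listed file if present, leaves everything else untouched, and
# returns 0 only when the follow-up check confirms none of them remain.
# Returns 2 when the admin folder itself cannot be found (wrong path or name).
remove_vulnerable_admin_files() {
    docroot=$1
    admin_dir=${2:-admin}
    target_dir="$docroot/$admin_dir"
    if [ ! -d "$target_dir" ]; then
        echo "admin folder not found: $target_dir" >&2
        return 2
    fi
    for f in $VULNERABLE_FILES; do
        path="$target_dir/$f"
        if [ -e "$path" ]; then
            rm -f -- "$path"
            echo "removed $path"
        else
            echo "already absent: $path"
        fi
    done
    check_vulnerable_admin_files "$docroot" "$admin_dir"
}

# Demo against a constructed fake shop tree (temporary directory, not a real install).
demo_root=$(mktemp -d)
mkdir -p "$demo_root/admin"
touch "$demo_root/admin/file_manager.php" \
      "$demo_root/admin/define_language.php" \
      "$demo_root/admin/index.php"
remove_vulnerable_admin_files "$demo_root" admin
rm -rf "$demo_root"
```

Run it as `sh remove_oscmax_admin_files.sh` after editing the demo section to point at the real document root, or source the file and call `remove_vulnerable_admin_files /var/www/shop myadmin` directly. The final check is what matters: a non-zero exit means one of the files is still reachable under the web root.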
Do we just need to remove those 2 files or do we have to install 2.0.4 as well? In the upgrade folder, I see 2 files - upgrade.php and an SQL file. Do we use this to upgrade from 2.0.3 to 2.0.4? It would be great if you can tell us how to update the site for newbies like me.
Thanks for the update.
Jay
Is this a temporary fix? I.e. are we looking at replacing the file manager?
Define Languages - I never use anyway - but I do use the File Manager quite a lot! Especially when helping other people with their sites ... saves having to ask for FTP details which they never have ...
Since the File Manager is stand alone could we not rename it to a complete random name? Which coupled with the rename of the Admin folder make it reasonably secure again?
Do you have any more details of the security hole?
Regards,