
Thread: Security Notice : osCMax 2.0.4 Released

  1. #11
    ridexbuilder (osCMax Development Team)

    Re: Security Notice : osCMax 2.0.4 Released

    Welcome to the party Nimitz (a frequent/respected member of the CRE community).
    There is a 'developers' forum here. Perhaps Michael will shed some light on it.

    Developers resource at bitbucket
    *** *** ***
    oscmax.co.uk / ejsolutions.co.uk
    Hosting plans with installation, configuration, contributions, support and maintenance.
    *** FREE osCmax hosting available ***
    oscmaxtemplates.com

  2. #12
    MindTwist (Active Member)

    I find it strange that no one has asked this... But, if you have passworded the admin folder with htaccess, shouldn't those two files be kinda safe from anyone, unless they first get to break the htaccess level password?

  3. #13
    ridexbuilder (osCMax Development Team)

    Quote Originally Posted by MindTwist:
        I find it strange that no one has asked this... But, if you have passworded the admin folder with htaccess, shouldn't those two files be kinda safe from anyone, unless they first get to break the htaccess level password?
    TBH, it's the very 1st thing that occurred to me but I guess not everyone implements directory protection, so at least the vulnerability is gone 'out-of-the-box'.

    [Let's face it - if they break into .htaccess protection, except for a crappy password, then you have other major issues ]


  4. #14
    MindTwist (Active Member)

    Quote Originally Posted by ridexbuilder:
        [Let's face it - if they break into .htaccess protection, except for a crappy password, then you have other major issues ]
    That's what I was wondering... If they manage to find out my htaccess password, then I would have a lot more to worry about. And unless they get past it, I do not think anyone would be able to do anything with those two files, no matter if they are buggy or not.

  5. #15
    michael_s (osCMax Developer)

    Because of how many unsecured sites are out there, and the large amount of people that run stores without updating, I am not going to publicly discuss the specifics of the vulnerability.

    It is not a new issue, and the hole that allows access to the file manager was closed in v2.0.3, so osCMax v2.0.3 and v2.1 were already patched against the known problem that allowed unprivileged access to the file manager.

    The reason for this update is the file manager itself, and that is about all I am going to say about it. When it is fixed, it will be returned to the package. In its present form, it is simply too risky to have it present. Additional measures must be added to the file itself to keep it from being so easily misused.


    Quote Originally Posted by MindTwist:
        That's what I was wondering... If they manage to find out my htaccess password, then I would have a lot more to worry about. And unless they get past it, I do not think anyone would be able to do anything with those two files, no matter if they are buggy or not.
    This is actually at the heart of the problem. While it should be standard practice to use .htaccess, if you don't, there should not be fatal repercussions.
    Michael Sasek


  6. #16
    MindTwist (Active Member)

    Quote Originally Posted by michael_s:
        This is actually at the heart of the problem. While it should be standard practice to use .htaccess, if you don't, there should not be fatal repercussions.
    Good to know, so if we have the admin folder secured via htaccess, we should be safe? (those files will still be bugged, I know, but they won't be accessible to the public)

    Thanks Michael!

  7. #17
    Nimitz_1061 (Guest)

    Quote Originally Posted by MindTwist:
        Good to know, so if we have the admin folder secured via htaccess, we should be safe? (those files will still be bugged, I know, but they won't be accessible to the public)

        Thanks Michael!
    Not necessarily.

    The security provided by the htpasswd system may or may not be transmitted securely. The most common implementations are generally NOT secure in transmission. That the password is exchanged in the clear compounds the issue. Basically, htpasswd usage is a thin reed on which to base your security, particularly when you rely on the control panel for implementation.


    David
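David's point above is that HTTP Basic authentication (what an htpasswd-protected folder uses) only base64-encodes the user name and password, so over plain HTTP anyone able to observe the traffic can read the credential. The two .htaccess fragments below are an added example, not configuration taken from osCMax or from any poster in this thread: the first is the common weak setup, the second refuses plain HTTP for the admin directory before a credential is ever requested. The AuthName text and the /var/www/private/.htpasswd path are assumed placeholders.

```apache
# --- Weak: what "password the admin folder with htaccess" usually looks like ---
# Basic auth makes the browser send "Authorization: Basic base64(user:password)"
# with every request. Base64 is encoding, not encryption: on an http:// URL the
# password is readable by anyone on the network path.
AuthType Basic
AuthName "Store Administration"
# Placeholder path; keep the password file outside the document root.
AuthUserFile /var/www/private/.htpasswd
Require valid-user

# --- Hardened: same directory, but plain HTTP is refused outright (needs mod_ssl) ---
# SSLRequireSSL answers any non-HTTPS request with 403 and no WWW-Authenticate
# challenge, so a browser arriving over http:// is never prompted and therefore
# never sends the credential in the clear. Authentication only happens inside TLS.
SSLRequireSSL
AuthType Basic
AuthName "Store Administration"
AuthUserFile /var/www/private/.htpasswd
Require valid-user
```

Use only one of the two stanzas in a given .htaccess. The hardened form assumes the store already has a working https:// virtual host, since the admin directory becomes unreachable over http:// by design. When creating the password file, prefer bcrypt hashes (htpasswd -B, available in Apache 2.4 and later) so that a stolen .htpasswd is not cheaply reversed; this protects the stored secret, while SSLRequireSSL protects it in transit, and the two address different risks.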

  8. #18
    Cameron (Guest)

    You need to add something so the top of my osCMax can say v2.0.4 instead of this lousy v2.0.3

  9. #19
    GraGra (Guest)

    It may be related to this or something else, but my OscMax web site has been sending spam to customers from the online database for the last 2 days.
    I have fixed this bug, removed some suspicious files, and changed the FTP and database passwords for the web site, but the spam is still coming. What should I do next? I can post the code from the suspicious files if this helps.

  10. #20
    pgmarshall (osCMax Development Team)

    If your site is sending unsolicited emails then you have been hacked.

    Please read the Wiki on what to do next.

    Regards,
    pgmarshall
