A route to one of the three exploits we patched was found remaining in a handful of the sources/page_*.php files. We had fixed them to guard against the exploits when correctly included from the main index.php, but not when included directly, which left them open. The particular exploit allowed remote code to be executed on the server holding Moa, but only if two out-dated options were turned on (against the defaults) or a very old 4.x version of PHP was in use. PHP 5.3+ has had the main offending option removed completely, as it was a common security issue. A bug affecting fresh installs was also found and corrected.


Many thanks to Sven over at secunia.com for pointing out these remaining holes.


The new downloads can be found on our Sourceforge page as usual, or direct links are here -


As before, just upload over the top of 1.2.0 or 1.2.0a; no upgrade step is needed. If you have an earlier version of Moa, upload and then follow the update link at the top of the page. No new features are added over the default 1.2.0 install; this is purely a security release. Make sure you set permissions to allow the web server user to write to ./images and ./images/thumbs after you copy the new version, or you may have problems uploading new pictures. The upgrade will check for this from version 1.2.1 onwards, but the check is not present in 1.2.0.


A note for any future security issues. We do expect users to have a reasonably up-to-date server environment. Web hosts should already have the dangerous options turned off and be using a recent web server release. If you have your own server or VPN, then it is pretty easy to upgrade and change php.ini (the two options to turn off are register_globals and allow_url_include) to secure yourself.
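As an added illustration (not Moa's own code) of the two points above, a guard that makes an included page file refuse direct requests, plus an administrator's check for the two php.ini options named here. The constant name MOA_ENTRY, the page whitelist and the file names are assumptions made for the example.

```php
<?php
// Added example, not Moa's code. Shown as two files in one listing.

// ----- file: index.php (the only intended entry point) -----
// The constant name is an assumption; any agreed sentinel will do.
define('MOA_ENTRY', true);

// Resolve the requested page against a fixed whitelist. Nothing taken
// from the request is ever used as a path, so even with register_globals
// or allow_url_include still on, no remote or arbitrary file is included.
$pages = array(
    'home'  => 'sources/page_home.php',
    'album' => 'sources/page_album.php',
);
$page = (isset($_GET['page']) && isset($pages[$_GET['page']]))
      ? $_GET['page'] : 'home';
require dirname(__FILE__) . '/' . $pages[$page];

// ----- file: sources/page_home.php (first lines of every page_*.php) -----
// The fix described in the post only took effect when the file was reached
// through index.php. This check lives in the page file itself, so a direct
// request for /sources/page_home.php stops before any page code runs.
if (!defined('MOA_ENTRY')) {
    header('HTTP/1.1 403 Forbidden');
    exit('Direct access to this file is not permitted.');
}
// ... page contents follow ...

// ----- file: checkenv.php (run once by the administrator, then delete) -----
// Reports whether the two options the post names are off. register_globals
// no longer exists on current PHP, so ini_get() returns false: that is "off".
function moa_option_is_off($name)
{
    $value = ini_get($name);
    return $value === false || $value === '' || $value === '0'
        || strtolower($value) === 'off';
}
foreach (array('register_globals', 'allow_url_include') as $name) {
    printf("%-18s %s\n", $name,
        moa_option_is_off($name) ? 'off (ok)' : 'ON - set to Off in php.ini');
}
if (version_compare(PHP_VERSION, '5.3.0', '<')) {
    echo 'PHP ' . PHP_VERSION . " is out of date; upgrade.\n";
}
```

The corresponding php.ini lines are `register_globals = Off` and `allow_url_include = Off`; remove checkenv.php once you have confirmed the result.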

If new Moa exploits are found that rely on known and fixable PHP/Apache flaws such as register_globals, and a new Moa release is coming within a few weeks, we will most likely wait and put the fixes directly into that release rather than issue a patch.

If the next update is going to be a while away, or the issue affects up-to-date servers, then we will put out a patch ASAP, like the current one.

Either way, we will pass on information about possible exploits if and when we find out about them. Of course, bugs in Moa will have a patch if needed.


If anyone finds any new problems, feel free to let us know via e-mail.
