Security Fix for 2.5

posted on: 27.04.2009

News: BUG

Thanks to the BIGACE users merpil and gernot, a dangerous SQL injection was found and has already been fixed today. Please download and install the patch matching your system to make sure your authentication system is not vulnerable to this zero-day exploit.

This bug was not published anywhere else before, so you should be safe if you install the patch right away.

Patch Download

Please download the patch for your system:

Install Patch

Open your BIGACE administration and go to Extensions / Administration.

Select the downloaded file from your computer and upload it to BIGACE. Make sure the checkbox "Upload & Install" is checked:

Click upload. Once the patch has been installed automatically, your system is safe. If you cannot use the remote installer, read the wiki page about FTP updates.

Background

This bug has existed since 2.4. In BIGACE 2.4 it was only usable on PHP systems set to "magic_quotes_gpc = Off", whereas most systems have it set to "On". With the code changes for BIGACE 2.5, which were necessary for compatibility with the upcoming PHP 6, the bug became widely usable, so even systems with deactivated magic_quotes were attackable.

The only requirement was to know the username of an account with enough permissions, so all systems using the default username "admin" were in high danger.
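The dependency described above, modelled as an added example (not BIGACE's code, which this page does not show): a hypothetical login lookup built by string concatenation is only as safe as the escaping applied upstream, while bound parameters do not depend on it. Python with SQLite is used so it runs offline; the table, function names and inputs are constructed, and magic_quotes_gpc is simulated by quote doubling.

```python
import sqlite3

CRAFTED_USER = "admin' --"  # constructed input: closes the string, comments out the rest


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, pw_hash TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)", ("admin", "constructed-hash"))
    return db


def request_input(raw, magic_quotes_on):
    # Stand-in for PHP's magic_quotes_gpc: when On, the runtime escapes quotes
    # in request data before the application sees it. PHP prefixes a
    # backslash; SQLite has no backslash escapes, so the quote is doubled here.
    return raw.replace("'", "''") if magic_quotes_on else raw


def login_concat(db, username, pw_hash):
    # Hypothetical login check that builds SQL by string concatenation.
    # Its safety depends entirely on how the input was treated upstream.
    sql = "SELECT 1 FROM users WHERE name = '%s' AND pw_hash = '%s'" % (username, pw_hash)
    return db.execute(sql).fetchone() is not None


def login_param(db, username, pw_hash):
    # Bound parameters: the driver passes values as data, never as SQL text.
    sql = "SELECT 1 FROM users WHERE name = ? AND pw_hash = ?"
    return db.execute(sql, (username, pw_hash)).fetchone() is not None


def demo():
    db = make_db()
    wrong = "not-the-hash"
    return {
        "concat, magic_quotes On": login_concat(db, request_input(CRAFTED_USER, True), wrong),
        "concat, magic_quotes Off": login_concat(db, request_input(CRAFTED_USER, False), wrong),
        "bound, magic_quotes Off": login_param(db, request_input(CRAFTED_USER, False), wrong),
        "bound, valid credentials": login_param(db, "admin", "constructed-hash"),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: login {'accepted' if accepted else 'rejected'}")
```

Only the concatenated query with unescaped input accepts the login without the correct password hash; the bound-parameter version rejects it under either setting.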

Credits

Big thanks to merpil. He worked together with me, gave me insights into his website, log files and time to find out what's going on while his website was defaced twice.

@Defacement crew who originally found that bug: Sorry, not a Zero-Day-Exploit anymore. I would have given you the credibility and probably even a backlink if you had come to me in the first place, but using your knowledge to destroy other people's work is just stupid behaviour...

The initial discussion thread can be found in the BIGACE forum (only in German).
