
security exploit

Something bad going on with PHP-Fusion

Bryan's picture

Yesterday, PHP-Fusion announced that someone had hacked into their site and changed the download link for PHP-Fusion Version 7.

Hello all,

We had an issue a few days ago where a malicious person gained access to our site as a super administrator via a weak account/gained password. They apparently changed the download link of PHP-Fusion version 7 to sendspace and it was packaged as a .rar file.

If you downloaded one of these files, please reinstall your entire site using a fresh copy from SourceForge.

While this isn't a good thing, it is a positive that PHP-Fusion disclosed the possibility that the link led to a version of PHP-Fusion that may have been maliciously changed. I can recall a number of other projects (open source and proprietary) that have had their source code tampered with by someone intruding into their servers. What is always important to users in these cases is disclosure and transparency. So far, PHP-Fusion seems to be doing the right thing.

However, as of this Thursday morning, it looks like PHP-Fusion's hosting company has suspended their account. At the time of this writing, no word has been given as to the reason for the suspension. I suspect the suspension is likely to be security related. Perhaps we'll see an announcement at SourceForge on the status of PHP-Fusion if their home site doesn't come back online soon.
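The PHP-Fusion incident above came down to a swapped download link: the same release name, but served from a third-party file host and packaged in a format the project doesn't ship. As an added example (not code from PHP-Fusion or from this post), here is a small Python check a site owner can run on a downloaded release before installing it: it compares the link's host against the hosts the project is known to publish from, rejects archive formats the project doesn't use, and verifies the SHA-256 against a checksum obtained from a channel the attacker could not have edited. The host list, suffix list, URLs and archive bytes are assumed placeholders, not PHP-Fusion's real values.

```python
import hashlib
from urllib.parse import urlparse

# Hosts the project is known to publish releases from (assumed placeholder set).
ALLOWED_HOSTS = {"sourceforge.net", "downloads.sourceforge.net"}
# Archive formats the project actually ships; the tampered PHP-Fusion package was a .rar.
ALLOWED_SUFFIXES = (".zip", ".tar.gz")


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the downloaded archive bytes as a lowercase hex string."""
    return hashlib.sha256(data).hexdigest()


def check_release_download(url: str, data: bytes, expected_sha256: str) -> list[str]:
    """Return a list of findings; an empty list means the download passed every check.

    expected_sha256 must come from somewhere the attacker could not have edited,
    e.g. a signed release announcement or a mirror separate from the project site.
    """
    findings = []
    parsed = urlparse(url)
    host = parsed.netloc.lower()
    if host not in ALLOWED_HOSTS:
        findings.append(f"download host {host!r} is not one the project publishes from")
    filename = parsed.path.rsplit("/", 1)[-1]
    if not filename.lower().endswith(ALLOWED_SUFFIXES):
        findings.append(f"archive {filename!r} is not a format the project ships")
    actual = sha256_hex(data)
    if actual != expected_sha256.strip().lower():
        findings.append(f"checksum mismatch: got {actual[:12]}..., expected {expected_sha256[:12]}...")
    return findings


# Constructed sample input: stands in for the real archive bytes and their published checksum.
SAMPLE_ARCHIVE = b"PK\x03\x04 constructed archive contents"
SAMPLE_SHA256 = sha256_hex(SAMPLE_ARCHIVE)
GENUINE_URL = "https://downloads.sourceforge.net/project/example/release-7.zip"
# Shape of the swapped link in the incident: third-party file host, different packaging.
SWAPPED_URL = "http://files.example.net/dl/release-7.rar"


if __name__ == "__main__":
    print("genuine:", check_release_download(GENUINE_URL, SAMPLE_ARCHIVE, SAMPLE_SHA256))
    print("swapped:", check_release_download(SWAPPED_URL, b"not the release", SAMPLE_SHA256))
```

The checksum comparison is the check that matters; the host and suffix checks only catch the clumsy version of the swap, since an attacker who can edit the download link can usually also upload a correctly named archive.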

Technorati ignoring vulnerable Wordpress blogs


A couple of months ago, Technorati announced that users of Wordpress needed to upgrade to the latest available version (now at Version 2.5). This week, Technorati announced that blogs remaining vulnerable to identified security exploits may no longer be indexed by their service.

Because of this ongoing problem, we're discontinuing processing crawls of blogs that exhibit common symptoms of being compromised. We strongly recommend upgrading your WordPress installation. Even if you haven't been afflicted by a compromise, by the time you are aware that you have been a number of negative consequences may have already occurred (for instance, flagged spam by Technorati, Google or Yahoo!) -- this has been reported by many WordPress users.

By not upgrading your software, the search engine services may block your site from being listed. I can't think of a greater incentive to update your content management software to the latest version than the threat of being delisted. This is a bold move by Technorati. I'm personally glad Technorati is taking a stand against sites hosting older versions of Wordpress with the known security holes. In my opinion, there really isn't a good reason you shouldn't be upgrading your Wordpress site to the latest version.

Serendipity 1.3 Released


Serendipity 1.3 has been released. This new version of the blogging application introduces 41 changes. Not only are enhancements and additional features introduced, but also changes to address a nasty cross-site scripting issue (security exploit).

Some of the more significant features and enhancements in Serendipity 1.3 include:

  • The karma rating plugin has been upgraded to support nice, CSS-based rating graphics (see this post), along with an overall overhaul of its code.
  • The Spartacus plugin can now use FTP upload, a workaround for PHP safe mode restrictions. A remote backend for plugin update checks has also been added.
  • Import scripts for phpNuke and LifeType.

MediaWiki: Security and Bugfix Release


Updated versions of MediaWiki addressing some security issues have been released: MediaWiki 1.11.1, 1.10.3, and 1.9.5.

This is a security and bugfix release of the Fall, Spring, and Winter 2007 snapshot releases of MediaWiki. A potential XSS injection vector affecting api.php only for Microsoft Internet Explorer users has been closed.

To work around the vulnerability without upgrading, you may disable the API if you don't need it:

$wgEnableAPI = false;


Updates for Wordpress and XOOPS


Yes, Wordpress and XOOPS are two completely separate projects, but they do have at least one thing in common. Both Web applications were updated this past week to address known security vulnerabilities.