Posts: 1,848
Threads: 86
Joined: Aug 2009
Until we have this fixed with the 3.0 release, please delete /admin/upload-ajax.php from any and all of your installations of GetSimple.
Some hacksters found a way to upload a file without being logged in - not sure how yet, but right now, this is the best way to avoid being hacked.
Sorry about this, but some people have to try and ruin it for everyone... More to come shortly...
- Chris
Thanks for using GetSimple! - Download
Please do not email me directly for help regarding GetSimple. Please post all your questions/problems in the forum!
Posts: 105
Threads: 10
Joined: Dec 2009
just delete this file ?
no problem with GS after this ?
Posts: 1,848
Threads: 86
Joined: Aug 2009
yep - as far as I know right now
- Chris
Thanks for using GetSimple! - Download
Please do not email me directly for help regarding GetSimple. Please post all your questions/problems in the forum!
Posts: 1,848
Threads: 86
Joined: Aug 2009
http://code.google.com/p/get-simple-cms/..._svn204_34
instead of deleting upload-ajax.php you can also make the change above to your cookie_functions.php file.
- Chris
Thanks for using GetSimple! - Download
Please do not email me directly for help regarding GetSimple. Please post all your questions/problems in the forum!
Posts: 196
Threads: 16
Joined: Mar 2010
Chris is this notice just for 2.03 or also anything below 2.03?
Posts: 1,848
Threads: 86
Joined: Aug 2009
2.03, but anything below could be effected too.
But to be honest, with almost every release of GS, we've fixed some type of vulnerability... so 2.01 was already insecure to a point.
- Chris
Thanks for using GetSimple! - Download
Please do not email me directly for help regarding GetSimple. Please post all your questions/problems in the forum!
Posts: 290
Threads: 26
Joined: Oct 2010
ccagle8 Wrote:http://code.google.com/p/get-simple-cms/..._svn204_34
instead of deleting upload-ajax.php you can also make the change above to your cookie_functions.php file.
Replacing the function using the SVN code:
Code: function kill_cookie($identifier) {
global $SALT;
$saltCOOKIE = sha1($identifier.$SALT);
if (isset($_COOKIE[$saltCOOKIE])) {
if ( defined('GSCOOKIEISSITEWIDE') && (GSCOOKIEISSITEWIDE == TRUE) ) {
$_COOKIE[$saltCOOKIE] = FALSE;
setcookie($saltCOOKIE, FALSE, time() - 3600,'/');
} else {
$_COOKIE[$saltCOOKIE] = FALSE;
setcookie($saltCOOKIE, FALSE, time() - 3600);
}
}
}
gives me:
Quote:Parse error: syntax error, unexpected T_IF in /home/cartocop/testbed/admin/inc/cookie_functions.php on line 41
Line 41 is the "if defined" line.
Any other suggestions?
-Rob A>
Posts: 1,848
Threads: 86
Joined: Aug 2009
I just fixed gs.info and i am not getting that error... can you verify you copied the right code (w/o line numbers etc.)?
http://get-simple-cms.googlecode.com/svn...ctions.php
- Chris
Thanks for using GetSimple! - Download
Please do not email me directly for help regarding GetSimple. Please post all your questions/problems in the forum!
Posts: 290
Threads: 26
Joined: Oct 2010
2011-02-16, 08:45:31
(This post was last modified: 2011-02-16, 08:46:14 by Chastin3.)
ccagle8 Wrote:I just fixed gs.info and i am not getting that error... can you verify you copied the right code (w/o line numbers etc.)?
http://get-simple-cms.googlecode.com/svn...ctions.php
Thanks for the direct link. I got it from here initially:
http://code.google.com/p/get-simple-cms/...php?edit=1
I'm guessing copying from there introduced some non-printing characters.
Posts: 149
Threads: 12
Joined: Dec 2009
thx !
is this vulnerability present in 2.04 beta too?
and, by the way, why don't you setup a security announce mailing list ?
Posts: 75
Threads: 9
Joined: Mar 2010
Will there be 2.03 security release?
Posts: 1,848
Threads: 86
Joined: Aug 2009
The current svn is fixed. I will release 2.03.1 early today as a quick security release. I will also cut a new beta release that takes into effect the latest svn fix as well.
- Chris
Thanks for using GetSimple! - Download
Please do not email me directly for help regarding GetSimple. Please post all your questions/problems in the forum!
Posts: 1,848
Threads: 86
Joined: Aug 2009
The downloads have been udpated, and the new stable version is 2.03.1. If you don't feel like upgrading, you can just make the change mentioned here.
- Chris
Thanks for using GetSimple! - Download
Please do not email me directly for help regarding GetSimple. Please post all your questions/problems in the forum!
Posts: 1,204
Threads: 30
Joined: Jun 2010
marrco Wrote:thx !
is this vulnerability present in 2.04 beta too?
and, by the way, why don't you setup a security announce mailing list ?
I see that 2.04b contains fixed kill cookie function, so no worries.
Addons: blue business theme, Online Visitors, Notepad
Posts: 1,848
Threads: 86
Joined: Aug 2009
well, 2.04B became 3.0 after we decided that there were just too many updates in it to make it a minor release. So to be honest, 2.04 was always BETA, and will never be a real release.
3.0 should be fixed now... as well as the 2.03.1 patch release that was just sent out
- Chris
Thanks for using GetSimple! - Download
Please do not email me directly for help regarding GetSimple. Please post all your questions/problems in the forum!
Posts: 7
Threads: 4
Joined: Nov 2009
If I simply delete /admin/upload-ajax.php then the upload-functionality won't work anymore, right?
Posts: 1,848
Threads: 86
Joined: Aug 2009
yes, thats the only part of the installation that wouldnt work. You can also make this change in lieu of deleting that file...
- Chris
Thanks for using GetSimple! - Download
Please do not email me directly for help regarding GetSimple. Please post all your questions/problems in the forum!
Posts: 7
Threads: 2
Joined: Jan 2011
Is there a way to subscribe to such emergency situations? Email or RSS...
It should prevent mass site hacking in future 
I had to remove "Powered by GetSimple" due to this issue - to prevent the google-hackers from finding my site in such occasions.
The drawback is if the vulnerability is "private", then, by publishing security fix, it will become public.
|
Download
