WARNING - Fleixcontent contains serious security issue

More
14 years 2 months ago #11073 by cden
We have recently had the same warning as mentioned previously on this forum regarding the included phpthumb which is part of the flexicontent installation.

Our hosting provider, has referred us to the National Vulnerability Database which points out that the version of phpthumb being used by Flexicontent has a severe vulnerabilty (as our website was hacked through that).

Therefore, it is critical that this is no longer used with flexicontent until a fix has been provided.

I advise people to not download flexicontent until this has been resolved.

See this advisory:-
web.nvd.nist.gov/view/vuln/detai ... -2010-1598

Please Log in or Create an account to join the conversation.

More
14 years 2 months ago #11074 by micker
hello thaks for your return but ... it's a phptumbs probleme it si to hard to say

cden wrote: I advise people to not download flexicontent until this has been resolved.

but we try to change phptumb version
regards

FLEXIcontent is Free but involves a very big effort on our part.
Like the our support? (for a bug-free FC, despite being huge extension) Like the features? Like the ongoing development and future commitment to FLEXIcontent?
-- Add your voice to the FLEXIcontent JED listing reviews. Thanks![/size]

Please Log in or Create an account to join the conversation.

More
14 years 2 months ago #11079 by cden
sure, i understand this is a phpthumb problem - apparantly this issue is easy to solve by removing the fltr[] scripts. However, as I do not code php it is a little bit out of my realm.

However also, as this is bundled with Flexicontent, i would still recommend that people do not install any joomla extension that contains vulnerabilities and that Flexicontent may need to be added to the VEL (joomla Vulnerable Extensions List) which I'm sure Brian Teeman would quickly be doing if he discovered this!

Please Log in or Create an account to join the conversation.

More
14 years 2 months ago #11084 by effrit
cden, thanks for posting.
but solution "do not install flexicontent" becose of this is too rushed.
for example, on my site this library worked only for creat thumbs when tags navigation used - i am didnt use built-in image field.
so... i just remoove this library from hosting and my site still works :)

Please Log in or Create an account to join the conversation.

More
14 years 2 months ago #11089 by veeco
it is better to find solution rather than throw away the component... anybody got solution for this ?

Please Log in or Create an account to join the conversation.

More
14 years 2 months ago #11092 by kenmcd

cden wrote: . . Flexicontent may need to be added to the VEL (Joomla Vulnerable Extensions List) which I'm sure Brian Teeman would quickly be doing if he discovered this!

FLEXIcontent 1.5.3c also includes chmod 777.
That would be sure to raise Brian's ire. ;)
I manually change this chmod code before installing on a public website.


Has anyone seen a code fix for this?
There is nothing on the phpThumbs website.

Awhile back I did make my own phpThumbs 1.7.10 - updated for PHP 5.3.
Found that fix somewhere . . .


EDIT, found a security fix here:
modxcms.com/forums/index.php/topic,54874...16279.html#msg316279
The downside is it is different for Linux and Windows servers.

If anyone finds a better/different fix, please post.

.

Please Log in or Create an account to join the conversation.

Moderators: vistamediajoomlacornerggppdk
Time to create page: 0.466 seconds
Save
Cookies user preferences
We use cookies to ensure you to get the best experience on our website. If you decline the use of cookies, this website may not function as expected.
Accept all
Decline all
Essential
These cookies are needed to make the website work correctly. You can not disable them.
Display
Accept
Analytics
Tools used to analyze the data to measure the effectiveness of a website and to understand how it works.
Google Analytics
Accept
Decline