[phpbb.com...]
...one of the potential exploits addressed in this release could be serious in certain situations and thus we urge all users, as always, to upgrade to this release as soon as possible.
Download link here:
[phpbb.com...]
Note: it seems that the download isn't yet available from the mirrors, but it should be there soon.
After the rash of attacks and worms last time [webmasterworld.com], it is important to update installations as soon as possible. Even if the potential exploit has not been made public, it won't take long for someone to reverse engineer the patch and work out where the bug is. I would put money on there being a new worm starting to attack boards within the week if the bug is harmful enough.
There goes another evening... Good luck! :)
This spate of security updates for major forum packages shows that it's a good thing to disguise your forum as much as possible. "Powered by", version info, etc., all make a forum an easier target. I'd never rely purely on "security by obscurity", but every little barrier helps.
"Powered by", version info, etc., all make a forum an easier target.
But would it really help against attackers who use automated programs to try to obtain unauthorised access to a forum? They will just go for known filenames, like www.example.com/forum/memberlist.php, and it would not even matter if the file is there in the first place -- they can just scan all sites.
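The point above, that scanners request well-known forum script names whether or not the board exists, is something a server log will show. Added example, not from this thread: a small Python detector over constructed Apache combined-format log lines that flags clients receiving 404s for several known forum script paths; the IPs, paths and threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log lines (combined log format); not from any real server.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Dec/2004:02:11:03 +0000] "GET /forum/memberlist.php HTTP/1.0" 404 211 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Dec/2004:02:11:04 +0000] "GET /phpBB2/memberlist.php HTTP/1.0" 404 211 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Dec/2004:02:11:05 +0000] "GET /board/viewtopic.php HTTP/1.0" 404 211 "-" "Mozilla/4.0"
198.51.100.9 - - [10/Dec/2004:02:12:00 +0000] "GET /forum/viewtopic.php?t=12 HTTP/1.1" 200 8213 "http://example.test/forum/" "Mozilla/5.0"
198.51.100.9 - - [10/Dec/2004:02:12:09 +0000] "GET /forum/memberlist.php HTTP/1.1" 200 5120 "http://example.test/forum/" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# Script names a scanner typically probes for, regardless of whether a board is installed.
FORUM_SCRIPTS = {"memberlist.php", "viewtopic.php", "profile.php", "login.php"}


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Last path component without the query string, e.g. "memberlist.php".
    rec["script"] = rec["path"].split("?", 1)[0].rsplit("/", 1)[-1]
    return rec


def find_probing_clients(log_text, threshold=3):
    """Return {ip: [paths]} for clients that got a 404 on at least `threshold`
    distinct forum-script paths: a guess-the-board-location pattern, not normal use."""
    misses = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["script"] not in FORUM_SCRIPTS:
            continue
        if rec["status"] == 404:
            misses[rec["ip"]].append(rec["path"])
    return {ip: paths for ip, paths in misses.items() if len(set(paths)) >= threshold}


if __name__ == "__main__":
    for ip, paths in find_probing_clients(SAMPLE_LOG).items():
        print(ip, "probed", len(paths), "missing forum paths:", paths)
```

A 404 on a forum script means the request was a guess at the board's location rather than a link the user followed, which is exactly the behaviour the post describes and the kind of source worth blocking at the web server.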
They will just go for known filenames, like www.example.com/forum/memberlist.php, and it would not even matter if the file is there in the first place -- they can just scan all sites.
Exploitation of this vulnerability allows remote attackers to view arbitrary system files under the privileges of the underlying web server. An attacker must have, or be able to create an account on the target system. Non-default settings must also be enabled for exploitation to be possible.
Also:
"Enable remote avatars" and "Enable avatar uploading" must be enabled for the target to be vulnerable.
It sounds as if most installations would be unaffected by this vulnerability. That doesn't mean that you don't need to update, but there is a lesser need for urgency than for the 2.0.11 release. A simple workaround is to disable remote avatars and avatar uploading.
I updated with the patch file last night with no particular problems: a few hunk failures where I'd previously made big changes, but it was easy enough to add the missing patches manually with the help of the .rej files. Things should go smoothly in most cases.
Took me very little time to upgrade:
[phpbb.com...]
One thing that I like is having them send out notices about releases through their support forum. And it also tells you in the admin console with an easy link to update ;)