CiviCRM Community Forums (archive)

This forum was archived on 25 November 2017. Learn more.

Author Topic: Security and 4.2.7  (Read 613 times)

EdP

  • CiviCRM version: 4.4
  • CMS version: Joomla 2.5.x
Security and 4.2.7
January 05, 2013, 11:53:25 am
Hi, I got hacked yesterday despite running 4.2.7 - although this fix has been applied: http://issues.civicrm.org/jira/browse/CRM-11330

It looks as if the upgrade process did not delete the affected library so I was still vulnerable. My webhost picked it up and hopefully all is now well as I have deleted it manually. However, just thought it was worth reporting.

Ed

Edit: Perhaps I have misunderstood this as the library still seems to be in the 4.2.7 package?
« Last Edit: January 05, 2013, 12:59:31 pm by EdP »

Hershel

  • CiviCRM version: Latest
  • CMS version: Mostly WordPress and Drupal
Re: Security and 4.2.7
January 05, 2013, 04:23:09 pm
Hi. We did have two cases of hacks with sites we host, regarding this issue. The security issue is not the entire package, actually. The issue is just the file ofc_upload_image.php and that file is indeed not in 4.2.7 and so the issue was closed.

Donald Lobo

  • CiviCRM version: 4.2+
  • CMS version: Drupal 7, Joomla 2.5+
  • MySQL version: 5.5.x
  • PHP version: 5.4.x
Re: Security and 4.2.7
January 06, 2013, 09:13:14 am

Note that the upgrade does not delete any code files.

The upgrade instructions clearly state to:

1. move the old code to a different location outside the cms
2. use the new code

If u still have that file, it most likely means u r replacing the directory rather than following the instructions :)

lobo
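
Because the upgrade never deletes code files, unpacking a new release over the old directory keeps any file the new release dropped, such as the ofc_upload_image.php discussed in this thread. The following is an added example (not code from the thread or from the CiviCRM project) that lists such leftovers by comparing the installed tree with a freshly unpacked copy of the same release; the function names and the two directory arguments are assumptions.

```shell
#!/bin/sh
# Added example: find files left behind by an overwrite-style upgrade.
# Usage (paths are placeholders chosen by the admin):
#   sh stale_check.sh /path/to/installed/civicrm /path/to/fresh/unpacked/civicrm
# Assumes file names contain no newline characters.

# list_rel DIR: print every regular file under DIR as a sorted relative path.
list_rel() {
    (cd "$1" && find . -type f -print | LC_ALL=C sort)
}

# stale_files INSTALLED RELEASE: print files that exist in INSTALLED but are
# absent from RELEASE, i.e. code the new release no longer ships.
stale_files() {
    inst_list=$(mktemp) || return 2
    rel_list=$(mktemp) || { rm -f "$inst_list"; return 2; }
    list_rel "$1" > "$inst_list"
    list_rel "$2" > "$rel_list"
    # comm -23 keeps only lines unique to the first (installed) list.
    LC_ALL=C comm -23 "$inst_list" "$rel_list"
    rm -f "$inst_list" "$rel_list"
}

# has_leftover INSTALLED RELEASE NAME: succeed if a stale file whose base name
# is exactly NAME is still present in INSTALLED.
has_leftover() {
    stale_files "$1" "$2" |
        awk -F/ -v n="$3" '$NF == n { found = 1 } END { exit !found }'
}

# Run the comparison when two directories are given on the command line.
if [ "$#" -eq 2 ]; then
    stale_files "$1" "$2"
    if has_leftover "$1" "$2" ofc_upload_image.php; then
        echo "WARNING: ofc_upload_image.php is still present" >&2
    fi
fi
```

Any path it prints is code the current release does not ship and should be reviewed before the site is considered upgraded.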

This forum was archived on 2017-11-26.