[News]

News: 2.1.5 has been released.  Visit the portal or SourceForge page to download

[HCL Admin]

It appears that there maybe a security issue with certain administrative files on all recent versions of HCL.  We are aware of the issue, and are working to expedite a fix for these issues.  I should have at least a hotfix tonight, and a new version up in a few days with the security patch installed on the sourceforge page.

This issue is detailed here and may cause the admin to be locked out, or for your HCL install to be hacked.  Until the hotfix is released (in the next few hours) I recommend putting an .htaccess in your admin folder such as this:

Code: (.htaccess)

Order Deny, Allow
Deny from all
Allow from 000.000.000.000

Change the 000.000.000.000 to your IP address.  If you need multiple address' then separate each address with a space.
This is on necessary until the hotfix is released, again, this should be sometime this morning (Friday, August 17th)

Remember, if you hear of ANY security related issue with HCL, Please, please, please let us know.  These types of issues can cause serious repercussions for others. 

[HCL Admin]

Here is the hotfix file, which I shall be posting on the portal page in a few minutes, simply extract the auth.php file from the archive and replace the hcl/class/auth.php on your webserver.

NOTE:  This hotfix is untested at this time, and while it should cause no problems, there may be issues with it.

Frankly the fix involved adding one line to the auth.php code, a simple exit statement appears to have been missing.  Please, if your using 2.1.2, 2.1.3, 2.1.3a, or 2.1.4, replace the auth.php with the one attached to this message. 
 

Again, remember, if you spot even a suspected vulnerability, please at least PM me a message about it, or post on the forums here.  I'd rather chase a few wild geese then have even on vulnerability out in the wild.

Edit: Doh, I forgot to add the file...

[HCL Admin]

As a further note, I'll be releasing another version (2.1.5) this weekend or Monday, Because of the potential of this security fix, I'd rather bump another version number due to it.

[beLite]

As a further note, I'll be releasing another version (2.1.5) this weekend or Monday, Because of the potential of this security fix, I'd rather bump another version number due to it.

You should hurry up since Windows IIS is not able to read those @#$@ing .htaccess files.. No really, take your time

[HCL Admin]

Hehehe, I was just working on the transcript garbling issue, I'll either get it today or not, either way I'm pushing 2.1.5 out the door since I don't like the current release having a security issue.

[victor]

great, so we must wait for 2.1.5 correction... do you have any temptative date of release it?

thanks! 

[HCL Admin]

Should be this morning sometime.

[HCL Admin]

Ok, might be just a tad longer, the route to my datacenter is down, the ISP knows about it, now I just have to wait until it's back up.  This is where the SVN is stored and I've never had an issue like this before, so we just need to be patient.  I'm going to take the uncommited sources and work on the demo site here in the mean time.