Help Center Live Community
Topic: Potential Security Issue in 2.1.4 and earlier versions.
HCL Admin
« on: August 17, 2007, 07:19:22 AM »

It appears that there may be a security issue with certain administrative files on all recent versions of HCL.  We are aware of the issue, and are working to expedite a fix for these issues.  I should have at least a hotfix tonight, and a new version up in a few days with the security patch installed on the SourceForge page.

This issue is detailed here and may cause the admin to be locked out, or for your HCL install to be hacked.  Until the hotfix is released (in the next few hours) I recommend putting an .htaccess in your admin folder such as this:

Code: (.htaccess)
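# Deny everyone, then allow only the listed address (Order takes no space after the comma)
Order Deny,Allow
Deny from all
# Replace with your own IP address
Allow from 000.000.000.000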

Change the 000.000.000.000 to your IP address.  If you need multiple addresses then separate each address with a space.
This is only necessary until the hotfix is released; again, this should be sometime this morning (Friday, August 17th).

Remember, if you hear of ANY security related issue with HCL, please, please, please let us know.  These types of issues can cause serious repercussions for others.
« Last Edit: August 17, 2007, 07:36:45 AM by mlzhosting »

how may I help you today?
HCL Admin
« Reply #1 on: August 17, 2007, 08:03:24 AM »

Here is the hotfix file, which I shall be posting on the portal page in a few minutes. Simply extract the auth.php file from the archive and replace the hcl/class/auth.php on your webserver.

NOTE:  This hotfix is untested at this time, and while it should cause no problems, there may be issues with it.

Frankly the fix involved adding one line to the auth.php code, a simple exit statement appears to have been missing.  Please, if you're using 2.1.2, 2.1.3, 2.1.3a, or 2.1.4, replace the auth.php with the one attached to this message.

Again, remember, if you spot even a suspected vulnerability, please at least PM me a message about it, or post on the forums here.  I'd rather chase a few wild geese than have even one vulnerability out in the wild. :)

Edit: Doh, I forgot to add the file...
« Last Edit: August 17, 2007, 08:17:31 AM by mlzhosting »
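
Added example, not part of the original post and not HCL's auth.php: why a missing exit in an access check matters. The post does not show the patched line, so the redirect to login.php, the function names and the session key below are assumptions chosen for illustration.

```php
<?php
// Hypothetical guards for illustration; names and redirect target are assumptions.

// Guard with the exit missing: the redirect header is queued,
// but PHP keeps executing whatever follows the call.
function require_admin_without_exit(array $session): void
{
    if (empty($session['is_admin'])) {
        header('Location: login.php');
    }
}

// Same guard with the one-line fix: stop the request once the redirect is set.
function require_admin(array $session): void
{
    if (empty($session['is_admin'])) {
        header('Location: login.php');
        exit;
    }
}

// Constructed input: an unauthenticated visitor with an empty session.
$session = [];
$useFixed = ($argv[1] ?? '') === 'fixed';

// Report at shutdown, because exit ends the script before any later line runs.
$adminCodeRan = false;
register_shutdown_function(function () use (&$adminCodeRan) {
    echo $adminCodeRan
        ? "admin code executed for unauthenticated request\n"
        : "request stopped at the guard\n";
});

if ($useFixed) {
    require_admin($session);
} else {
    require_admin_without_exit($session);
}

// Stand-in for the administrative page body the guard is meant to protect.
$adminCodeRan = true;
```

Run from the PHP command line with no argument to see the guard fall through, and with the argument `fixed` to see the request stop at the guard.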

HCL Admin
« Reply #2 on: August 17, 2007, 02:55:55 PM »

As a further note, I'll be releasing another version (2.1.5) this weekend or Monday. Because of the potential of this security fix, I'd rather bump another version number due to it.

belite
Guest
« Reply #3 on: August 26, 2007, 12:46:17 AM »

Quote from: HCL Admin
As a further note, I'll be releasing another version (2.1.5) this weekend or Monday. Because of the potential of this security fix, I'd rather bump another version number due to it.

You should hurry up since Windows IIS is not able to read those @#$@ing .htaccess files.. No really, take your time :)

HCL Admin
« Reply #4 on: August 26, 2007, 01:08:31 AM »

Hehehe, I was just working on the transcript garbling issue, I'll either get it today or not, either way I'm pushing 2.1.5 out the door since I don't like the current release having a security issue.

victor
« Reply #5 on: August 27, 2007, 04:45:27 PM »

great, so we must wait for 2.1.5 correction... do you have any tentative date for releasing it?

thanks!  :)

HCL Admin
« Reply #6 on: August 27, 2007, 05:05:16 PM »

Should be this morning sometime.

HCL Admin
« Reply #7 on: August 27, 2007, 05:39:11 PM »

Ok, might be just a tad longer, the route to my datacenter is down, the ISP knows about it, now I just have to wait until it's back up.  This is where the SVN is stored and I've never had an issue like this before, so we just need to be patient.  I'm going to take the uncommitted sources and work on the demo site here in the meantime.
