Help Center Live Community

General => Announcements => Topic started by: HCL Admin on August 17, 2007, 07:19:22 AM



Title: Potential Security Issue in 2.1.4 and earlier versions.
Post by: HCL Admin on August 17, 2007, 07:19:22 AM
It appears that there may be a security issue with certain administrative files on all recent versions of HCL.  We are aware of the issue, and are working to expedite a fix for these issues.  I should have at least a hotfix tonight, and a new version up in a few days with the security patch installed on the SourceForge page.

This issue is detailed here (http://secunia.com/advisories/26352/) and may cause the admin to be locked out, or for your HCL install to be hacked.  Until the hotfix is released (in the next few hours) I recommend putting an .htaccess in your admin folder such as this:

Code: (.htaccess)
Order Deny,Allow
Deny from all
Allow from 000.000.000.000

Change the 000.000.000.000 to your IP address.  If you need multiple addresses, then separate each address with a space.
This is only necessary until the hotfix is released; again, this should be sometime this morning (Friday, August 17th).

Remember, if you hear of ANY security related issue with HCL, Please, please, please let us know.  These types of issues can cause serious repercussions for others. 


Title: Re: Potential Security Issue in 2.1.4 and earlier versions.
Post by: HCL Admin on August 17, 2007, 08:03:24 AM
Here is the hotfix file, which I shall be posting on the portal page in a few minutes, simply extract the auth.php file from the archive and replace the hcl/class/auth.php on your webserver.

NOTE:  This hotfix is untested at this time, and while it should cause no problems, there may be issues with it.

Frankly the fix involved adding one line to the auth.php code, a simple exit statement appears to have been missing.  Please, if you're using 2.1.2, 2.1.3, 2.1.3a, or 2.1.4, replace the auth.php with the one attached to this message.
 

Again, remember, if you spot even a suspected vulnerability, please at least PM me a message about it, or post on the forums here.  I'd rather chase a few wild geese than have even one vulnerability out in the wild. :)

Edit: Doh, I forgot to add the file...
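
The class of bug described in the post above (an auth check that is missing an exit), as an added illustration. This is not Help Center Live's auth.php and not code from the project; the function names, the `is_admin` session key and `/login.php` are hypothetical, and it assumes the common pattern in which a failed check sends a redirect and is expected to end the request there.

```php
<?php
// demo.php: added illustration, NOT Help Center Live's auth.php.
// All names here are hypothetical. Run it only as a local test:
//   php -S 127.0.0.1:8000 demo.php
//   curl -i 'http://127.0.0.1:8000/?mode=before'
//   curl -i 'http://127.0.0.1:8000/?mode=after'
// and compare the response bodies of the two requests.
session_start();

// BEFORE: the check queues a redirect for visitors who are not logged in,
// but then returns to the caller, so the rest of the page still executes.
function require_admin_before(): void
{
    if (empty($_SESSION['is_admin'])) {
        header('Location: /login.php', true, 302);
        // No exit here: control falls through to the admin page below.
    }
}

// AFTER: the one-line fix. The request ends as soon as the check fails.
function require_admin_after(): void
{
    if (empty($_SESSION['is_admin'])) {
        header('Location: /login.php', true, 302);
        exit;
    }
}

$mode = $_GET['mode'] ?? 'after';
if ($mode === 'before') {
    require_admin_before();
} else {
    require_admin_after();
}

// Stand-in for an administrative page: in a real application this is where
// settings would be rendered and submitted forms processed.
echo "ADMIN PAGE: settings rendered and form posts processed here\n";
```

A browser follows the redirect, so both versions look protected in manual testing; the difference only shows to a client that reads the body of the 302 response, which is why a check for this belongs in an automated test of every admin page.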


Title: Re: Potential Security Issue in 2.1.4 and earlier versions.
Post by: HCL Admin on August 17, 2007, 02:55:55 PM
As a further note, I'll be releasing another version (2.1.5) this weekend or Monday. Because of the potential of this security fix, I'd rather bump another version number due to it.


Title: Re: Potential Security Issue in 2.1.4 and earlier versions.
Post by: ancer on August 26, 2007, 12:46:17 AM
Quote: As a further note, I'll be releasing another version (2.1.5) this weekend or Monday. Because of the potential of this security fix, I'd rather bump another version number due to it.
You should hurry up since Windows IIS is not able to read those @#$@ing .htaccess files.. No really, take your time :)


Title: Re: Potential Security Issue in 2.1.4 and earlier versions.
Post by: HCL Admin on August 26, 2007, 01:08:31 AM
Hehehe, I was just working on the transcript garbling issue, I'll either get it today or not, either way I'm pushing 2.1.5 out the door since I don't like the current release having a security issue.


Title: Re: Potential Security Issue in 2.1.4 and earlier versions.
Post by: victor on August 27, 2007, 04:45:27 PM
Great, so we must wait for the 2.1.5 correction... do you have any tentative date for releasing it?

thanks!  :)


Title: Re: Potential Security Issue in 2.1.4 and earlier versions.
Post by: HCL Admin on August 27, 2007, 05:05:16 PM
Should be this morning sometime.


Title: Re: Potential Security Issue in 2.1.4 and earlier versions.
Post by: HCL Admin on August 27, 2007, 05:39:11 PM
Ok, might be just a tad longer, the route to my datacenter is down, the ISP knows about it, now I just have to wait until it's back up.  This is where the SVN is stored and I've never had an issue like this before, so we just need to be patient.  I'm going to take the uncommitted sources and work on the demo site here in the meantime.

