4.1.5.2 security fix released
boccio
10-22-2009, 03:29 PM
We just released a security fix patch (v4.1.5.2) addressing a newly found Remote File Disclosure vulnerability, allowing a remote attacker to download arbitrary files from the target server.
All Vivvo 4.1.x versions are affected by this vulnerability.
We strongly recommend you apply the security fix to secure your website.
To apply this patch, follow the instructions below:
1. Log in to the Client area (https://www.vivvo.net/orders/client_login.php)
2. Download the security patch (73ee5d3b_vivvo_4.1.5.2_security_fix.zip) from the files area section of your account.
3. Place the fixed files over the current ones using an FTP program.
If you face any problems during or after the installation, feel free to contact our support team for help.
damic
10-22-2009, 04:03 PM
Does this also include any ver 4.1.2 installs still out there? I know you say 4.1.x, but does this fix count on 4.1.5 for anything? I think we may still have one 4.1.2 out there, and I'm sure there are many others out there like that too... so I thought I would ask for everyone :)
boccio
10-22-2009, 04:20 PM
Yes, this patch is applicable to any 4.1.x version, including 4.1.1 and 4.1.2.
strateji
10-22-2009, 07:10 PM
I'm using v4.1.1. Must I renew licenses?
theodore
10-22-2009, 08:00 PM
I downloaded it and it is just one file (file.php).
Is that correct? Is it only one file?
casca
10-22-2009, 08:44 PM
We just released a security fix patch (v4.1.5.2) addressing a newly found Remote File Disclosure vulnerability, allowing a remote attacker to download arbitrary files from the target server.
All Vivvo 4.1.x versions are affected by this vulnerability.
We strongly recommend you apply the security fix to secure your website.
To apply this patch, follow the instructions below:
1. Log in to the Client area (https://www.vivvo.net/orders/client_login.php)
2. Download the security patch (73ee5d3b_vivvo_4.1.5.2_security_fix.zip) from the files area section of your account.
3. Place the fixed files over the current ones using an FTP program.
If you face any problems during or after the installation, feel free to contact our support team for help.
I overwrote the file, just FYI the version reporting in the admin is not reflecting the new point upgrade. Are you sure we aren't missing any files? There was just the one files.php in the zip package.
Thanks Boccio and Dev Team :)
casca
10-22-2009, 08:45 PM
I downloaded it and it is just one file (file.php).
Is that correct? Is it only one file?
LOL Theodore, every time I see one of your posts I always go "WTF is that crawling on my screen" and more often than not my hand goes up to squash that damn bug and I realize it's your sig lol. I guess I'm slow :)
bobster65
10-22-2009, 08:48 PM
LOL Theodore, every time I see one of your posts I always go "WTF is that crawling on my screen" and more often than not my hand goes up to squash that damn bug and I realize it's your sig lol. I guess I'm slow :)
LMAO! I actually hit my screen with a fly swatter..... damn flies have been buggin me for weeks now and I thought it was one of them buggers :o
theodore
10-22-2009, 09:00 PM
... I guess I'm slow :)
LOL yes, I have told you that you are an old man and slow :D
boccio
10-22-2009, 09:17 PM
I'm using v4.1.1. Must I renew licenses?
No you don't, security fixes are distributed to everyone, regardless of subscription package. You can download the file attached to this message.
I downloaded it and it is just one file (file.php).
Is that correct? Is it only one file?
Yes, only files.php.
I overwrote the file, just FYI the version reporting in the admin is not reflecting the new point upgrade. Are you sure we aren't missing any files?
No you're not, we released only the file containing the vulnerability. Since this is a critical security issue, we didn't waste time on going through the standard procedure (that includes a version update), we wanted to be as fast as possible.
strateji
10-22-2009, 10:07 PM
Thank you Boccio and Dev. Team
apocan
10-23-2009, 09:25 AM
Thank you very much guys :)
casca
10-23-2009, 08:04 PM
LOL yes, I have told you that you are an old man and slow :D
lol :( 38 and old and slow
casca
10-23-2009, 08:05 PM
No you're not, we released only the file containing the vulnerability. Since this is a critical security issue, we didn't waste time on going through the standard procedure (that includes a version update), we wanted to be as fast as possible.
You rock, I figured that was the reason but I wanted to make sure just in case ;)
rivertrish
10-24-2009, 04:51 AM
Might I suggest you make sure you include readme files? I got your message on the patch, went to my client area and saw I was going to have to 'upgrade' to 4.1.5.2. There is no readme file with this and I discover, after spending 12 HOURS TODAY uploading the new files and changing permissions on my folders, that you have changed the interface to install.... and now I need my database name, password, etc. in order to finish... which of course, I apparently do not have as everything I enter fails. And my tech guy, given this is FRIDAY night, won't be available until Monday, so my site will be down until I can get this information from him. A simple readme file that warned of this change would have been really beneficial. Please understand that it's not just web developers that are using Vivvo, and it's very frustrating to have my site down for a long period of time over something that should have been a simple inclusion.
Hm, looks to me like you didn't perform the patch at all, but reinstalled complete Vivvo.
The patch contains one (1) single file, and all you need to do is replace the current one with it. Exactly like the instructions (http://www.vivvo.net/forums/showpost.php?p=28103&postcount=1) said.
I guess you took the complete 4.1.5.2 bundle instead and re-installed entire Vivvo...
rivertrish
10-24-2009, 03:33 PM
And don't I have to? If I'm told to patch 4.1.5.2 and I'm only running 4.1.5.1... then obviously I have to upgrade to 4.1.5.2... which was in my client area.
theodore
10-24-2009, 03:49 PM
lol :( 38 and old and slow
OMG :eek: I'm 40!
zontech
10-24-2009, 11:22 PM
@rivertrish,
I've always taken it that a patch is a small file issued to address a particular problem or bug. In a Windows drawing program* we use, it's supplied as an .exe file: you just run it and it does all the file overwrites behind the scenes. In PHP it may just be one file to upload to the correct folder on the server.
An upgrade is an agglomeration of bug fixes AND improvements all in one go, to avoid a constant stream of small patches. Modern upgrades usually write over the top with zero problems.
PHP architecture is different to Windows, but Vivvo's last upgrade was just files to upload then run server side using the browser, and it worked fine.
In both cases, a readme.txt file or other advice by email or on the site is usually provided.
In PHP based projects we have to keep careful track (written record and systematic backup) of which files have been customised, otherwise it's back to square one at upgrade time.
*In the drawing program zero hours are expended changing code: it just works and you get on with your work. Paradise. In many PHP based apps there are server, PHP version, MySQL and hosting quirks, THEN all the bits that don't work as they should.
BTW, your hosting control panel should be available to you 24/7, and should contain backup and restore routines, which (in Plesk anyway) is a 5 minute job if your bacon needs saving. Provided you create a rotating backup, that is!
Even twice a week can be enough to save the aforementioned bacon.
rivertrish
10-25-2009, 04:41 PM
thank you zontech, I believe you're correct in your definitions.
I want to make clear that I'm not blaming Vivvo with my upgrade problems... just saying that the inclusion of a read-me file that warned of a changed interface would have eliminated the problems on my end (as I could have checked for changes to my database information, which I am assuming is why I cannot finish the install).
zontech
10-25-2009, 11:50 PM
Hi rivertrish,
As to database backup, we have used phpMyAdmin from the Plesk control panel.
For restore, our hosting services will let us export the DB file to a local PC OK, but NOT restore via the control panel; they reckon such maneuvers can stuff up their entire server. (Hmmm... how come other providers have this Plesk option enabled?)
You could explore alternatives such as 'HeidiSQL' (free) and 'Auto Backup for mySQL' - (Swordsky Software / costs). It's a bit clunky but it works.
z
rivertrish
10-26-2009, 08:08 PM
Hmmmm... my database info was correct, but somehow the upgrade wiped it out. Now reinstalling a backup. Any ideas why THIS happened?
rivertrish
10-27-2009, 08:23 PM
My database is now restored but I'm nervous about trying to upgrade again because I don't know why the last upgrade wiped out my database. Any thoughts?
andy77
10-27-2009, 08:49 PM
Create backup.
My database is now restored but I'm nervous about trying to upgrade again because I don't know why the last upgrade wiped out my database. Any thoughts?
This shouldn't happen under normal circumstances :confused:
Many users have upgraded without problems. Do you have custom fields in your database, or was your DB/site perhaps in use while you ran the upgrade script? You might encounter problems if your database was in use during the upgrade process.
Always make sure to close the site through Vivvo admin panel and disconnect/kill all active connections to the database before upgrading.
rivertrish
10-28-2009, 03:15 PM
I think I might not have closed the site before upgrading... I remember doing so, but don't remember checking to make sure it 'took.' And once I lost the database, any visitor to my site got the Vivvo install script, instead of the 'site down for maintenance' message.
I was on day 17 of swine flu when I attempted to upgrade, so here's a lesson... don't work on your website when you're not feeling your best!
I have just found the latest exploit instructions.
Maybe you guys (vivvo staff) should tell people how serious it is and advise them to change their passwords as I just managed to hack my own site in less than 10 minutes with the latest hack.
Maybe email your customers and advise them?
Change your vivvo admin pass ASAP as you don't know if someone has your db backup or not.
If you are creating daily backups then you are at risk because it's going to be easy to guess the time/name of your database.
zontech
10-29-2009, 09:39 PM
Hmm - just about to go live with a client's site - if there is more to this than simply changing passwords, this would be an Urgent++ item please.
Replace files.php (see boccio's post) and change your admin password and you'll be OK.
If you have no Vivvo backups created by Vivvo in the backup folder then you have nothing to worry about, as there is no way to gain admin access without downloading one of your backups first.
If you use the same passwords for the MySQL database and your admin then you should change it, because with this exploit the first thing you get is your config file and your db connection details are in there.
zontech
10-29-2009, 10:03 PM
Replace files.php (see boccio's post) and change your admin password and you'll be OK.
Yup already done
If you have no Vivvo backups created by Vivvo in the backup folder then you have nothing to worry about, as there is no way to gain admin access without downloading one of your backups first.
As with other apps we clear these out routinely.
If you use the same passwords for the MySQL database and your admin then you should change it, because with this exploit the first thing you get is your config file and your db connection details are in there.
Same passwords are a big no-no around here!
Thanks Dugi.
Indrit
11-10-2009, 02:14 AM
I replaced the files.php which was the only file in the patch and I still see the link to the patch on my admin menu. Usually when I do an update the link to the patch disappears, but not this time?
Am I missing any step? Don't we have to do some kind of update installation process, or simply a file replacement?
Best regards,
Indrit
Indrit
11-10-2009, 12:44 PM
3. Place the fixed files over the current ones using an FTP program.
I think there is ONLY one file in it.
files.php
Is this correct?
rivertrish
11-11-2009, 11:05 PM
I apologize for posting here but when I try to create a new message I get a response that I don't have permission to do that.
I have tried for a second time to upgrade to 4.1.5.2 and once again have completely lost my website. When I go to 'maintenance' in the vivvo back end and tell it to restore my database, it does not do so. My computer guy is now going in and reinstalling all my files and folders from my last backup, so that I can go back to version 4.1.5.1. I am now over 20 hours into trying to upgrade, mostly because changing folder and file permissions takes over five hours each time I try to upgrade.
What am I not understanding here? I would appreciate any guidance as I can't afford to keep having my website down, followed by the time of a tech guy trying to reinstall backups. Should I give up on Vivvo and plan that 4.1.5.1 is the highest version I can use?
krcko
11-12-2009, 12:16 PM
The only file that was changed in 4.1.5.2 was files.php, so you can just take that one from the 4.1.5.2 installation and use it to overwrite files.php in your 4.1.5.1 installation. (Just note that if you only change this file, admin will still report version 4.1.5.1.)
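Several people in this thread replaced files.php and then could not tell whether the patch had actually taken, because the admin panel still reports 4.1.5.1. The version string is not the thing to check; the deployed file's contents are. The following is an added example, not code from Vivvo or from anyone in this thread: it opens a security-fix zip, hashes every member, and compares each against the matching path under the web root, reporting "applied", "stale" (file present but different) or "missing". It also shows a local equivalent of the FTP overwrite step that refuses to write outside the web root. The zip contents, the second nested member (`lib/extra.php`) and the temporary web root in `run_demo()` are all constructed for the demo; only `files.php` is a name the thread itself mentions.

```python
"""Verify that the files from a security-fix zip were really deployed over a
web root, by comparing SHA-256 hashes member by member.

Example code added to this thread; not part of Vivvo or its patch.
All file contents and the lib/extra.php member are constructed for illustration.
"""
import hashlib
import os
import tempfile
import zipfile
from typing import Dict, List, Tuple


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_patch(patch_zip: str, webroot: str) -> Dict[str, str]:
    """Return {member_path: status} for every regular file in the zip.

    "applied" - deployed file hashes identical to the patched copy
    "stale"   - a file exists at that path but differs (patch not applied,
                or the file was edited afterwards)
    "missing" - nothing at that path under webroot
    Directory entries in the zip are skipped.
    """
    result: Dict[str, str] = {}
    with zipfile.ZipFile(patch_zip) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            expected = sha256_bytes(zf.read(info))
            deployed = os.path.join(webroot, *info.filename.split("/"))
            if not os.path.isfile(deployed):
                result[info.filename] = "missing"
                continue
            with open(deployed, "rb") as fh:
                actual = sha256_bytes(fh.read())
            result[info.filename] = "applied" if actual == expected else "stale"
    return result


def apply_patch(patch_zip: str, webroot: str) -> List[str]:
    """Overwrite deployed files with the zip's members (the FTP step, done locally).

    Refuses any member whose path would resolve outside webroot, so a
    malformed archive cannot write elsewhere on the server.
    """
    written: List[str] = []
    root = os.path.realpath(webroot)
    with zipfile.ZipFile(patch_zip) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = os.path.realpath(os.path.join(root, *info.filename.split("/")))
            if os.path.commonpath([root, target]) != root:
                raise ValueError(f"refusing to write outside webroot: {info.filename}")
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(info.filename)
    return written


def run_demo() -> Tuple[Dict[str, str], Dict[str, str]]:
    """Build a throwaway web root and patch zip (constructed contents),
    then return the verification result before and after applying."""
    tmp = tempfile.mkdtemp(prefix="patch_check_demo_")
    webroot = os.path.join(tmp, "htdocs")
    os.makedirs(webroot)
    # Constructed stand-in for the not-yet-patched files.php.
    with open(os.path.join(webroot, "files.php"), "w") as fh:
        fh.write("<?php /* old files.php (constructed) */\n")
    patch_zip = os.path.join(tmp, "security_fix.zip")
    with zipfile.ZipFile(patch_zip, "w") as zf:
        zf.writestr("files.php", "<?php /* fixed files.php (constructed) */\n")
        zf.writestr("lib/extra.php", "<?php /* constructed nested member */\n")
    before = verify_patch(patch_zip, webroot)
    apply_patch(patch_zip, webroot)
    after = verify_patch(patch_zip, webroot)
    return before, after


if __name__ == "__main__":
    b, a = run_demo()
    print("before:", b)
    print("after: ", a)
```

On a real site you would run `verify_patch("73ee5d3b_vivvo_4.1.5.2_security_fix.zip", "/path/to/webroot")` after the FTP upload (the zip name is the one from boccio's post; the web root path is yours) and expect every member to come back "applied"; a "stale" result for files.php means the upload silently failed or landed in the wrong directory, whatever version the admin panel shows.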
flsh video player
11-29-2010, 09:06 AM
Wow... quite a bump...
dpqmw80
07-21-2011, 02:27 AM
I want to download the 4.1.5.2 security fix. How can I download it?
You can download it from your client area:
https://www.vivvo.net/orders/client_login.php
WTF. Just saw this message in my RSS reader and now I realised that it's 2 years old. LOL
vBulletin® v3.8.4, Copyright ©2000-2012, Jelsoft Enterprises Ltd.