Vivvo CMS Support Forums: News and Product Updates
#1 Micha (Administrator; Belgrade; joined Feb 2006; 2,662 posts), 02-20-2012, 10:51 AM
Security bulletin 2012-20-02

During internal audit activities we found a security issue that makes Vivvo potentially vulnerable to attackers who wish to gain access to the application's sensitive data. We have released a security update which includes the following improvements.

4.5.x branch and 4.6 branch:
- Protection from File disclosure attacks has been improved.


SEVERITY
Moderately critical

IMPACT
- Malicious users may disclose the contents of the CONFIGURATION table via a cache file.

WHERE
From remote.

AFFECTED VERSIONS
All Vivvo versions from 4.5 to 4.6

SOLUTION
We strongly recommend that Vivvo users install the security fix available in the HelpDesk 'File Area'. Alternatively, users without a valid license subscription can download the fix attached to this post.

Installation instructions can be found in the README file.


If you face any problems during or after the installation, feel free to contact our support team for help.

Best regards,
Vivvo Support team
Attached file: Security fix -20122002.zip (6.0 KB, 155 views)

Last edited by Micha; 02-20-2012 at 02:08 PM.
#2 agouni (New Vivvo User; joined Sep 2008; 10 posts), 02-20-2012, 01:53 PM

Hi there,

The problem is that when you clean the cache, the .htaccess is removed.

Thanks
#3 Micha (Administrator), 02-20-2012, 02:10 PM

Quote (originally posted by agouni):
    Hi there,

    The problem is that when you clean the cache, the .htaccess is removed.

    Thanks

This has been fixed.
Please download the archive again and upload the files to your website.
#4 zontech (Senior Vivvo User; joined Dec 2008; 346 posts), 02-20-2012, 09:06 PM
Something still adrift here

Thanks for the vigilant work.

Just downloaded the (updated?) fix, db_maintence.php (filesize 17,489), and applied it as directed.

But after that, on attempting any of the 4 manual tasks (clean cache etc.), I get the error:

Quote:
    Fatal error: Call to undefined method vivvo_lang::get_instance() in /var/www/vhosts/mysite.com/httpdocs/admin/db_maintence.php on line 31

Running 4.1.5.2, which has been very stable and robust.
#5 zontech (Senior Vivvo User), 02-20-2012, 10:42 PM
One more security question . .

Re: the security patch of 30 June 2011 - compress.php (filesize 4767):
In the header it states:

Quote:
    * $Revision: 5491 $
    * $Date: 2010-06-10 15:13:09 +0200 (Thu, 10 Jun 2010) $
    *
    * Vivvo CMS v4.5.2r (build 6082)

Was this patch also relevant for ver 4.1.5.2?

TIA
#6 Micha (Administrator), 02-21-2012, 08:03 AM

Quote (originally posted by zontech):
    Thanks for the vigilant work.

Actually, Musarika, one of our forum members here, spotted this issue and let us know, so one big thanks goes to him.
#7 zontech (Senior Vivvo User), 02-21-2012, 08:13 AM

Feel free to delete my posts if that makes it more difficult for hackers, snoopers, and drongos to figure out what's going on.
#8 Micha (Administrator), 02-21-2012, 08:15 AM

Quote (originally posted by zontech):
    Re: the security patch of 30 June 2011 - compress.php (filesize 4767):
    In the header it states:

    Was this patch also relevant for ver 4.1.5.2?

    TIA

We're still testing this on 4.1.x versions, and so far none of them were affected.
Nevertheless, if you wish to be on the super-safe side, just upload the .htaccess from the patch provided in the first post into your cache folder, then open the

admin/db_maintence.php file and, around line 89, replace the following line

PHP Code:
if ($filename != "." && $filename != ".." && !is_dir($dir . $filename)) {

with this one

PHP Code:
if ($filename != "." && $filename != ".." && $filename != ".htaccess" && !is_dir($dir . $filename)) {

This line should be changed only once, in the place where $dir = VIVVO_FS_ROOT . 'cache/'; is mentioned.
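The two-part mitigation discussed in this thread (a deny-all .htaccess in the cache folder, plus a cache-clean loop that no longer deletes it, which is the defect agouni reported in post #2 and the manual edit Micha describes in post #8) in one runnable form. This is an added example, not Vivvo's own code or the contents of the patch archive: the cache path stands in for Vivvo's VIVVO_FS_ROOT . 'cache/', the .htaccess text is an assumed deny-all rule, the cache file names are constructed samples, and the loop generalises the one-line fix by skipping every dotfile rather than only ".htaccess".

```php
<?php
// Added example (not Vivvo's own code): a cache-clean routine that keeps the
// deny-all .htaccess which stops the web server from serving cache files.
// Assumptions for the example: the cache path below stands in for Vivvo's
// VIVVO_FS_ROOT . 'cache/', the .htaccess text is a plausible deny-all rule
// (the real patch file is not reproduced here), and the cache files are
// constructed samples.

$cacheDir = sys_get_temp_dir() . '/vivvo_cache_example/';   // assumed path

// Assumed protective file: Apache 2.2-style deny-all rule for the directory.
$denyAll = "Order deny,allow\nDeny from all\n";

/**
 * Make sure $dir exists and carries the deny-all .htaccess.
 * Rewrites the file if it is missing or its contents differ.
 */
function ensure_cache_protected($dir, $rules)
{
    if (!is_dir($dir) && !mkdir($dir, 0750, true)) {
        throw new RuntimeException("cannot create $dir");
    }
    $file = $dir . '.htaccess';
    if (!is_file($file) || file_get_contents($file) !== $rules) {
        file_put_contents($file, $rules, LOCK_EX);
    }
}

/**
 * Delete cached files in $dir and return how many were removed.
 * Generalises the one-line fix from the thread: instead of special-casing
 * ".htaccess" it skips every dotfile, so ".", "..", ".htaccess" and any other
 * protective dotfile survive, and subdirectories are left alone as before.
 */
function clean_cache($dir)
{
    $handle = opendir($dir);
    if ($handle === false) {
        throw new RuntimeException("cannot open $dir");
    }
    $removed = 0;
    while (($filename = readdir($handle)) !== false) {
        if ($filename[0] === '.' || is_dir($dir . $filename)) {
            continue;
        }
        if (unlink($dir . $filename)) {
            $removed++;
        }
    }
    closedir($handle);
    return $removed;
}

// Demo run with constructed sample cache files.
ensure_cache_protected($cacheDir, $denyAll);
file_put_contents($cacheDir . 'configuration.cache', "db_host=localhost\n"); // constructed
file_put_contents($cacheDir . 'template_1.cache', "<html></html>\n");       // constructed

$removed = clean_cache($cacheDir);
printf("%d cache file(s) removed\n", $removed);
printf(".htaccess still present: %s\n", is_file($cacheDir . '.htaccess') ? 'yes' : 'no');
```

Run it with the php command-line binary: it creates a temporary directory, writes the deny-all rule and two sample cache files, cleans the cache and reports that the two samples are gone while .htaccess survives. Two caveats for a real deployment: the .htaccess only takes effect when the cache directory is served by Apache with AllowOverride permitting it, so on nginx or other servers the equivalent deny rule has to go into the server configuration instead; and after patching, the quick check is to request the URL of a known cache file and confirm the server answers 403 rather than returning the file contents.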
#9 zontech (Senior Vivvo User), 02-21-2012, 09:59 PM

OK thanks - uploading the .htaccess file in the patch (30 bytes) and modifying the original 4.1.5.2 file to

PHP Code:
if ($filename != "." && $filename != ".." && $filename != ".htaccess" && !is_dir($dir . $filename)) {

still permits all 4 manual tasks to proceed, and does not delete the .htaccess file during any of these operations.

Will await next advice on this.

Last edited by zontech; 02-21-2012 at 10:01 PM.
All times are GMT +1.
Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.