Security Alerts
vulnerability: sh404SEF update your version

Please follow the directions below, given by the developer of sh404SEF, to patch your existing component if it is one of the vulnerable versions.


This morning, after some users reported hacking of their site, the log files they supplied led me to the discovery of a vulnerability in versions 1.2.4.t, u and w of my URL rewriting component, sh404SEF. Under a particular set of circumstances, remote code execution was possible. I apologize for the initial error in code which allowed this, and to the webmasters that suffered hacking due to this vulnerability.

I have uploaded some fixed files on Joomlacode. Here are the details:

A - If you are using a version up to and including 1.2.4s, there is no vulnerability, and you don't need to take any action.

B - If you are using version 1.2.4.t or version 1.2.4.u, you need to patch your site:
  1 - Download the appropriate patch file from Joomlacode (sef404_t2.zip for version 1.2.4.t, or sef404_u2.zip for version 1.2.4.u)
  2 - Unzip this file on your local computer. This will give you a sef404.php file
  3 - Using FTP, upload this new file into the /components/com_sef directory, replacing the existing one
 
C - If you are using version 1.2.4.w, you can either patch your site, or uninstall/re-install the new version w2

Patching your site:
  1 - Download the appropriate patch file from Joomlacode (sef404_w2.zip)
  2 - Unzip this file on your local computer. This will give you a sef404.php file
  3 - Using FTP, upload this new file into the /components/com_sef directory, replacing the existing one
 
Installing the new version:
  1 - Download the new version 1.2.4.w2, available now from Joomlacode
  2 - Using the Joomla installer, uninstall the current w version from your site
  3 - Using the Joomla installer, install the new version w2
  All settings and data will be preserved in this process
 
Very soon I'll be releasing the next version of sh404SEF, which has a set of security features to avoid this kind of issue as much as possible, not only in sh404SEF, but in other Joomla extensions.
In the meantime, I hope damages will be limited. I'll be available as much as can be at http://extensions.siliana.net/en/ to assist you in the upgrade process if needed.

Yours sincerely

shumisha
 