
Security: security fixes for MD, modules and blocks. The following are the news items published under this topic.
Topic name: Security
I'm disgusted, very disgusted, to see that we have received blackmail messages asking us for money in exchange for details of an SQL injection vulnerability affecting MDPro; otherwise, if we don't pay, they will share this bug with some hacker groups. Then today we found some MD sites defaced: MAXdev.com, MAXdevitalia.com, and the site of our non-profit association, gpldev.org. Yes, I'm very disgusted, because we work for free, we work for the open source community, and these people ask us for money to let us know about a bug. What do you want to call these people? Hackers? Men? Or what?

We are under police investigation; we already know some identities and we will proceed with all steps needed to punish these people. We will keep you informed about that. You can read about this bug here.

We invite all admins to update all MDPro web sites ASAP. You can get a temporary fix in our Areafiles area, or you can click here; you just need to overwrite the file included. We don't guarantee it, but it should work with MDPro 1.076.

TiMax
Project Manager
|
Security fix for MDPro 1.076; please update your sites as soon as possible. You can download this fix here; just overwrite all files.
|
The MAXdev team has been notified of a security issue. The problem was found to be due to a directory traversal vulnerability in error.php in MDPro 1.076 and earlier, which allows remote attackers to include and execute arbitrary local files under certain circumstances via the PNSVlang session variable, which is included by error.php.

The patch is available from HERE; this affects all versions of MDPro released up until this point. Many thanks go to Larsneo for his help and collaboration.

We strongly recommend all users apply this patch to their sites ASAP. All MDPro 1.0.76 packages have been updated to include this fix as from the 21-Nov-06 07:00 GMT.
|
The MAXdev team has been notified of a security issue with the Lost Password function; you can read about this exploit here. Another small bug was found with the insertion of object code (flash, video, etc.). This is not a security issue, but we take this occasion to release this fix as well. We still recommend having the AntiCracker feature enabled.

The patch is available from HERE; to apply this fix, just replace the files. Please note that the MDStaff always works to keep MDPro stable and secure, and once again we have released a fix less than 24 hours after we were notified about it.

We strongly recommend all users apply this patch to their sites ASAP. All MDPro 1.0.76 packages have been updated to include this fix as from 30/10/2006.
TiMax
|
Security fixes for MDPro
The MAXdev team has been notified of a security issue by http://www.jpcert.or.jp. The problem was found to be due to poor performance of the pnVarCleanFromInput function at removing potentially harmful input, which may result in XSS injection attacks.

Another small bug was found with the AntiCracker, which may have made it partially ineffective. We still recommend having the AntiCracker enabled, as it would have blocked the majority of these attacks prior to the patch.

The patch is available from HERE; this affects all versions of MDPro released up until this point. For MDLite RC testers: MDLite is still marginally affected; the changes to MDPro 1.0.76 have already been backported in CVS and will be included with the next release.

Many thanks go to Masaki Kubo from JPCERT/CC for their assistance in bringing this issue to our attention and testing the patch prior to release.

We strongly recommend all users apply this patch to their sites ASAP. All MDPro 1.0.76 packages have been updated to include this fix as from the 18-Sep-06 09:00 GMT.
PeteBest
|
The MAXdev CMS Development Team was notified by Andreas Krapohl [larsneo] about an exploit discovered by secunia.com, which is a vulnerability in the adodb database abstraction layer.

VULNERABILITIES - Arbitrary SQL code execution via adodb (when db-user is 'root' without password)
|
As we have already said in our news (http://www.maxdev.com/Article492.phtml), it is recommended that all admins deactivate the xmlrpc module within administration-modules and completely remove /xmlrpc.php and the /modules/xmlrpc folder from the filesystem.
|
Thanks to Andreas Krapohl [larsneo], we were notified about a security issue within the current Messages module.

VULNERABILITIES - missing input validation within /modules/Messages/readpmsg.php and /modules/Messages/readpmsgob.php

SOLUTION - It is recommended that all admins update these files as soon as possible. To do that, just download the fix and replace both files.

All MD-Pro 1.0.72 downloads from this site have now had this update already applied to them, including the 1.0.72 upgrade release. You only need this security fix if you downloaded MD-Pro before the date on this announcement. If in doubt, please overwrite your existing files, just to be sure.
MD Staff
|
Thanks to Andreas Krapohl [larsneo] of the Postnuke Dev team, we were notified about a security issue within the current MD-Pro and xmlrpc library.

VULNERABILITIES - remote code injection via xml rpc library
|