July 27, 2008 | 09:39 PM  

Security
Security fixes for MD, modules and blocks.
Following are the News Items published under this Topic.



Security

I'm disgusted, very disgusted, to see that we have received blackmail demands asking us for money to learn about an SQL injection vulnerability afflicting MDPro; otherwise, if we don't pay, they will share this bug with some hacker groups. Then today we found some MD sites defaced: MAXdev.com, MAXdevitalia.com, and the site of our non-profit association, gpldev.org ..... Yes, I'm very disgusted, because we work for free, we work for the open source community, and these people ask us for money to let us know about a bug. What do you want to call these persons? Hackers? Men? Or what?

We are under police investigation; we already know some identities and we will proceed with all steps needed to punish these people. We will keep you informed about that.

You can read about this bug here.

We invite all admins to update all MDPro web sites ASAP. You can get a temporary fix in our Areafiles area, or you can click here; you just need to overwrite the included file. We don't guarantee it, but it should work with MDPro 1.076.

TiMax
Project Manager 




Security

Security fix for MDPro 1.076; please update your sites as soon as possible.

You can download this fix here; just overwrite all files.




Security

The MAXdev team has been notified of a security issue. The problem was found to be due to a directory traversal vulnerability in error.php in MDPro 1.076 and earlier, which allows remote attackers to include and execute arbitrary local files under certain circumstances via the PNSVlang session variable, which is included by error.php.

The patch is available from HERE; this affects all versions of MDPro released up until this point.

Many thanks go to Larsneo for his help and collaboration.

We strongly recommend all users apply this patch to their sites ASAP. All MDPro 1.0.76 packages have been updated to include this fix as from the 21-Nov-06 07:00 GMT.

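The advisory above describes a session value (PNSVlang) reaching a file include. As an added example, which is not MDPro's code and not the project's patch, the PHP below shows one way to constrain such a value before it is used in a path. The function name, the `<langRoot>/<lang>/error.php` layout, the three-letter language names and the sample values are assumptions made for illustration.

```php
<?php
// Added example, not MDPro code. Assumptions: language files live at
// <langRoot>/<lang>/error.php and names are three lowercase letters ("eng").
//
// Pattern of the kind the advisory describes (kept as a comment on purpose):
//   include 'language/' . $_SESSION['PNSVlang'] . '/error.php';

/** Map an untrusted language value to a file under $langRoot, else the default. */
function resolve_lang_file(string $langRoot, $lang, string $default = 'eng'): string
{
    // 1. Syntactic allowlist: rejects "..", "/", "\", NUL bytes and non-strings.
    if (!is_string($lang) || !preg_match('/\A[a-z]{3}\z/', $lang)) {
        $lang = $default;
    }
    $root = realpath($langRoot);
    if ($root === false) {
        throw new RuntimeException('language root not found');
    }
    $prefix = $root . DIRECTORY_SEPARATOR;
    foreach ([$lang, $default] as $name) {
        // 2. Canonicalise, then require the result to stay under the root
        //    (this also catches a symlinked language directory).
        $path = realpath($prefix . $name . DIRECTORY_SEPARATOR . 'error.php');
        if ($path !== false && strncmp($path, $prefix, strlen($prefix)) === 0) {
            return $path;
        }
    }
    throw new RuntimeException('no usable language file');
}

// Constructed demo tree and constructed session values.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'lang_demo_' . getmypid();
foreach (['eng', 'ita'] as $l) {
    if (!is_dir("$root/$l")) {
        mkdir("$root/$l", 0700, true);
    }
    file_put_contents("$root/$l/error.php", "<?php // strings for $l\n");
}
$samples = ['ita', '../../../etc/passwd', "eng\0", 'eng/../../x', ['ita'], 'deu'];
foreach ($samples as $value) {
    $shown = json_encode($value, JSON_UNESCAPED_SLASHES);
    echo str_pad($shown, 24), ' -> ', resolve_lang_file($root, $value), PHP_EOL;
}
```

Only the first sample resolves to the `ita` file; every other value falls back to the default `eng` file, and the returned path is the only thing that should ever be passed to `include`.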


Security

The MAXdev team has been notified of a security issue with the Lost Password function; you can read about this exploit here.

Another small bug was found with the insertion of object code (Flash, video, etc.). This is not a security issue, but we take this occasion to release this fix also.

We still recommend having the AntiCracker feature enabled.

The patch is available from HERE; to apply this fix, just replace the files.

Please note that the MDStaff always works to keep MDPro stable and secure, and once again we are releasing a fix less than 24 hours after being notified of it.

We strongly recommend all users apply this patch to their sites ASAP. All MDPro 1.0.76 packages have been updated to include this fix as from 30/10/2006.

TiMax




Security

Security fixes for MDPro

The MAXdev team has been notified of a security issue by http://www.jpcert.or.jp. The problem was found to be due to poor performance of the pnVarCleanFromInput function at removing potentially harmful input that may result in XSS injection attacks.

Another small bug was found with the AntiCracker which may have made it partially ineffective. We still recommend having the AntiCracker enabled, as it would have blocked against the majority of these attacks prior to the patch.

The patch is available from HERE; this affects all versions of MDPro released up until this point. For MDLite RC testers: MDLite is still marginally affected; the changes to MDPro 1.0.76 have already been backported in CVS and will be included with the next release.

Many thanks go to Masaki Kubo from JPCERT/CC for their assistance in bringing this issue to our attention and testing the patch prior to release.

We strongly recommend all users apply this patch to their sites ASAP. All MDPro 1.0.76 packages have been updated to include this fix as from the 18-Sep-06 09:00 GMT.

PeteBest
