Charlottezweb

Recent Posts

Script Chat / Joomla Security Notice :: May 23, 2018
« Last post by Jason on May 23, 2018, 01:07:22 PM »
Joomla has emailed a security announcement.  If you use Joomla for your site, please check your version and upgrade accordingly.

The announcement is available on their site here:

https://developer.joomla.org/security-centre.html

Quote
Joomla! Security News

________________________________________
- [20180509] - Core - XSS vulnerability in the media manager
- [20180508] - Core - Possible XSS attack in the redirect method
- [20180507] - Core - Session deletion race condition
- [20180506] - Core - Filter field in com_fields allows remote code execution
- [20180505] - Core - XSS Vulnerabilities & additional hardening
- [20180504] - Core - Installer leaks plain text password to local user
- [20180503] - Core - Information Disclosure about unpublished tags
- [20180502] - Core - Add PHAR files to the upload blacklist
- [20180501] - Core - ACL violation in access levels
[20180509] - Core - XSS vulnerability in the media manager
Posted: 22 May 2018 06:30 AM PDT
  -  Project: Joomla!
  -  SubProject: CMS
  -  Impact: Low
  -  Severity: Low
  -  Versions: 1.5.0 through 3.8.7
  -  Exploit type: XSS
  -  Reported Date: 2017-October-28
  -  Fixed Date: 2018-May-22
  -  CVE Number: CVE-2018-6378
Description
Inadequate filtering of file and folder names leads to various XSS attack vectors in the media manager.
Affected Installs
Joomla! CMS versions 1.5.0 through 3.8.7
Solution
Upgrade to version 3.8.8
Contact
The JSST at the Joomla! Security Centre.
Reported By: David Jardin, JSST
 
 

[20180508] - Core - Possible XSS attack in the redirect method
Posted: 22 May 2018 06:30 AM PDT
  -  Project: Joomla!
  -  SubProject: CMS
  -  Impact: Low
  -  Severity: Low
  -  Versions: 3.1.2 through 3.8.7
  -  Exploit type: XSS
  -  Reported Date: 2018-March-30
  -  Fixed Date: 2018-May-22
  -  CVE Number: CVE-2018-11328
Description
Under specific circumstances (a redirect issued with a URI containing a username and password when the Location: header cannot be used), a lack of escaping of the user-info component of the URI could result in an XSS vulnerability.
Affected Installs
Joomla! CMS versions 3.1.2 through 3.8.7
Solution
Upgrade to version 3.8.8
Contact
The JSST at the Joomla! Security Centre.
Reported By: David Jardin, JSST
 
 

[20180507] - Core - Session deletion race condition
Posted: 22 May 2018 06:30 AM PDT
  -  Project: Joomla!
  -  SubProject: CMS
  -  Impact: Medium
  -  Severity: Low
  -  Versions: 3.0.0 through 3.8.7
  -  Exploit type: Session race condition
  -  Reported Date: 2017-July-08
  -  Fixed Date: 2018-May-22
  -  CVE Number: CVE-2018-11324
Description
A long running background process, such as remote checks for core or extension updates, could create a race condition where a session which was expected to be destroyed would be recreated.
Affected Installs
Joomla! CMS versions 3.0.0 through 3.8.7
Solution
Upgrade to version 3.8.8
Additional Resources
  -  Links Go Here
Contact
The JSST at the Joomla! Security Centre.
Reported By: David Jardin, JSST
 
 

[20180506] - Core - Filter field in com_fields allows remote code execution
Posted: 22 May 2018 06:30 AM PDT
  -  Project: Joomla!
  -  SubProject: CMS
  -  Impact: Moderate
  -  Severity: Low
  -  Versions: 3.7.0 through 3.8.7
  -  Exploit type: Remote Code Execution
  -  Reported Date: 2018-May-14
  -  Fixed Date: 2018-May-22
  -  CVE Number: CVE-2018-11321
Description
Inadequate filtering allows users authorised to create custom fields to manipulate the filtering options and inject an unvalidated option.
Affected Installs
Joomla! CMS versions 3.7.0 through 3.8.7
Solution
Upgrade to version 3.8.8
Contact
The JSST at the Joomla! Security Centre.
Reported By: Benjamin Trenkle, JSST
 
 

[20180505] - Core - XSS Vulnerabilities & additional hardening
Posted: 22 May 2018 06:30 AM PDT
  -  Project: Joomla!
  -  SubProject: CMS
  -  Impact: Moderate
  -  Severity: Moderate
  -  Versions: 3.0.0 through 3.8.7
  -  Exploit type: XSS
  -  Reported Date: 2018-February-02 & 2018-March-27
  -  Fixed Date: 2018-May-22
  -  CVE Number: CVE-2018-11326
Description
Inadequate input filtering leads to multiple XSS vulnerabilities. Additionally, the default filtering settings could potentially allow users of the default Administrator user group to perform an XSS attack.
Affected Installs
Joomla! CMS versions 3.0.0 through 3.8.7
Solution
Upgrade to version 3.8.8
Additional Resources
  -  You can find more details and other default changes in 3.8.8 at the Documentation.
Contact
The JSST at the Joomla! Security Centre.
Reported By: Kai Zhao of 3H Security Team & Zhouyuan Yang (FortiGuard Labs)
 
 

[20180504] - Core - Installer leaks plain text password to local user
Posted: 22 May 2018 06:30 AM PDT
  -  Project: Joomla!
  -  SubProject: CMS
  -  Impact: Low
  -  Severity: Low
  -  Versions: 3.0.0 through 3.8.7
  -  Exploit type: Information Disclosure
  -  Reported Date: 2018-February-09
  -  Fixed Date: 2018-May-22
  -  CVE Number: CVE-2018-11325
Description
The web install application would autofill password fields after either a form validation error or navigating to a previous install step, and displays the plain text password for the administrator account at the confirmation screen.
Affected Installs
Joomla! CMS versions 3.0.0 through 3.8.7
Solution
Upgrade to version 3.8.8
Contact
The JSST at the Joomla! Security Centre.
Reported By: Sascha Egerer
 
 

[20180503] - Core - Information Disclosure about unpublished tags
Posted: 22 May 2018 06:30 AM PDT
  -  Project: Joomla!
  -  SubProject: CMS
  -  Impact: Low
  -  Severity: Moderate
  -  Versions: 3.1.0 through 3.8.7
  -  Exploit type: Information Disclosure
  -  Reported Date: 2018-April-27
  -  Fixed Date: 2018-May-22
  -  CVE Number: CVE-2018-11327
Description
Inadequate checks allowed users to see the names of tags that were either unpublished or published with restricted view permission.
Affected Installs
Joomla! CMS versions 3.1.0 through 3.8.7
Solution
Upgrade to version 3.8.8
Contact
The JSST at the Joomla! Security Centre.
Reported By: Phil Taylor, JSST
 
 

[20180502] - Core - Add PHAR files to the upload blacklist
Posted: 22 May 2018 06:30 AM PDT
  -  Project: Joomla!
  -  SubProject: CMS
  -  Impact: High
  -  Severity: Low
  -  Versions: 2.5.0 through 3.8.7
  -  Exploit type: Malicious file upload
  -  Reported Date: 2018-March-14
  -  Fixed Date: 2018-May-22
  -  CVE Number: CVE-2018-11322
Description
Depending on the server configuration, PHAR files might be handled as executable PHP scripts by the webserver.
Affected Installs
Joomla! CMS versions 2.5.0 through 3.8.7
Solution
Upgrade to version 3.8.8
Contact
The JSST at the Joomla! Security Centre.
Reported By: Demis Palma, JSST
 
 

[20180501] - Core - ACL violation in access levels
Posted: 22 May 2018 06:30 AM PDT
  -  Project: Joomla!
  -  SubProject: CMS
  -  Impact: High
  -  Severity: Low
  -  Versions: 2.5.0 through 3.8.7
  -  Exploit type: ACL violation
  -  Reported Date: 2018-March-08
  -  Fixed Date: 2018-May-22
  -  CVE Number: CVE-2018-11323
Description
Inadequate checks allowed users to modify the access levels of user groups with higher permissions.
Affected Installs
Joomla! CMS versions 2.5.0 through 3.8.7
Solution
Upgrade to version 3.8.8
Contact
The JSST at the Joomla! Security Centre.
Reported By: Matias Aguirre, JSST
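The [20180502] entry above says only that PHAR files were added to the upload blacklist. As an added example (not Joomla's own upload code), the following PHP shows the defensive check a site operator would want on any upload path: an extension allowlist rather than a blocklist, with every dotted segment of the filename inspected so that a name like shell.phar.png is rejected along with shell.phar. The allowed and executable extension sets are constructed assumptions for the example.

```php
<?php
// Added example, not Joomla code: allowlist-based upload filename check.
// The two extension sets below are assumptions for this example; adjust to
// what the site actually needs to accept.
const ALLOWED_UPLOAD_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt'];
const EXECUTABLE_EXTENSIONS = ['php', 'phtml', 'phar', 'php3', 'php4', 'php5', 'php7', 'phps', 'pht'];

function isUploadNameAllowed(string $name): bool
{
    $base  = basename($name);                // drop any directory component
    $parts = explode('.', strtolower($base)); // case-insensitive comparison

    // No extension at all, or a dotfile such as ".htaccess": reject.
    if (count($parts) < 2 || $parts[0] === '') {
        return false;
    }

    // The final extension must be on the allowlist (blocklists miss new types).
    $final = end($parts);
    if (!in_array($final, ALLOWED_UPLOAD_EXTENSIONS, true)) {
        return false;
    }

    // Web servers configured with handler-by-segment rules (e.g. Apache
    // AddHandler) may execute a file whose *inner* segment is a script
    // extension, so every segment after the stem is checked, not just the last.
    foreach (array_slice($parts, 1) as $segment) {
        if (in_array($segment, EXECUTABLE_EXTENSIONS, true)) {
            return false;
        }
    }

    return true;
}

// Constructed sample filenames covering the cases the check is meant to handle.
$samples = ['photo.png', 'report.PDF', 'shell.phar', 'shell.phar.png', '.htaccess', 'notes', '../evil.php'];
foreach ($samples as $n) {
    printf("%-16s %s\n", $n, isUploadNameAllowed($n) ? 'allowed' : 'rejected');
}
```

Run it with the PHP CLI. Note that a filename check is only one layer: the upload directory should also be served without script execution (no handler for .php/.phar there) so a missed extension cannot become remote code execution.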
News & Announcements / Charlottezweb Client Area upgraded
« Last post by Jason on April 08, 2018, 05:13:45 PM »
The Client Area (billing, support, ordering) system on Charlottezweb has been upgraded.  

Please visit this thread for any questions/concerns.

https://www.charlottezweb.com/forums/index.php?topic=2132.0

Thank you!
-Jason
Server Updates & Outages / April 8, 2018 :: Client Area upgraded
« Last post by Jason on April 08, 2018, 05:12:59 PM »
I've upgraded the system that runs our Client Area on Charlottezweb.  This is the area where you can place orders, request support, manage your hosting, domains, etc.

https://www.charlottezweb.com/clients/clientarea.php

If you have any questions or spot any issues, please let me know.

Cheers,
Jason
Please visit SMF's announcement post on March 23, 2018:

https://www.simplemachines.org/community/index.php?topic=559497

Quote
In order to provide enhanced support and focus development on upcoming releases, the Simple Machines Forum Team is announcing that version 1.1 of our software will no longer be receiving updates.

SMF 1.1 is outdated in many ways, including in relation to a number of security issues. We suggest that anyone who is still using SMF 1.1 should migrate to SMF 2.0 as soon as possible.  The support board for SMF 1.1 will remain open for the time being to allow anyone who has questions about how to upgrade their forum or encounters any problems in doing so to request assistance from our support team.

We are aware that some of our community members have created temporary solutions to the incompatibility problems of the 1.1 series with PHP.  We invite those of you who have created these solutions to submit them to our Customization Site. The Customization Team will review the submissions and make them public for the benefit of the entire community. We are open to patches being made, but we need to review them before they are made publicly available to the community.

Development will focus on version 2.1, but we will continue supporting and updating version 2.0.x.

For more information, please see:


Regards,

Simple Machines Forum Team
Script Chat / Joomla Security Notice :: March 13, 2018
« Last post by Jason on March 15, 2018, 11:29:42 AM »
Joomla has emailed a security announcement.  If you use Joomla for your site, please check your version and upgrade accordingly.

The announcement is available on their site here:

https://developer.joomla.org/security-centre.html

Quote
Joomla! Security News

________________________________________
[20180301] - Core - SQLi vulnerability User Notes
Posted: 13 Mar 2018 06:45 AM PDT
  -  Project: Joomla!
  -  SubProject: CMS
  -  Impact: High
  -  Severity: Low
  -  Versions: 3.5.0 through 3.8.5
  -  Exploit type: SQLi
  -  Reported Date: 2018-March-08
  -  Fixed Date: 2018-March-12
  -  CVE Number: CVE-2018-8045
Description
The lack of type casting of a variable in a SQL statement leads to a SQL injection vulnerability in the User Notes list view.
Affected Installs
Joomla! CMS versions 3.5.0 through 3.8.5
Solution
Upgrade to version 3.8.6
Contact
The JSST at the Joomla! Security Centre.
Reported By: Entropy Moe
Script Chat / Joomla Security Notice :: January 31, 2018
« Last post by Jason on February 03, 2018, 04:32:43 PM »
Joomla has emailed a security announcement.  If you use Joomla for your site, please check your version and upgrade accordingly.

The announcement is available on their site here:

https://developer.joomla.org/security-centre.html

Quote
Joomla! Security News

________________________________________
- [20180104] - Core - SQLi vulnerability in Hathor postinstall message
- [20180103] - Core - XSS vulnerability in Uri class
- [20180102] - Core - XSS vulnerability in com_fields
- [20180101] - Core - XSS vulnerability in module chromes
[20180104] - Core - SQLi vulnerability in Hathor postinstall message
Posted: 30 Jan 2018 06:45 AM PST
-  Project: Joomla!
-  SubProject: CMS
-  Impact: High
-  Severity: Low
-  Versions: 3.7.0 through 3.8.3
-  Exploit type: SQLi
-  Reported Date: 2017-November-17
-  Fixed Date: 2018-January-30
-  CVE Number: CVE-2018-6376
Description
The lack of type casting of a variable in a SQL statement leads to a SQL injection vulnerability in the Hathor postinstall message.
Affected Installs
Joomla! CMS versions 3.7.0 through 3.8.3
Solution
Upgrade to version 3.8.4
Contact
The JSST at the Joomla! Security Centre.
Reported By: Karim Ouerghemmi, ripstech.com
 
 

[20180103] - Core - XSS vulnerability in Uri class
Posted: 30 Jan 2018 06:45 AM PST
-  Project: Joomla!
-  SubProject: CMS
-  Impact: Moderate
-  Severity: Low
-  Versions: 1.5.0 through 3.8.3
-  Exploit type: XSS
-  Reported Date: 2017-November-17
-  Fixed Date: 2018-January-30
-  CVE Number: CVE-2018-6379
Description
Inadequate input filtering in the Uri class (formerly JUri) leads to an XSS vulnerability.
Affected Installs
Joomla! CMS versions 1.5.0 through 3.8.3
Solution
Upgrade to version 3.8.4
Contact
The JSST at the Joomla! Security Centre.
Reported By: Octavian Cinciu
 
 

[20180102] - Core - XSS vulnerability in com_fields
Posted: 30 Jan 2018 06:45 AM PST
-  Project: Joomla!
-  SubProject: CMS
-  Impact: Moderate
-  Severity: Low
-  Versions: 3.7.0 through 3.8.3
-  Exploit type: XSS
-  Reported Date: 2018-January-20
-  Fixed Date: 2018-January-30
-  CVE Number: CVE-2018-6377
Description
Inadequate input filtering in com_fields leads to an XSS vulnerability in multiple field types, i.e. list, radio and checkbox.
Affected Installs
Joomla! CMS versions 3.7.0 through 3.8.3
Solution
Upgrade to version 3.8.4
Contact
The JSST at the Joomla! Security Centre.
Reported By: Benjamin Trenkle, JSST
 
 

[20180101] - Core - XSS vulnerability in module chromes
Posted: 30 Jan 2018 06:45 AM PST
-  Project: Joomla!
-  SubProject: CMS
-  Impact: Moderate
-  Severity: Low
-  Versions: 3.0.0 through 3.8.3
-  Exploit type: XSS
-  Reported Date: 2018-January-21
-  Fixed Date: 2018-January-30
-  CVE Number: CVE-2018-6380
Description
Lack of escaping in the module chromes leads to XSS vulnerabilities in the module system.
Affected Installs
Joomla! CMS versions 3.0.0 through 3.8.3
Solution
Upgrade to version 3.8.4
Contact
The JSST at the Joomla! Security Centre.
Reported By: David Jardin, JSST
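Two of the advisories quoted above ([20180301] User Notes and [20180104] Hathor postinstall message) describe the same root cause: a variable reaching a SQL statement without being cast to its expected type. The following PHP is an added example, not Joomla's code, that shows the pattern side by side: the unsafe string interpolation, the (int) cast that the advisories' fix category refers to, and the prepared-statement alternative. It assumes PHP with the pdo_sqlite extension; the table, rows and input value are constructed for the example.

```php
<?php
// Added example, not Joomla code. Assumes the pdo_sqlite extension.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed table: one note belongs to user 42, one to user 7.
$db->exec('CREATE TABLE user_notes (id INTEGER PRIMARY KEY, user_id INTEGER, body TEXT)');
$db->exec("INSERT INTO user_notes (user_id, body) VALUES (42, 'note for 42'), (7, 'note for 7')");

// Unsafe: the filter value is dropped into the SQL text as-is, so anything
// that is not a plain number becomes part of the query structure.
function listNotesUnsafe(PDO $db, string $userId): array
{
    $sql = "SELECT body FROM user_notes WHERE user_id = $userId";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Fix 1 (the category the advisories name): cast before interpolating.
// (int) keeps only a leading integer, so no operator or clause can get through.
function listNotesCast(PDO $db, string $userId): array
{
    $sql = 'SELECT body FROM user_notes WHERE user_id = ' . (int) $userId;
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Fix 2: bind the value, so the driver never lets data alter the statement.
// Casting is still done here so the column receives the type it expects.
function listNotesBound(PDO $db, string $userId): array
{
    $stmt = $db->prepare('SELECT body FROM user_notes WHERE user_id = :uid');
    $stmt->execute([':uid' => (int) $userId]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed request value: a number followed by an extra clause.
$filter = '42 OR 1=1';

foreach (['unsafe' => 'listNotesUnsafe', 'cast' => 'listNotesCast', 'bound' => 'listNotesBound'] as $label => $fn) {
    $rows = $fn($db, $filter);
    printf("%-6s -> %d row(s): %s\n", $label, count($rows), implode(', ', $rows));
}
```

Run it with the PHP CLI. The unsafe variant returns rows for every user because the appended clause widens the WHERE condition; both fixed variants return only user 42's row. In a Joomla context the cast is what the project's fix category ("type casting") refers to; the bound-parameter form is the general defence to reach for in new code.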
Script Chat / SMF 2.0.15 Released :: November 20, 2017
« Last post by Jason on November 22, 2017, 09:51:10 PM »
Please visit SMF's release post on Nov 20:

https://www.simplemachines.org/community/index.php?topic=557176

Quote
Dear Members,

Simple Machines Forum has released a new patch to the 2.0.x line, bringing our latest release version to 2.0.15.

This patch adds both important security and general maintenance fixes to your forum, so it is imperative that you install this patch quickly.
You can view the changelog for this release, per usual, on the downloads page.

The quick summary of changes is as follows:

- A security issue reported by Daniel Le Gall from SCRT SA
- Various bug fixes with the Proxy handler
- Login fixes for SSI and Maintenance mode
- Various Search fixes
- Email handling issue fixed when using SendTopic
- Fixed SM Stat collection and added opt in/out functionality to the Admin Panel


Please see the changelog for more information.

If you are running version 2.0.14, you can update your forum to the latest version by using the package manager. As usual, you should see the update notification in the admin panel notifications and in the package manager, which will allow you to download and install the patch seamlessly.  If you do not see the notification about the patch, please run the scheduled task "Fetch Simple Machines files" from the Scheduled Tasks page (Admin > Maintenance > Scheduled Tasks > Fetch Simple Machines Files (check the "Run Now" checkbox and click the "Run Now" button)).

If you use older versions of SMF, you can upgrade directly to 2.0.15 from whichever version you are currently using by using the "full upgrade" archive from the downloads page. Be aware that using this upgrade method will require you to reinstall any customizations that you have added to your forum, so if you are running a version of the 2.0.x series, it is recommended that you apply the successive patches instead of using the full upgrade.
Script Chat / Joomla Security Notice :: November 9, 2017
« Last post by Jason on November 10, 2017, 10:05:23 AM »
Joomla has emailed a security announcement.  If you use Joomla for your site, please check your version and upgrade accordingly.

The announcement is available on their site here:

https://developer.joomla.org/security-centre.html


Quote
Joomla! Security News

________________________________________
- [20171103] - Core - Information Disclosure
- [20171102] - Core - 2-factor-authentication bypass
- [20171101] - Core - LDAP Information Disclosure
[20171103] - Core - Information Disclosure
Posted: 07 Nov 2017 07:00 AM PST
- Project: Joomla!
- SubProject: CMS
- Severity: Low
- Versions: 3.7.0 through 3.8.1
- Exploit type: Information Disclosure
- Reported Date: 2017-May-17
- Fixed Date: 2017-November-07
- CVE Number: CVE-2017-16633
Description
A logic bug in com_fields exposed read-only information about a site's custom fields to unauthorized users.
Affected Installs
Joomla! CMS versions 3.7.0 through 3.8.1
Solution
Upgrade to version 3.8.2
Contact
The JSST at the Joomla! Security Centre.
Reported By: Internal JSST audit
 
 

[20171102] - Core - 2-factor-authentication bypass
Posted: 07 Nov 2017 07:00 AM PST
- Project: Joomla!
- SubProject: CMS
- Severity: Medium
- Versions: 3.2.0 through 3.8.1
- Exploit type:
- Reported Date: 2017-October-31
- Fixed Date: 2017-November-07
- CVE Number: CVE-2017-16634
Description
A bug allowed third parties to bypass a user's 2-factor-authentication method.
Affected Installs
Joomla! CMS versions 3.2.0 through 3.8.1
Solution
Upgrade to version 3.8.2
Contact
The JSST at the Joomla! Security Centre.
Reported By: Yarince
 
 

[20171101] - Core - LDAP Information Disclosure
Posted: 07 Nov 2017 07:00 AM PST
- Project: Joomla!
- SubProject: CMS
- Severity: Medium
- Versions: 1.5.0 through 3.8.1
- Exploit type: Information Disclosure
- Reported Date: 2017-October-06
- Fixed Date: 2017-November-07
- CVE Number: CVE-2017-14596
Description
Inadequate escaping in the LDAP authentication plugin can result in disclosure of username and password.
Affected Installs
Joomla! CMS versions 1.5.0 through 3.8.1
Solution
Upgrade to version 3.8.2
Contact
The JSST at the Joomla! Security Centre.
Reported By: Dr. Johannes Dahse, RIPS Technologies GmbH

Script Chat / Joomla Security Notice :: September 20, 2017
« Last post by Jason on September 22, 2017, 04:25:11 PM »
Joomla has emailed a security announcement.  If you use Joomla for your site, please check your version and upgrade accordingly.

The announcement is available on their site here:

https://developer.joomla.org/security-centre.html

Quote
[20170901] - Core - Information Disclosure
Posted: 19 Sep 2017 07:00 AM PDT
- Project: Joomla!
- SubProject: CMS
- Severity: Low
- Versions: 3.7.0 through 3.7.5
- Exploit type: Information Disclosure
- Reported Date: 2017-August-4
- Fixed Date: 2017-September-19
- CVE Number: CVE-2017-14595
Description
A logic bug in a SQL query could lead to the disclosure of article intro texts when these articles are in the archived state.
Affected Installs
Joomla! CMS versions 3.7.0 through 3.7.5
Solution
Upgrade to version 3.8.0
Contact
The JSST at the Joomla! Security Centre.
Reported By: Michal Prochaczek
 

[20170902] - Core - LDAP Information Disclosure
Posted: 19 Sep 2017 07:00 AM PDT
- Project: Joomla!
- SubProject: CMS
- Severity: Medium
- Versions: 1.5.0 through 3.7.5
- Exploit type: Information Disclosure
- Reported Date: 2017-July-27
- Fixed Date: 2017-September-19
- CVE Number: CVE-2017-14596
Description
Inadequate escaping in the LDAP authentication plugin can result in disclosure of username and password.
Affected Installs
Joomla! CMS versions 1.5.0 through 3.7.5
Solution
Upgrade to version 3.8.0
Contact
The JSST at the Joomla! Security Centre.
Reported By: Dr. Johannes Dahse, RIPS Technologies GmbH
The following post is being sent to customers tonight who use our advanced spam filtering add-on service provided by PostLayer:

Quote
Greetings from Charlottezweb!
 
You’re receiving this email as a customer who is using the Postlayer spam filtering service that we configured for your domain.
 
By now, you’ve likely received some emails from them around the conversion of their service to FuseMail, supported by Excel Micro.  
 
If not, here’s a quick summary:  PostLayer (the service you were/are using through Charlottezweb), was acquired a month or so back by a service called FuseMail.  FuseMail  (in North America) is managed by a company called Excel Micro.  You may have received emails directly from Excel Micro or FuseMail.  If not, I’ll give you a summary of what’s going on.
 
Essentially, PostLayer was acquired and FuseMail has been in the process of migrating PostLayer customers to their platform.
 
I ran into a few issues during conversion but I now have access to manage things on the new platform.  I will share more details in the next week or so as I learn more.
 
For now, you may notice that you’re starting to receive quarantine notifications from the address:  spamreport@mailanyone.net
 
This is a legitimate email from FuseMail that you’ll want to review for any emails that you want to release.  This is their version of the quarantine alerts you receive from PostLayer.   I’m hoping I can customize these emails a bit but for now, please make sure your mail client is set to accept them.
 
At some point in the near future, the PostLayer emails will cease.
 
A few side comments:  
 
I’ve heard good things on FuseMail but need to do research.  I would *truly* appreciate your feedback in the coming days/weeks on what your experience is with spam.  In other words, does the new solution work as well (if not better) than the old one?  Is it worse?  Any concerns?  Etc…
 
I’m a reseller with their offering as of now and they also offer Proofpoint (which is what I have setup on my @charlottezweb.com email).  It’s more expensive than PostLayer/FuseMail but works incredibly for me.  
 
I will continue to explore this platform to decide if this is our forward-model.
 
Your questions and feedback are most welcomed!

Cheers,
 Jason