Charlottezweb

Recent Posts

Script Chat / SMF 2.0.15 Released :: November 20, 2017
« Last post by Jason on November 22, 2017, 09:51:10 PM »
Please visit SMF's release post on Nov 20:

https://www.simplemachines.org/community/index.php?topic=557176

Quote
Dear Members,

Simple Machines Forum has released a new patch to the 2.0.x line, bringing our latest release version to 2.0.15.

This patch adds both important security and general maintenance fixes to your forum, so it is imperative that you install this patch quickly.
You can view the changelog for this release, per usual, on the downloads page.

The quick summary of changes is as follows:

  • A security issue reported by Daniel Le Gall from SCRT SA
  • Various bug fixes with Proxy handler
  • Login fixes for SSI and Maintenance mode
  • Various Search fixes
  • Email handling issue fixed when using SendTopic
  • Fixed SM Stat collection and added opt in/out functionality to the Admin Panel


Please see the changelog for more information.

If you are running version 2.0.14, you can update your forum to the latest version by using the package manager. As usual, you should see the update notification in the admin panel notifications and in the package manager, which will allow you to download and install the patch seamlessly.  If you do not see the notification about the patch, please run the scheduled task "Fetch Simple Machines files" from the Scheduled Tasks page (Admin > Maintenance > Scheduled Tasks > Fetch Simple Machines Files (check the "Run Now" checkbox and click the "Run Now" button)).

If you use older versions of SMF, you can upgrade directly to 2.0.15 from whichever version you are currently using by using the "full upgrade" archive from the downloads page. Be aware that using this upgrade method will require you to reinstall any customizations that you have added to your forum, so if you are running a version of the 2.0.x series, it is recommended that you apply the successive patches instead of using the full upgrade.
Script Chat / Joomla Security Notice :: November 9, 2017
« Last post by Jason on November 10, 2017, 10:05:23 AM »
Joomla has emailed a security announcement.  If you use Joomla for your site, please check your version and upgrade accordingly.

The announcement is available on their site here:

https://developer.joomla.org/security-centre.html


Quote
Joomla! Security News

•    [20171103] - Core - Information Disclosure
•    [20171102] - Core - 2-factor-authentication bypass
•    [20171101] - Core - LDAP Information Disclosure
[20171103] - Core - Information Disclosure
Posted: 07 Nov 2017 07:00 AM PST
- Project: Joomla!
- SubProject: CMS
- Severity: Low
- Versions: 3.7.0 through 3.8.1
- Exploit type: Information Disclosure
- Reported Date: 2017-May-17
- Fixed Date: 2017-November-07
- CVE Number: CVE-2017-16633
Description
A logic bug in com_fields exposed read-only information about a site's custom fields to unauthorized users.
Affected Installs
Joomla! CMS versions 3.7.0 through 3.8.1
Solution
Upgrade to version 3.8.2
Contact
The JSST at the Joomla! Security Centre.
Reported By: Internal JSST audit
[20171102] - Core - 2-factor-authentication bypass
Posted: 07 Nov 2017 07:00 AM PST
- Project: Joomla!
- SubProject: CMS
- Severity: Medium
- Versions: 3.2.0 through 3.8.1
- Exploit type:
- Reported Date: 2017-October-31
- Fixed Date: 2017-November-07
- CVE Number: CVE-2017-16634
Description
A bug allowed third parties to bypass a user's 2-factor-authentication method.
Affected Installs
Joomla! CMS versions 3.2.0 through 3.8.1
Solution
Upgrade to version 3.8.2
Contact
The JSST at the Joomla! Security Centre.
Reported By: Yarince
[20171101] - Core - LDAP Information Disclosure
Posted: 07 Nov 2017 07:00 AM PST
- Project: Joomla!
- SubProject: CMS
- Severity: Medium
- Versions: 1.5.0 through 3.8.1
- Exploit type: Information Disclosure
- Reported Date: 2017-October-06
- Fixed Date: 2017-November-07
- CVE Number: CVE-2017-14596
Description
Inadequate escaping in the LDAP authentication plugin can result in disclosure of username and password.
Affected Installs
Joomla! CMS versions 1.5.0 through 3.8.1
Solution
Upgrade to version 3.8.2
Contact
The JSST at the Joomla! Security Centre.
Reported By: Dr. Johannes Dahse, RIPS Technologies GmbH

Script Chat / Joomla Security Notice :: September 20, 2017
« Last post by Jason on September 22, 2017, 04:25:11 PM »
Joomla has emailed a security announcement.  If you use Joomla for your site, please check your version and upgrade accordingly.

The announcement is available on their site here:

https://developer.joomla.org/security-centre.html

Quote
[20170901] - Core - Information Disclosure
Posted: 19 Sep 2017 07:00 AM PDT
- Project: Joomla!
- SubProject: CMS
- Severity: Low
- Versions: 3.7.0 through 3.7.5
- Exploit type: Information Disclosure
- Reported Date: 2017-August-4
- Fixed Date: 2017-September-19
- CVE Number: CVE-2017-14595
Description
A logic bug in a SQL query could lead to the disclosure of article intro texts when these articles are in the archived state.
Affected Installs
Joomla! CMS versions 3.7.0 through 3.7.5
Solution
Upgrade to version 3.8.0
Contact
The JSST at the Joomla! Security Centre.
Reported By: Michal Prochaczek
[20170902] - Core - LDAP Information Disclosure
Posted: 19 Sep 2017 07:00 AM PDT
- Project: Joomla!
- SubProject: CMS
- Severity: Medium
- Versions: 1.5.0 through 3.7.5
- Exploit type: Information Disclosure
- Reported Date: 2017-July-27
- Fixed Date: 2017-September-19
- CVE Number: CVE-2017-14596
Description
Inadequate escaping in the LDAP authentication plugin can result in disclosure of username and password.
Affected Installs
Joomla! CMS versions 1.5.0 through 3.7.5
Solution
Upgrade to version 3.8.0
Contact
The JSST at the Joomla! Security Centre.
Reported By: Dr. Johannes Dahse, RIPS Technologies GmbH
The following post is being sent to customers tonight who use our advanced spam filtering add-on service provided by PostLayer:

Quote
Greetings from Charlottezweb!

You’re receiving this email as a customer who is using the Postlayer spam filtering service that we configured for your domain.

By now, you’ve likely received some emails from them around the conversion of their service to FuseMail, supported by Excel Micro.

If not, here’s a quick summary: PostLayer (the service you were/are using through Charlottezweb) was acquired a month or so back by a service called FuseMail. FuseMail (in North America) is managed by a company called Excel Micro. You may have received emails directly from Excel Micro or FuseMail. If not, I’ll give you a summary of what’s going on.

Essentially, PostLayer was acquired and FuseMail has been in the process of migrating PostLayer customers to their platform.

I ran into a few issues during conversion but I now have access to manage things on the new platform. I will share more details in the next week or so as I learn more.

For now, you may notice that you’re starting to receive quarantine notifications from the address: spamreport@mailanyone.net

This is a legitimate email from FuseMail that you’ll want to review for any emails that you want to release. This is their version of the quarantine alerts you receive from PostLayer. I’m hoping I can customize these emails a bit but for now, please make sure your mail client is set to accept them.

At some point in the near future, the PostLayer emails will cease.

A few side comments:

I’ve heard good things on FuseMail but need to do research. I would *truly* appreciate your feedback in the coming days/weeks on what your experience is with spam. In other words, does the new solution work as well (if not better) than the old one? Is it worse? Any concerns? Etc…

I’m a reseller with their offering as of now and they also offer Proofpoint (which is what I have set up on my @charlottezweb.com email). It’s more expensive than PostLayer/FuseMail but works incredibly well for me.

I will continue to explore this platform to decide if this is our forward model.

Your questions and feedback are most welcome!

Cheers,
Jason
Script Chat / Joomla Security Notice :: July 5, 2017
« Last post by Jason on July 07, 2017, 06:21:42 PM »
Joomla has emailed a security announcement.  If you use Joomla for your site, please check your version and upgrade accordingly.

The announcement is available on their site here:

https://developer.joomla.org/security-centre.html


Quote
Joomla! Security News

•    [20170701] - Core - Information Disclosure
•    [20170702] - Core - XSS Vulnerability
•    [20170703] - Core - XSS Vulnerability
[20170701] - Core - Information Disclosure
Posted: 04 Jul 2017 05:00 AM PDT
-  Project: Joomla!
-  SubProject: CMS
-  Severity: High
-  Versions: 1.7.3 - 3.7.2
-  Exploit type: Information Disclosure
-  Reported Date: 2016-Feb-05
-  Fixed Date: 2017-July-04
-  CVE Number: CVE-2017-9933
Description
Improper cache invalidation leads to disclosure of form contents.
Affected Installs
Joomla! CMS versions 1.7.3-3.7.2
Solution
Upgrade to version 3.7.3
Contact
The JSST at the Joomla! Security Centre.
Reported By: Jeff Channell
[20170702] - Core - XSS Vulnerability
Posted: 04 Jul 2017 05:00 AM PDT
-  Project: Joomla!
-  SubProject: CMS
-  Severity: High
-  Versions: 1.7.3 - 3.7.2
-  Exploit type: XSS
-  Reported Date: 2017-June-04
-  Fixed Date: 2017-July-04
-  CVE Number: CVE-2017-9934
Description
Missing CSRF token checks and improper input validation lead to an XSS vulnerability.
Affected Installs
Joomla! CMS versions 1.7.3-3.7.2
Solution
Upgrade to version 3.7.3
Contact
The JSST at the Joomla! Security Centre.
Reported By: Envo
[20170703] - Core - XSS Vulnerability
Posted: 04 Jul 2017 05:00 AM PDT
-  Project: Joomla!
-  SubProject: CMS
-  Severity: Low
-  Versions: 1.5.0 through 3.7.2
-  Exploit type: XSS
-  Reported Date: 2017-June-22
-  Fixed Date: 2017-July-04
-  CVE Number: CVE-2017-7985
Description
Inadequate filtering of multibyte characters leads to XSS vulnerabilities in various components.
Affected Installs
Joomla! CMS versions 1.5.0 through 3.6.5
Solution
Upgrade to version 3.7.3
Contact
The JSST at the Joomla! Security Centre.
Reported By: Fortinet's FortiGuard Labs
Server Updates & Outages / Re: Imunify360 added to all servers - June 2017
« Last post by Jason on June 12, 2017, 06:39:52 PM »
Greetings,

I wanted to clarify a few points as I've had customers reach out with questions today.  :)

We run ModSecurity on all of our servers and have had that in place for at least 1-2 years.  

Imunify360 uses ModSecurity for a *part* of what it does but it works on top of it.  For example, if ModSecurity blocks a function on your site that it thinks is suspicious, Imunify360 may display a warning message and/or an option to unblock yourself.  This isn't Imunify360 blocking you, it's ModSecurity.

That being said, I think Imunify360 (or perhaps ModSec) is driving a more aggressive set of security rules.  I've had to whitelist a lot of rules in the past few days that weren't an issue previously.

If you experience any errors in your website that you didn't have before (for example, updating your site via WordPress), please reach out to me.

I appreciate your patience as we try to optimize this solution.  I know it's frustrating when things don't work as expected but I'm hopeful that the security provided by these solutions will outweigh the issues we may see upfront.

Regards,
Jason
News & Announcements / Charlottezweb deploys Imunify360
« Last post by Jason on June 11, 2017, 04:55:57 PM »
Please visit this thread to learn more: https://www.charlottezweb.com/forums/index.php?topic=2121.0

Server Updates & Outages / Imunify360 added to all servers - June 2017
« Last post by Jason on June 11, 2017, 04:55:02 PM »
June 2017:  Charlottezweb announces Imunify360 deployment.

I'm pleased to announce that Charlottezweb has now deployed Imunify360 to all our shared servers.

I will create a new page on our site as part of our website relaunch in the next 1-2 months with full details but if you're interested now, please visit their site to read full details:

http://imunify360.com/

Cheers,
Jason
Script Chat / Joomla Security Notice :: May 18, 2017
« Last post by Jason on May 18, 2017, 08:26:45 PM »
Joomla has emailed a security announcement.  If you use Joomla for your site, please check your version and upgrade accordingly.

The announcement is available on their site here:

https://developer.joomla.org/security-centre.html


Joomla! Security News


[20170501] - Core - SQL Injection
Posted: 17 May 2017 07:00 AM PDT
Project: Joomla!
SubProject: CMS
Severity: High
Versions: 3.7.0
Exploit type: SQL Injection
Reported Date: 2017-May-11
Fixed Date: 2017-May-17
CVE Number: CVE-2017-8917

Description
Inadequate filtering of request data leads to a SQL Injection vulnerability.

Affected Installs
Joomla! CMS versions 3.7.0

Solution
Upgrade to version 3.7.1

Contact
The JSST at the Joomla! Security Centre.
Script Chat / SMF 2.0.14 Released :: May 14, 2017
« Last post by Jason on May 14, 2017, 08:13:20 PM »
Please visit SMF's release post from tonight:

https://www.simplemachines.org/community/index.php?topic=553855


Quote
Dear Members,

Simple Machines Forum has released a new patch to the 2.0.x line, bringing our latest release version to 2.0.14.

This patch adds both security and general maintenance fixes to your forum, so it is imperative that you install this patch quickly. You can view the changelog for this release, per usual, on the downloads page.

The quick summary of changes is as follows:
  • Added PHP 7 support.
  • Ported image proxy support from SMF 2.1.
  • Also added HTTPS for avatars.
  • Accept email addresses with long TLDs.
  • See the changelog for more.

If you are running version 2.0.13, you can upgrade your forum to the latest version by using the package manager. As usual, you should see the upgrade notification in the admin panel notifications and in the package manager, which will allow you to download and install the patch seamlessly.  If you do not see the notification about the upgrade patch, please run the scheduled task "Fetch Simple Machines files" from the Scheduled Tasks page (Admin > Maintenance > Scheduled Tasks > Fetch Simple Machines Files (check the "Run Now" checkbox and click the "Run Now" button)).

If you use older versions of SMF, you can upgrade directly to 2.0.14 from whichever version you are currently using by using the "full upgrade" archive from the downloads page. Be aware that using this upgrade method will require you to reinstall any customizations that you have added to your forum, so if you are running a version of the 2.0.x series, it is recommended that you apply the successive patches instead of using the full upgrade.

Please do not use this topic for support requests.
You will receive a much quicker and better response by posting in the 2.0.x Support Board or the Install and Upgrade Help board.


If you are having problems downloading the patch from the admin panel, you can download the patch package from the upgrade patches page and install it via the package manager, as you would any other mod package.

Please refer to the Online Manual for more details about:

Thank you for using SMF!

Regards,
Simple Machines Forum Team