Charlottezweb

Recent Posts

Script Chat / Joomla Security Notice :: September 20, 2017
« Last post by Jason on September 22, 2017, 04:25:11 PM »
Joomla has emailed a security announcement.  If you use Joomla for your site, please check your version and upgrade accordingly.

The announcement is available on their site here:

https://developer.joomla.org/security-centre.html

Quote
[20170901] - Core - Information Disclosure
Posted: 19 Sep 2017 07:00 AM PDT
- Project: Joomla!
- SubProject: CMS
- Severity: Low
- Versions: 3.7.0 through 3.7.5
- Exploit type: Information Disclosure
- Reported Date: 2017-August-4
- Fixed Date: 2017-September-19
- CVE Number: CVE-2017-14595
Description
A logic bug in a SQL query could lead to the disclosure of article intro texts when these articles are in the archived state.
Affected Installs
Joomla! CMS versions 3.7.0 through 3.7.5
Solution
Upgrade to version 3.8.0
Contact
The JSST at the Joomla! Security Centre.
Reported By: Michal Prochaczek
 

[20170902] - Core - LDAP Information Disclosure
Posted: 19 Sep 2017 07:00 AM PDT
- Project: Joomla!
- SubProject: CMS
- Severity: Medium
- Versions: 1.5.0 through 3.7.5
- Exploit type: Information Disclosure
- Reported Date: 2017-July-27
- Fixed Date: 2017-September-19
- CVE Number: CVE-2017-14596
Description
Inadequate escaping in the LDAP authentication plugin can result into a disclosure of username and password.
Affected Installs
Joomla! CMS versions 1.5.0 through 3.7.5
Solution
Upgrade to version 3.8.0
Contact
The JSST at the Joomla! Security Centre.
Reported By: Dr. Johannes Dahse, RIPS Technologies GmbH
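The LDAP advisory above comes down to escaping user-supplied values before they are placed inside a search filter. As an added example that is not Joomla's code, the Python below implements the RFC 4515 escaping rules and a small matcher that interprets the `(uid=...)` component of a filter the way a directory server would, over a constructed three-entry directory. It shows why an unescaped `*` in the username matches every account while the escaped form `\2a` matches only a literal asterisk. The function names and the sample directory are assumptions for the demonstration.

```python
import re

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Constructed sample directory (uids only) for the demonstration.
DIRECTORY = ["alice", "bob", "carol"]


def escape_ldap_filter_value(value: str) -> str:
    """Escape user input before it is placed inside an LDAP search filter (RFC 4515)."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def build_uid_filter_vulnerable(username: str) -> str:
    """Interpolates the raw username: '*', '(' and ')' keep their filter meaning."""
    return "(&(uid=%s)(objectClass=person))" % username


def build_uid_filter_safe(username: str) -> str:
    """Same filter, but every filter metacharacter in the username is escaped first."""
    return "(&(uid=%s)(objectClass=person))" % escape_ldap_filter_value(username)


def _assertion_to_regex(assertion: str) -> str:
    """Interpret an assertion value like a server: a raw '*' is a wildcard, \\XX is a literal byte."""
    parts = []
    i = 0
    while i < len(assertion):
        ch = assertion[i]
        if ch == "\\" and i + 2 < len(assertion):
            parts.append(re.escape(chr(int(assertion[i + 1:i + 3], 16))))
            i += 3
        elif ch == "*":
            parts.append(".*")
            i += 1
        else:
            parts.append(re.escape(ch))
            i += 1
    return "".join(parts)


def matching_uids(search_filter: str, directory=DIRECTORY) -> list:
    """Evaluate only the (uid=...) component of the filter against the sample directory."""
    m = re.search(r"\(uid=((?:\\[0-9a-fA-F]{2}|[^()\\])*)\)", search_filter)
    if m is None:
        return []
    pattern = _assertion_to_regex(m.group(1))
    return [uid for uid in directory if re.fullmatch(pattern, uid)]


if __name__ == "__main__":
    print(build_uid_filter_vulnerable("*"), matching_uids(build_uid_filter_vulnerable("*")))
    print(build_uid_filter_safe("*"), matching_uids(build_uid_filter_safe("*")))
```

In PHP code such as a CMS plugin the equivalent is `ldap_escape($value, '', LDAP_ESCAPE_FILTER)` (available since PHP 5.6); distinguished names that end up in a bind need `LDAP_ESCAPE_DN` instead, because the two contexts have different metacharacters.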
The following post is being sent to customers tonight who use our advanced spam filtering add-on service provided by PostLayer:

Quote
Greetings from Charlottezweb!
 
You're receiving this email as a customer who is using the Postlayer spam filtering service that we configured for your domain.

By now, you've likely received some emails from them around the conversion of their service to FuseMail, supported by Excel Micro.

If not, here's a quick summary:  PostLayer (the service you were/are using through Charlottezweb), was acquired a month or so back by a service called FuseMail.  FuseMail (in North America) is managed by a company called Excel Micro.  You may have received emails directly from Excel Micro or FuseMail.  If not, I'll give you a summary of what's going on.

Essentially, PostLayer was acquired and FuseMail has been in the process of migrating PostLayer customers to their platform.

I ran into a few issues during conversion but I now have access to manage things on the new platform.  I will share more details in the next week or so as I learn more.

For now, you may notice that you're starting to receive quarantine notifications from the address:  spamreport@mailanyone.net

This is a legitimate email from FuseMail that you'll want to review for any emails that you want to release.  This is their version of the quarantine alerts you receive from PostLayer.  I'm hoping I can customize these emails a bit but for now, please make sure your mail client is set to accept them.

At some point in the near future, the PostLayer emails will cease.

A few side comments:

I've heard good things on FuseMail but need to do research.  I would *truly* appreciate your feedback in the coming days/weeks on what your experience is with spam.  In other words, does the new solution work as well (if not better) than the old one?  Is it worse?  Any concerns?  Etc.

I'm a reseller with their offering as of now and they also offer Proofpoint (which is what I have setup on my @charlottezweb.com email).  It's more expensive than PostLayer/FuseMail but works incredibly for me.
 
I will continue to explore this platform to decide if this is our forward-model.
 
Your questions and feedback are most welcomed!

Cheers,
 Jason
Script Chat / Joomla Security Notice :: July 5, 2017
« Last post by Jason on July 07, 2017, 06:21:42 PM »
Joomla has emailed a security announcement.  If you use Joomla for your site, please check your version and upgrade accordingly.

The announcement is available on their site here:

https://developer.joomla.org/security-centre.html


Quote
Joomla! Security News

________________________________________
•    [20170701] - Core - Information Disclosure
•    [20170702] - Core - XSS Vulnerability
•    [20170703] - Core - XSS Vulnerability
[20170701] - Core - Information Disclosure
Posted: 04 Jul 2017 05:00 AM PDT
-  Project: Joomla!
-  SubProject: CMS
-  Severity: High
-  Versions: 1.7.3 - 3.7.2
-  Exploit type: Information Disclosure
-  Reported Date: 2016-Feb-05
-  Fixed Date: 2017-July-04
-  CVE Number: CVE-2017-9933
Description
Improper cache invalidation leads to disclosure of form contents.
Affected Installs
Joomla! CMS versions 1.7.3-3.7.2
Solution
Upgrade to version 3.7.3
Contact
The JSST at the Joomla! Security Centre.
Reported By: Jeff Channell
 
 

[20170702] - Core - XSS Vulnerability
Posted: 04 Jul 2017 05:00 AM PDT
-  Project: Joomla!
-  SubProject: CMS
-  Severity: High
-  Versions: 1.7.3 - 3.7.2
-  Exploit type: XSS
-  Reported Date: 2017-June-04
-  Fixed Date: 2017-July-04
-  CVE Number: CVE-2017-9934
Description
Missing CSRF token checks and improper input validation lead to an XSS vulnerability.
Affected Installs
Joomla! CMS versions 1.7.3-3.7.2
Solution
Upgrade to version 3.7.3
Contact
The JSST at the Joomla! Security Centre.
Reported By: Envo
 
 

[20170703] - Core - XSS Vulnerability
Posted: 04 Jul 2017 05:00 AM PDT
-  Project: Joomla!
-  SubProject: CMS
-  Severity: Low
-  Versions: 1.5.0 through 3.7.2
-  Exploit type: XSS
-  Reported Date: 2017-June-22
-  Fixed Date: 2017-July-04
-  CVE Number: CVE-2017-7985
Description
Inadequate filtering of multibyte characters leads to XSS vulnerabilities in various components.
Affected Installs
Joomla! CMS versions 1.5.0 through 3.6.5
Solution
Upgrade to version 3.7.3
Contact
The JSST at the Joomla! Security Centre.
Reported By: Fortinet's FortiGuard Labs
Server Updates & Outages / Re: Imunify360 added to all servers - June 2017
« Last post by Jason on June 12, 2017, 06:39:52 PM »
Greetings,

I wanted to clarify a few points as I've had customers reach out with questions today.  :)

We run ModSecurity on all of our servers and have had that in place for at least 1-2 years.  

Imunify360 uses ModSecurity for a *part* of what it does but it works on top of it.  For example, if ModSecurity blocks a function on your site that it thinks is suspicious, Imunify360 may display a warning message and/or an option to unblock yourself.  This isn't Imunify360 blocking you, it's ModSecurity.

That being said, I think Imunify360 (or perhaps ModSec) is driving a more aggressive set of security rules.  I've had to whitelist a lot of rules in the past few days that weren't an issue previously.

If you experience any errors in your website that you didn't have before (for example, updating your site via WordPress), please reach out to me.

I appreciate your patience as we try to optimize this solution.  I know it's frustrating when things don't work as expected but I'm hopeful that the security provided by these solutions will outweigh the issues we may see upfront.

Regards,
Jason
News & Announcements / Charlottezweb deploys Imunify360
« Last post by Jason on June 11, 2017, 04:55:57 PM »
Please visit this thread to learn more: https://www.charlottezweb.com/forums/index.php?topic=2121.0

Server Updates & Outages / Imunify360 added to all servers - June 2017
« Last post by Jason on June 11, 2017, 04:55:02 PM »
June 2017:  Charlottezweb announces Imunify360 deployment.

I'm pleased to announce that Charlottezweb has now deployed Imunify360 to all our shared servers.

I will create a new page on our site as part of our website relaunch in the next 1-2 months with full details but if you're interested now, please visit their site to read full details:

http://imunify360.com/

Cheers,
Jason
Script Chat / Joomla Security Notice :: May 18, 2017
« Last post by Jason on May 18, 2017, 08:26:45 PM »
Joomla has emailed a security announcement.  If you use Joomla for your site, please check your version and upgrade accordingly.

The announcement is available on their site here:

https://developer.joomla.org/security-centre.html


Joomla! Security News


[20170501] - Core - SQL Injection
Posted: 17 May 2017 07:00 AM PDT
Project: Joomla!
SubProject: CMS
Severity: High
Versions: 3.7.0
Exploit type: SQL Injection
Reported Date: 2017-May-11
Fixed Date: 2017-May-17
CVE Number: CVE-2017-8917

Description
Inadequate filtering of request data leads to a SQL Injection vulnerability.

Affected Installs
Joomla! CMS versions 3.7.0

Solution
Upgrade to version 3.7.1

Contact
The JSST at the Joomla! Security Centre.
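The May advisory describes the bug class only as "inadequate filtering of request data". As an added example that is not Joomla's code, the Python below builds the same lookup twice against an in-memory SQLite table of constructed rows: once by concatenating the request value into the SQL text, once with a type check and a bound parameter. It also covers the one place where parameters cannot help, an identifier such as a sort column, which has to be allow-listed instead. Table, column and function names are assumptions for the demonstration.

```python
import sqlite3


# Constructed sample table for the demonstration; not Joomla's schema.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, state INTEGER)")
    conn.executemany(
        "INSERT INTO articles (title, state) VALUES (?, ?)",
        [("Public post", 1), ("Draft post", 0), ("Archived post", 2)],
    )
    return conn


def titles_vulnerable(conn, state_param: str) -> list:
    """Request data concatenated into SQL: a value like '1 OR 1=1' rewrites the WHERE clause."""
    sql = "SELECT title FROM articles WHERE state = " + state_param
    return [row[0] for row in conn.execute(sql)]


def titles_safe(conn, state_param: str) -> list:
    """Validate the type, then bind the value; the driver never interprets it as SQL."""
    state = int(state_param)  # raises ValueError for '1 OR 1=1' instead of running it
    rows = conn.execute("SELECT title FROM articles WHERE state = ?", (state,))
    return [row[0] for row in rows]


ALLOWED_SORT_COLUMNS = {"id", "title"}


def titles_sorted(conn, sort_column: str) -> list:
    """Identifiers cannot be bound as parameters, so accept only allow-listed column names."""
    if sort_column not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unsupported sort column: %r" % sort_column)
    rows = conn.execute("SELECT title FROM articles ORDER BY " + sort_column)
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", titles_vulnerable(db, "1 OR 1=1"))
    print("safe:", titles_safe(db, "1"))
    print("sorted:", titles_sorted(db, "title"))
```

The allow-list is the part most often skipped: escaping a column name does nothing, since it is not a string literal, and any value not in the fixed set has to be rejected outright.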
Script Chat / SMF 2.0.14 Released :: May 14, 2017
« Last post by Jason on May 14, 2017, 08:13:20 PM »
Please visit SMF's release post from tonight:

https://www.simplemachines.org/community/index.php?topic=553855


Quote
Dear Members,

Simple Machines Forum has released a new patch to the 2.0.x line, bringing our latest release version to 2.0.14.

This patch adds both security and general maintenance fixes to your forum, so it is imperative that you install this patch quickly. You can view the changelog for this release, per usual, on the downloads page.

The quick summary of changes is as follows:
  • Added PHP 7 support.
  • Ported image proxy support from SMF 2.1.
  • Also added HTTPS for avatars.
  • Accept email addresses with long TLDs.
  • See the changelog for more.

If you are running version 2.0.13, you can upgrade your forum to the latest version by using the package manager. As usual, you should see the upgrade notification in the admin panel notifications and in the package manager, which will allow you to download and install the patch seamlessly.  If you do not see the notification about the upgrade patch, please run the scheduled task "Fetch Simple Machines files" from the Scheduled Tasks page (Admin > Maintenance > Scheduled Tasks > Fetch Simple Machines Files (check the "Run Now" checkbox and click the "Run Now" button)).

If you use older versions of SMF, you can upgrade directly to 2.0.14 from whichever version you are currently using by using the "full upgrade" archive from the downloads page. Be aware that using this upgrade method will require you to reinstall any customizations that you have added to your forum, so if you are running a version of the 2.0.x series, it is recommended that you apply the successive patches instead of using the full upgrade.

Please do not use this topic for support requests.
You will receive a much quicker and better response by posting in the 2.0.x Support Board or the Install and Upgrade Help board.


If you are having problems downloading the patch from the admin panel, you can download the patch package from the upgrade patches page and install it via the package manager, as you would any other mod package.

Please refer to the Online Manual for more details about:

Thank you for using SMF!

Regards,
Simple Machines Forum Team

I'd like to add a few updates after playing around with this a bit today.

Several customers (including myself) have purchased/installed new WordFence Premium licenses today which is very exciting.  I'll keep adding to this post but here are a few initial thoughts:

1. The process itself is super simple.  If you're already using the free version of WordFence (which, again, I recommend all WordPress users should do at minimum), it's a matter of going to the WordFence Options page and replacing the "API Key" with the new premium key.  You save, refresh the page and then you're good to go with newly-activated Premium features.

2. I have added an item to our shopping cart (click here for a direct link) if you'd like to purchase this.  If you'd like to order in bulk or have questions, please contact me.  

3. As mentioned above, the Premium option enables "Cell Phone Sign In."  I'd like to expand on this for purposes of understanding.  What this feature does is enable you to require the addition of a single-use code sent to your phone on top of your password in order to login to your WordPress Admin area. This is something I am exploring for the Client Area of Charlottezweb.com as well as an option you can enable.  This means that even if someone had your password due to some sort of virus, hack, or compromise, they wouldn't be able to login as you without physically having your phone where the codes get continuously updated every minute.  

I enabled this on one of my sites today via WordFence and it's great.  To be transparent however, this means that you'd have to have your cell phone with you and you'd need to install Google Authenticator (or a similar app) on your phone.  I already use this for logging into several sites/systems so this was a no-brainer for me but if you've never done this before, it may be something you want to think about.  Ultimately, it adds another layer of protection for you that's going to help keep your site even more secured if you opt to go that route.  All of this being said, there are free plugins from what I'm seeing that can integrate this into WordPress but this is one option that WordFence Premium offers built-in without needing to configure anything.  It also offers the ability to set it up on a user-by-user basis if you so choose.

More details to come as I keep exploring the Premium options.  So far they look great.

Regards,
Jason
News & Announcements / WordFence Premium licenses available at 35% Off
« Last post by Jason on May 03, 2017, 09:37:47 PM »
Charlottezweb is now offering WordFence Premium licenses. 

Please visit this post for full details.

https://www.charlottezweb.com/forums/index.php?topic=2117.0