Potential Security Issue in 2.1.4 and earlier versions.


This topic contains 7 replies, has 3 voices, and was last updated by helpcenterlive 7 years, 3 months ago.

  • #190

    helpcenterlive
    Keymaster

    It appears that there may be a security issue with certain administrative files on all recent versions of HCL.  We are aware of the issue, and are working to expedite a fix for these issues.  I should have at least a hotfix tonight, and a new version up in a few days with the security patch installed on the sourceforge page. This issue is detailed here and may cause the admin to be locked out, or for your HCL install to be hacked.  Until the hotfix is released (in the next few hours) I recommend putting an .htaccess in your admin folder such as this:

    Code:
    Order Deny,Allow
    Deny from all
    Allow from 000.000.000.000

    Change the 000.000.000.000 to your IP address.  If you need multiple addresses then separate each address with a space. This is only necessary until the hotfix is released; again, this should be sometime this morning (Friday, August 17th). Remember, if you hear of ANY security related issue with HCL, please, please, please let us know.  These types of issues can cause serious repercussions for others.
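The same IP restriction written out for both Apache generations, as an added example that is not part of the original post: the 2.2 form used above, and the 2.4 equivalent (`Require ip`), since `Order`/`Deny`/`Allow` only work on 2.4 through mod_access_compat. Assumptions: the file path is hcl/admin/.htaccess (the admin folder name is not confirmed by the thread), the addresses are documentation-range placeholders to be replaced with your own, and the vhost permits overrides (`AllowOverride Limit` or `All`); this is an Apache-only measure, IIS ignores .htaccess entirely.

```apacheconf
# Constructed example: save as hcl/admin/.htaccess (path assumed, use your
# actual admin directory). Without "AllowOverride Limit" (or All) for this
# directory in the server config, Apache silently ignores this file.

# Apache 2.2: evaluate Deny first, then Allow, so only listed IPs get through.
# On 2.4 mod_authz_core exists, so this block is skipped there.
<IfModule !mod_authz_core.c>
    Order Deny,Allow
    Deny from all
    # Replace with your own address(es); separate several with spaces.
    # CIDR ranges are accepted as well.
    Allow from 203.0.113.10 198.51.100.0/24
</IfModule>

# Apache 2.4: same policy with the native authorization directive.
<IfModule mod_authz_core.c>
    Require ip 203.0.113.10 198.51.100.0/24
</IfModule>
```

Test from an address that is not listed and confirm you receive a 403 before relying on it; a misplaced file or a missing AllowOverride leaves the admin folder open with no visible error.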

  • #2294

    helpcenterlive
    Keymaster

    Here is the hotfix file, which I shall be posting on the portal page in a few minutes; simply extract the auth.php file from the archive and replace the hcl/class/auth.php on your webserver. NOTE:  This hotfix is untested at this time, and while it should cause no problems, there may be issues with it. Frankly the fix involved adding one line to the auth.php code, a simple exit statement appears to have been missing.  Please, if you're using 2.1.2, 2.1.3, 2.1.3a, or 2.1.4, replace the auth.php with the one attached to this message.  Again, remember, if you spot even a suspected vulnerability, please at least PM me a message about it, or post on the forums here.  I'd rather chase a few wild geese than have even one vulnerability out in the wild. :) Edit: Doh, I forgot to add the file...

  • #2295

    helpcenterlive
    Keymaster

    As a further note, I'll be releasing another version (2.1.5) this weekend or Monday. Because of the potential of this security fix, I'd rather bump another version number due to it.

  • #2296

    helpcenterlive
    Keymaster

    You should hurry up since Windows IIS is not able to read those fucking .htaccess files.. No really, take your time :)

  • #2297

    helpcenterlive
    Keymaster

    Hehehe, I was just working on the transcript garbling issue. I'll either get it today or not; either way I'm pushing 2.1.5 out the door since I don't like the current release having a security issue.

  • #2298

    victor
    Member

    great, so we must wait for 2.1.5 correction… do you have any tentative date of release for it? thanks!  :)

  • #2299

    helpcenterlive
    Keymaster

    Should be this morning sometime.

  • #2300

    helpcenterlive
    Keymaster

    Ok, might be just a tad longer; the route to my datacenter is down, the ISP knows about it, now I just have to wait until it's back up.  This is where the SVN is stored and I've never had an issue like this before, so we just need to be patient.  I'm going to take the uncommitted sources and work on the demo site here in the meantime.
