[ SECURITY UPDATE ] - Please Read

HeadShot Extreme -> News

#1: [ SECURITY UPDATE ] - Please Read
Author: [HSX]coRpSE | Location: Back of your mind!!! | Posted: Mon Apr 24, 2023 12:36 pm


Before we start, some things to know first:


Okay, a few days ago, while working on a security update that I was thinking of for the next release, I found a security vulnerability within the CMS that I felt needed immediate attention. Luckily, the update that I was testing and working on, which led me to the problem, was also the fix. I told Lonestar of the issue and gave him step-by-step instructions on how to do it, and he was even surprised by it. I passed off what I was working on and how it took me to the bug, and he took it from there and, following a similar path to what I was doing, came up with the solution we are using ATM.

As I said above, I cannot go into details on exactly what it is, but I do have some instructions for you guys on here to secure up your site.

  1. If you didn't log in when you came to my site here to read this, please log out.
  2. Log back into the site and that's it.


I know, we made it difficult to secure yourself.
If you have any issues logging back in, feel free to contact me either on Lonestar's site, Evo Xtreme's site, or TS3, Discord, or email me at [email hidden; login required].


Also, another update that comes with the fix we are testing: you can now log in using either your username or your email. You are no longer bound to just using your username.

#2: Re: [ SECURITY UPDATE ] - Please Read
Author: [HSX]coRpSE | Location: Back of your mind!!! | Posted: Mon Apr 24, 2023 3:01 pm
Okay, a bit of an update. If you have accounts on our site here, [link hidden; login required], or [link hidden; login required], both of the sites have been updated with the fix and all you need to do is log out and log back in.

Also, I contacted RN administration about this yesterday, and I have informed TheGhost over at Titanium about this security exploit, and it is up to them to take the necessary steps for their systems. I have told them what we did to address the situation, and it's up to them to follow through with a fix.
Last edited by coRpSE on Fri Jun 16, 2023 10:30 am; edited 1 time in total

#3: Re: [ SECURITY UPDATE ] - Please Read
Author: EmeraldDragon | Location: Vancouver, WA | Posted: Tue May 02, 2023 11:20 am
> coRpSE wrote:
> It may be spread to the basic PHPNuke

All (if not most) of the CMS derived from PHPNuke that currently have this issue include Dragonfly CMS. I am pretty sure it is the code base for PHPNuke that is causing the problem with this vulnerability. That's just my thought.

#4: Re: [ SECURITY UPDATE ] - Please Read
Author: [HSX]coRpSE | Location: Back of your mind!!! | Posted: Tue May 02, 2023 12:05 pm
> EmeraldDragon wrote:
> > coRpSE wrote:
> > It may be spread to the basic PHPNuke
>
> All (if not most) of the CMS derived from PHPNuke that currently have this issue include Dragonfly CMS. I am pretty sure it is the code base for PHPNuke that is causing the problem with this vulnerability. That's just my thought.

I did check the most recent version of PhpNuke that I could find and yes, this exploit is there.
Without going into too many details on the exploit I found, this vulnerability would require someone to do a cookie hijacking against you, and once they had your cookie, with a little bit of work, they "could" get your password using a dictionary/brute force attack. There is a chance they wouldn't get it, but the steps I gave to Lonestar to do it were enough for us to put this out there to warn people, especially these other systems that are using Nuke as their base, so they can get a fix out there for their community.

Since this requires someone to do a cookie hijacking, that is why in the Q&A I did, I said it was "very serious" and "not very". Very, because they can get in and get your password; not very, because they would first need to do a cookie hijacking. Well, looks like our fix works. The other systems have been notified, but it will be up to them to fix it.
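The remediation described in this post (log out and log back in) together with the username-or-email login from the first post is what a server-side session design gives you: the cookie carries only an opaque random token, so a hijacked cookie exposes nothing that can be brute-forced offline, and every re-login invalidates all earlier tokens. The following is an added Python sketch, not code from Dragonfly CMS, PHPNuke or HeadShot Extreme; the user table, the credentials and the in-memory session store are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time
SESSION_TTL = 3600  # seconds a session cookie stays valid (constructed value)

def hash_password(password, salt):
    # Salted scrypt digest; nothing derived from it is ever placed in a cookie.
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
# Constructed stand-in for the CMS user table (assumption: the real CMS uses SQL).
_SALT = secrets.token_bytes(16)
USERS = {"corpse": {"email": "corpse@example.invalid", "salt": _SALT,
                    "pw": hash_password("not-the-real-password", _SALT)}}
SESSIONS = {}  # sha256(token) -> {"user": name, "expires": unix time}
def _key(token):
    return hashlib.sha256(token.encode()).hexdigest()
def find_user(identifier):
    # Resolve by username OR e-mail, as the thread's updated login allows.
    ident = identifier.strip().lower()
    for name, rec in USERS.items():
        if ident in (name, rec["email"].lower()):
            return name
    return None

def revoke_all_sessions(username):
    # Drop every session of this user; any hijacked cookie dies with them.
    for key in [k for k, v in SESSIONS.items() if v["user"] == username]:
        del SESSIONS[key]

def login(identifier, password):
    # Verify the password, rotate all sessions, return a fresh opaque token.
    username = find_user(identifier)
    if username is None:
        return None
    rec = USERS[username]
    if not hmac.compare_digest(hash_password(password, rec["salt"]), rec["pw"]):
        return None
    revoke_all_sessions(username)
    token = secrets.token_urlsafe(32)  # random; carries nothing about the password
    SESSIONS[_key(token)] = {"user": username, "expires": time.time() + SESSION_TTL}
    return token

def resolve_session(token):
    # Map a cookie value to its user, or None if unknown, revoked or expired.
    rec = SESSIONS.get(_key(token))
    if rec is None or rec["expires"] < time.time():
        return None
    return rec["user"]

def logout(token):
    SESSIONS.pop(_key(token), None)
```

Because only a hash of each token is stored, a dump of the session table is as useless to an attacker as a stolen cookie is after the user logs back in.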

#5: Re: [ SECURITY UPDATE ] - Please Read
Author: PullMyFinger | Posted: Wed May 17, 2023 7:19 pm
Any idea when you will be releasing the fix? Are you releasing it separately or in the next release only?

#6: Re: [ SECURITY UPDATE ] - Please Read
Author: [HSX]coRpSE | Location: Back of your mind!!! | Posted: Wed May 17, 2023 7:26 pm
It will not be a separate thing. We are going to release it with the next release.
As for when, well, once Lonestar finishes up with some of the changes he wants done, then we need to do some testing before we make it public. If we have to learn anything from the last release, it's that we can't skip the testing, and we need more than just the two of us.

#7: Re: [ SECURITY UPDATE ] - Please Read
Author: The-UnXpLaiNeD | Posted: Sun Jun 11, 2023 9:33 am
Any chance you can release this patch separately for those of us who don't want to update to the next release?

#8: Re: [ SECURITY UPDATE ] - Please Read
Author: [HSX]coRpSE | Location: Back of your mind!!! | Posted: Sun Jun 11, 2023 12:23 pm
The-UnXpLaiNeD, I don't know if we will release it separately ATM, for we are still making sure we got all areas done, but, when it's done, who knows.
If you'd like to have this sooner and help us test it, feel free to shoot me a PM, and we can see about getting you set up.

All times are GMT - 7 Hours