Application: WordPress CMS
Version: 2.1.2 or below
Vendor’s URL: http://wordpress.org/
Bug Type: Cross Site Scripting
Risk: Low

Solution:
- Update to version 2.0.10-RC2 or 2.1.3-RC2

Content Management, Cross Site Scripting

Application: PhpX
Version: 3.5.15 or below
Vendor’s URL: http://www.phpx.org
Bug Type: Cross Site Scripting and Sql Injections
Risk: High

Solution:
- Edit the source code to ensure that input is properly sanitized
- Waiting for the official patches that will be available at here

Content Management, Cross Site Scripting, SQL Injection

Exabytes EBiz Linux hosting plan comes with Fantastico package that includes many Content Management System (CMS) such as drupal, wordpress, phpnuke, postnuke and others.

It’s understandable that users would want to try out those CMSes and would install them once they have the chance. Installing is good, but, users are advised to uninstall those CMSes after testing it. Yes, we use the word “testing” here because the Content Management Systems found in Fantastico are merely for testing purposes and are not updated immediately when vulnerabilities are found. If you have forgotten to clean it up (in other words, uninstall) or unaware of this matter, it may jeopardize your web site and leads to harmful threats. To add to that, with many unused CMSes (or you can term them as “vulnerable applications”) installed in your site, it may deter the effectiveness of our Security Engineers in finding the root of the threats.

Therefore, we would like to notify all our loyal clients that you can actually download the latest and secure version of your favourite CMS at their official websites (To name a few, wordpress.org and drupal.org). But, do ensure that you have uninstalled those CMSes that you have previously tested from the Fantastico package. And, yeah, as simple as that, you will ensure that your site is a safer one now. Moreover, the latest versions with its patches and updates are free! All you need is to be proactive and that’s the best way to secure your site!

Cheers!

Tips

Application: vBulletin
Version: 3.6.5 or earlier
Vendor’s URL: http://www.vbulletin.com/
Bug Type: SQL Injection
Risk: Low

Solution:
- Edit the source code to ensure that input is properly sanitized.
- Waiting for official patch/update from vendor
- http://www.vbulletin.org/forum/portal.php

Content Management, SQL Injection

Application: PHProjekt
Version: 5.2 and earlier
Vendor’s URL: http://www.phprojekt.com/
Bug Type: Cross Site Attacks, Sql Injection
Risk: High

Solution:
- Update to the latest version - 5.2.1

Content Management, Cross Site Scripting, SQL Injection

Application: WordPress CMS
Version: 2.1.2 or earlier
Vendor’s URL: http://wordpress.org/
Bug Type: Cross Site Scripting
Risk: High

Solution:
- Edit the source code in general-template.php to ensure the input is sanitized
- http://trac.wordpress.org/changeset/5003

Content Management, Cross Site Scripting

Application: PHP-Nuke
Version: 8.0, 7.9 or below
Vendor’s URL: http://phpnuke.org/
Bug Type: Access Bypassing
Risk: High

Solution:
- Edit the source code to ensure that input is properly verified
- Set “magic_quotes_gpc” to On
- Waiting for official patch from vendor

Access Bypass, Content Management

Application: PHPEcho CMS
Version: 1.5
Vendor’s URL: http://sourceforge.net/projects/phpechocms/
Bug Type: SQL Injection
Risk: Medium

Solution:
- Update to version 1.6, it can be downloaded via Vendor’s URL

Content Management, SQL Injection

Application: Drupal Project issue tracking module
Version: 4.7.x-1.3 or below and 4.7.x-2.3 or below
Vendor’s URL: http://drupal.org/
Bug Type: Access Bypassing
Risk: Medium

Solution:
- Update to the latest version that you can find here -
- http://drupal.org/project/project_issue

Access Bypass, Content Management

Application: Drupal Nodefamily Module
Version: 5.x-1.0 but not 4.7 branch
Vendor’s URL: http://drupal.org/
Bug Type: Access Bypassing
Risk: Medium

Description: This vulnerability only affects to drupal installation with Nodefamily module.

Solution:
- Update Nodefamily module to latest version that you can find here:
- http://drupal.org/node/123126

Access Bypass, Content Management

Application: WordPress CMS
Version: 2.1.2 or below
Vendor’s URL: http://wordpress.org/
Bug Type: Cross Site Scripting
Risk: Low

Solution:
- Edit the source code(admin.php) to ensure that input is properly sanitised.
- Please keep your eyes close to vendor site for further update to fix the bug mentioned.

Content Management, Cross Site Scripting

Application: Snitz Forum 2000
Version: 3.4.06 or below
Vendors URL: http://forum.snitz.com/
Bug Type: Cross Site Scripting(XSS)
Risk: High

Solution:
- Edit the source code(pop_profile.asp) to ensure that input is properly sanitised
- Grant only trusted users access to the application
- Currently waiting for the bugs fix from respected vendor
- http://forum.snitz.com/forum/forum.asp?FORUM_ID=118

Content Management, Cross Site Scripting