Critical update for EasySocial! Update to 1.4.7 now!

  Mark EasySocial


I hope most of you are enjoying your weekends! Over the weekend, one of our customers submitted a set of log files concerning several files that had been uploaded to their server and that appeared to be used for sending spam. I was very curious about what had been done, so I started deciphering the code and began my own code forensics.


After several hours of code forensics, I concluded that our custom fields were not performing the file checks correctly. The validation itself runs correctly, but the file still gets uploaded, which is pretty risky if malicious hackers were to find the hole.
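To illustrate the class of bug described above (a validation routine that runs but whose result never stops the upload), here is an added PHP example; it is not EasySocial's code, which this post deliberately withholds, and the class, method and directory names are hypothetical.

```php
<?php
// Added example, not EasySocial's code: a "check but don't enforce" uploader
// (uploadInsecure) beside the corrected form (uploadSecure). Names are hypothetical.

final class FieldUploader
{
    private const ALLOWED_EXT  = ['jpg', 'jpeg', 'png', 'gif'];
    private const ALLOWED_MIME = ['image/jpeg', 'image/png', 'image/gif'];

    private string $storageDir;

    public function __construct(string $storageDir)
    {
        $this->storageDir = $storageDir;
    }

    /** True only when both the extension and the detected MIME type are allowlisted. */
    public function validate(array $file): bool
    {
        $ext  = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
        $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
        return in_array($ext, self::ALLOWED_EXT, true)
            && in_array($mime, self::ALLOWED_MIME, true);
    }

    // BEFORE: validate() is called, but nothing acts on its return value,
    // so a rejected file is written to disk exactly like an accepted one.
    public function uploadInsecure(array $file): string
    {
        $this->validate($file);                       // result discarded
        $dest = $this->storageDir . '/' . basename($file['name']);
        move_uploaded_file($file['tmp_name'], $dest);
        return $dest;
    }

    // AFTER: a failed check aborts before anything touches the storage
    // directory, and the stored name is generated rather than user-supplied.
    public function uploadSecure(array $file): string
    {
        if (!$this->validate($file)) {
            throw new RuntimeException('Rejected upload: disallowed file type');
        }
        $ext  = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
        $dest = $this->storageDir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
        if (!move_uploaded_file($file['tmp_name'], $dest)) {
            throw new RuntimeException('Upload failed');
        }
        return $dest;
    }
}
```

Reviewing an uploader for this defect means tracing every write path and confirming each one is reachable only after the validation result has been consumed.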

I have spent the past couple of hours patching things up and making sure this does not occur again, and have released an emergency build, EasySocial 1.4.7. This file injection may affect any version prior to 1.4.7, so I urge everyone to update to 1.4.7 as quickly as possible.


P.S.: I will not be disclosing the code I found until more users have patched their sites. I would like to thank Fred for assisting us with these findings!

 

Download EasySocial 1.4.7 Now!

 

Users without an active subscription

For users who no longer have an active subscription, you may download the patch files below. The patch file paths are relative to your Joomla root, and you need to update them accordingly. This is only available for users on 1.4.x.

Download 1.4.7 Patch


  • Thanks Mark for your diligence to protect the code and update it right away. :)

  • You are most welcome Randall :) Remember to update your sites immediately!

  • Can you please disclose what fields are affected? Avatar and Cover photo upload as well ?

  • Hey David,

    Yes, more details would be released soon as right now my priority is to get everyone updated to 1.4.7 first.

  • Thanks Mark for working hard on the weekend to keep our sites safe from spammers. This is deeply appreciated from us. I take security seriously, so I'm very pleased that Stackideas does too. :D

  • will

    In reply to: Josh Lewis about 7 months ago Reply

    My thoughts exactly..

  • Thanks Josh!

  • Guest - Mike

    about 8 months ago Reply

    Hi,
    could you release the files which makes it un-secure?
    My subscription expired in December :((

  • The reason that we don't release the files publicly yet is to avoid hackers exploiting this.

  • I agree with "Guest - Mike" that you are saying there was a critical flaw in your software and you urge everyone to upgrade, so it seems only fair and responsible that you should urgently make that possible for every user of your product that is affected, irrespective of whether they have a valid subscription or not.

  • Mark

    In reply to: Andrew Heritage about 8 months ago Reply

    We will eventually release these files but it will not be now :) We are placing our priority on users with a valid subscription right now and to ensure that all their sites are up to date before we disclose anything.

  • Andrew Heritage

    In reply to: Mark about 8 months ago Reply

    Although I understand as you are a small team and so have to prioritise, if this bug means that anyone that purchased your product in good faith is now at risk, it would feel like ensuring everyone gets updated is important. You have just released a fix for all those with a valid subscription, so little more to do there!

    One could almost start to wonder if you are just taking this as a "great marketing opportunity" to sell lots of subscriptions ;)

    Would it not be possible to issue some form of patch system?

    If that's not possible, just give everyone a free upgrade and then extend existing users subscriptions by 6 months. Having everyone on the same version will make people happy and more likely to stay with you, show you take security seriously, plus it will make your support role actually easier!

  • Mark

    In reply to: Andrew Heritage about 7 months ago Reply

    Thanks for the input on this Andrew! We don't have a "patch" system to generate changesets but I will do this manually as soon as I confirm that more paid users have already updated to 1.4.7.

    The only reason that we are reluctant to release these patch files immediately is because we want to ensure our users with a valid subscription update to 1.4.7 first.

    There is no marketing gimmick or trick involved. Neither am I forcing anyone to renew! Renewals are your own choice. If we did intend to use this as a marketing gimmick, wouldn't this post have a coupon code?

  • Andrew Heritage

    In reply to: Mark about 7 months ago

    I understand your concerns around, let's be honest, the major design bug, out of public realm, but if someone wants to I'm sure it won't be hard to check a system before and after updating to this new version to find what files have changed (and I'm sure anyone wanting to exploit it would also have ways to be able to get the update.)

    Saying you only want people with a valid subscription to be able to update first suggests you don't care that everyone who purchased this product has been sold something that sounds like it makes their website insecure and a security risk. If this really affects every version then you have a duty to fix the faulty product that people purchased in good faith.

    Otherwise it's like selling a toaster, then finding due to a design flaw there was a small chance it could electrocute people, but saying you would only fix the ones still under warranty!

    Comment last edited on about 7 months ago by Andrew Heritage
  • Mark

    In reply to: Mark about 7 months ago

    Well, if you ask me, people who still have an active subscription should be placed as priority and be treated first before the rest, as they are the ones that are funding the entire project.

    We are not a huge corporation and we only have a small team with a small budget. Without their support, we wouldn't even be able to continue finding such remote holes :) What good is a project if there is nobody working on it?

    This does not mean that people who originally purchased EasySocial are being forgotten and this is the reason why we will release the patch files shortly.

  • Josh Lewis

    In reply to: Mark about 7 months ago

    As much as I like free stuff, I'm going to have to side with Mark on this. If a free patch was released right away to anyone, active paying customers would be at risk. As of right now hardly anyone knows what exactly the threats are which is a good thing due to it making it difficult for exploiters. If a free patch was released later, both the customer and observant past customers would be secured.

    Mark and the staff of Stackideas very much value their reputation with their customers (and they certainly have earned it). They wouldn't want to possibly lose supporters of the projects based on security incidents. In a round about way this tactic actually supports the project itself in a positive way. In other words, losing customers hurts the project. While the toaster story sounds fun, it's not quite accurate. Human lives are not at stake with this issue. The fact that Mark wants to help both groups of people (current and past customers) in terms of security is pretty awesome. :)

  • When I try to update with the downloaded file, 3 times I get an error message - 3 days ago I updated to vers. 1.4.6 correctly - message: Error 500 - Internal server error

    Comment last edited on about 8 months ago by Peter Lex
  • Mark

    In reply to: Peter Lex about 8 months ago Reply

    Please contact our support team at http://stackideas.com/forums should you need help with your upgrade :)

  • Hi Mark, thanks for the update.

    We have a little problem with the Profile Default Display: after this update the timeline is shown instead of About, even when we change About or Timeline in the options! Can you please try on your dev website?

  • Mark

    In reply to: jan! about 7 months ago Reply

    Please submit a new ticket on our forums Jan :) I will look into this.

  • Guest - Mike

    about 8 months ago Reply

    Thanks Andrew Heritage!
    Mark, you should really allow previous customers to upgrade the files if this is such an issue... not to all of them, but at least for those which had subscription expired in last 6 months. ... you may simply "open window" for a week for us to upgrade the EasySocial.

  • Mark

    In reply to: Guest - Mike about 7 months ago Reply

    I would disagree with extending subscriptions because subscriptions are not only access to our downloads, but our support as well.

    If you read the post, it is stated that the files are not released publicly yet due to security concerns. We will release the patch files when we see more upgrades to 1.4.7 from users.

  • Mark, thanks for your continuous work!

  • You are most welcome Juan :)

  • nope

  • Thanks Mark! Upgraded to the new release without any issue. You and your team rock. :D

  • Sylvie

    In reply to: Binky about 7 months ago Reply

    Thanks Binky :)

  • Guest - Inverter

    about 7 months ago Reply

    There are benefits of being a registered paid subscriber ;)

    Thanks Mark

  • I upgraded. Keep up the good work. :)

  • Sylvie

    In reply to: Paul Murray about 7 months ago Reply

    Awesome, thanks Paul! :)

  • Guest - Mike

    about 7 months ago Reply

    YEP! It's a toaster without warranty :(

  • Mark

    In reply to: Guest - Mike about 7 months ago Reply

    Read the post above, the patch files have been added :)

  • jan!

    In reply to: Mark about 7 months ago Reply

    Hats off to you Mark and all the Si team for your professionalism :)

  • Mark

    In reply to: jan! about 7 months ago Reply

    Thank you Jan :)

  • How to install the patch files?
    Joomla gives error

    Warning
    JInstaller::Install: Can't find XML setup file.
    Error
    Unable to find install package

  • Josh Lewis

    In reply to: Mariosgr about 7 months ago Reply

    I think you have to manually replace each file in the respective folders. For example the admin uploader is located in: administrator/components/com_easysocial/includes/uploader/ and the file name is uploader.php
    In other words there is no xml file to define it as an installation. The patch above is a set of files that we can manually replace them to fix the security issue. Unzip the folder first of course.

    Same goes for the rest of the files needed. It's a little work, but has a great pay off. :) Hats off to the staff of Stackideas. :D

    Comment last edited on about 7 months ago by Josh Lewis
  • thank you Josh

  • Josh Lewis

    In reply to: Mariosgr about 7 months ago Reply

    You're welcome. :) Glad I could be of assistance.

  • Will there be patch files for 1.3.28 too? I have disabled EasySocial completely now and don't know if I must quit, can wait, or have to renew and upgrade.....

  • Sylvie

    In reply to: Frank ter Braak about 7 months ago Reply

    Thanks for sending a ticket to our helpdesk, do update us regarding your site :)

  • If every easysocial upgrade would come in the form of patch as it is provided now - it would make my life so much easier... :)

  • Josh Lewis

    In reply to: Tomas about 7 months ago Reply

    The auto update feature of ES is a lot easier to manage. ;)

  • Well, for most users - yes. For me - it is very important to see which files i am upgrading. And auto update feature hides all updates from me. I am afraid to use it.

  • The changelog actually lists down which files are updated :)

  • I really like the auto update feature.
    Had some issues with it at the beginning but this was possible related to Akeeba back up.
    Has worked for me every time for going on a year now.
    I even read the change logs these days. :p

    Comment last edited on about 7 months ago by Paul Murray
  • Shiyi

    In reply to: Paul Murray about 7 months ago Reply

    @Paul thanks for your support. :)

  • Yes, autoupdate option is a very nice thing to have. Just saying, if there is a possibility to have update patches together with autoupdate option - i would love it :) Didn't mean to say that autoupdate is a bad thing - Easysocial is UberCool software for me! :)

  • Thanks for sharing this Tomas, we'll see what we can do about this in the future :)

  • Hello, a patch for version 1.3.x is not expected?

  • Hey Salvatore,

    I'm really sorry. Unfortunately, the patch was made available for users on 1.4.x :(

  • Guest - John_Dave

    about 7 months ago Reply

    Hi mark
    Is any Chance of adding Conditional LOGIC for Profile Fields inside single profile type in future releases of Easysocial ?

    i.e. instead of creating different profile TYPEs, profile custom fields adjust (APPEAR/DISAPPEAR) according to the user's previous inputs, inside a single Profile Type. It will help the admin gather information from users more intelligently, and also different profile Types are sometimes cumbersome for subscription based projects.

    Waiting for Response :)

  • Sylvie

    In reply to: Guest - John_Dave about 7 months ago Reply

    Hey John,

    Would you mind sending your inquires to https://crm.stackideas.com please? :)

  • Reminds me of a thread I started a while back: http://stackideas.com/forums/using-a-boolean-field-to-decide-if-something-should-display

    Using the same logic of the thread, you could make certain things appear/disappear based on selection. The main difficulty I foresee is that it would be difficult to put PHP into a custom field due to a constraint made by EasySocial on allowing that type of code. You might be able to add it in a HTML field on the MySQL end.
