Critical update for EasySocial! Update to 1.4.7 now!

I hope most of you are enjoying your weekends! During the weekend, one of our customers submitted a list of log files pertaining to several files that had been uploaded to the server and were apparently being used to send spam. I was very curious about what they had done, so I started deciphering their code and began my own code forensics.

After several hours of code forensics, I concluded that our custom fields weren't performing the correct file checks. The validation itself runs correctly, but the file still gets uploaded, which is pretty risky if malicious hackers were to find the hole.

I just spent the past couple of hours patching things up and making sure this doesn't occur again, then released an emergency build, EasySocial 1.4.7. This file injection may affect any version prior to 1.4.7, so I urge everyone to please update to 1.4.7 as quickly as possible.
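As an added illustration of the bug class described above (this is not EasySocial's code, which the post does not disclose), here is a minimal PHP upload handler that runs its checks but writes the file anyway, beside a version that only writes when the checks pass. The allowlists, size limit and directory names are assumptions for the example.

```php
<?php
// Added example, not EasySocial's code (the post does not disclose it): the bug
// class described above, where validation runs but the file is written anyway,
// beside a handler that lets the result of validation gate the write.
// Allowlists, limits and directory names are assumptions for illustration.

const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif'];
const ALLOWED_MIME       = ['image/jpeg', 'image/png', 'image/gif'];
const MAX_BYTES          = 2 * 1024 * 1024;

// Returns a list of problems with one entry of $_FILES; empty means it passed.
function validateUpload(array $file): array
{
    $errors = [];
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return ['transfer failed'];
    }
    if ($file['size'] > MAX_BYTES) {
        $errors[] = 'too large';
    }
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        $errors[] = 'extension not allowed';
    }
    // Sniff the real content type; $file['type'] is supplied by the client.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($mime, ALLOWED_MIME, true)) {
        $errors[] = 'content is not an image';
    }
    return $errors;
}

// BEFORE: the validation result is collected for the form's error display,
// but the file is moved into the upload directory regardless of it.
function saveFieldUploadBuggy(array $file, string $uploadDir): array
{
    $errors = validateUpload($file);
    $dest = $uploadDir . '/' . basename($file['name']);
    move_uploaded_file($file['tmp_name'], $dest); // runs even when $errors is non-empty
    return $errors;                               // the form shows an error, the file is already on disk
}

// AFTER: nothing is written unless every check passed, the stored name is
// generated server-side, and the target directory is one the web server
// should be configured not to execute scripts from.
function saveFieldUploadFixed(array $file, string $uploadDir): array
{
    $errors = validateUpload($file);
    if ($errors !== []) {
        return $errors;                           // reject before touching the filesystem
    }
    $ext  = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    $dest = $uploadDir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return ['could not store file'];
    }
    return [];
}
```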


P.S. I will not be disclosing the code I found for now, until more users have patched their sites. I would like to thank Fred for assisting us with these findings!

Download EasySocial 1.4.7 Now!

Users without an active subscription

For users who no longer have an active subscription, you may download the patch files below. The patch files are relative to your Joomla root, and you need to update them accordingly. This is only available for users on 1.4.x.

Download 1.4.7 Patch

Comments (53)

Thanks Mark for your diligence to protect the code and update it right away.

You are most welcome, Randall. Remember to update your sites immediately!

Can you please disclose which fields are affected? Avatar and cover photo upload as well?

Hey David,

Yes, more details would be released soon as right now my priority is to get everyone updated to 1.4.7 first.

Thanks Mark for working hard on the weekend to keep our sites safe from spammers. This is deeply appreciated from us. I take security seriously, so I'm very pleased that Stackideas does too.

My thoughts exactly.

Thanks Josh!

Hi,
could you release the files which make it insecure?
My subscription expired in December.

The reason that we don't release the files publicly yet is to avoid hackers exploiting this.

I agree with "Guest - Mike" that you are saying there was a critical flaw in your software and you urge everyone to upgrade, so it seems only fair and responsible you should urgently make that possible for every user of your product that is affected, irrespective of if they have a valid subscription or not.

We will eventually release these files, but it will not be now. We are placing our priority on users with a valid subscription right now, to ensure that all their sites are up to date before we disclose anything.

Although I understand as you are a small team and so have to prioritise, if this bug means that anyone that purchased your product in good faith is now at risk, it would feel like ensuring everyone gets updated is important. You have just released a fix for all those with a valid subscription, so little more to do there!

One could almost start to wonder if you are just taking this as a "great marketing opportunity" to sell lots of subscriptions.

Would it not be possible to issue some form of patch system?

If that's not possible, just give everyone a free upgrade and then extend existing users subscriptions by 6 months. Having everyone on the same version will make people happy and more likely to stay with you, show you take security seriously, plus it will make your support role actually easier!

Thanks for the input on this Andrew! We don't have a "patch" system to generate changesets but I will do this manually as soon as I confirm that more paid users have already updated to 1.4.7.

The only reason that we are reluctant to release these patch files immediately is because we want to ensure our users with a valid subscription update to 1.4.7 first.

There is no marketing gimmick or trick involved. Neither am I forcing anyone to renew! Renewals are your own choice. If we did intend to use this as a marketing gimmick, wouldn't this post have a coupon code?

I understand your concerns around, let's be honest, the major design bug, out of public realm, but if someone wants to I'm sure it won't be hard to check a system before and after updating to this new version to find what files have changed (and I'm sure anyone wanting to exploit it would also have ways to be able to get the update.)

Saying you only want people with a valid subscription to be able to update first suggests you don't care that everyone who purchased this product has been sold something that sounds like it makes their website insecure and a security risk. If this really affects every version then you have a duty to fix the faulty product that people purchased in good faith.

Otherwise it's like selling a toaster, then finding due to a design flaw there was a small chance it could electrocute people, but saying you would only fix the ones still under warranty!

  Comment was last edited about 1 year ago by Andrew Heritage
Well, if you ask me. People who still have an active subscription should be placed as priority and have to be treated first before the rest as they are the ones that are funding the entire project.

We are not a huge corporation and we only have a small team with a small budget. Without their support, we wouldn't even be able to continue finding such remote holes. What good is a project if there is nobody working on it?

This does not mean that people who originally purchased EasySocial are being forgotten and this is the reason why we will release the patch files shortly.

As much as I like free stuff, I'm going to have to side with Mark on this. If a free patch was released right away to anyone, active paying customers would be at risk. As of right now hardly anyone knows what exactly the threats are which is a good thing due to it making it difficult for exploiters. If a free patch was released later, both the customer and observant past customers would be secured.

Mark and the staff of Stackideas very much value their reputation with their customers (and they certainly have earned it). They wouldn't want to possibly lose supporters of the projects based on security incidents. In a roundabout way this tactic actually supports the project itself in a positive way. In other words, losing customers hurts the project. While the toaster story sounds fun, it's not quite accurate. Human lives are not at stake with this issue. The fact that Mark wants to help both groups of people (current and past customers) in terms of security is pretty awesome.

When I try to update with the downloaded file, I get an error message (3 times). 3 days ago I updated to version 1.4.6 correctly. Message: Error 500 - Internal server error

  Comment was last edited about 1 year ago by Peter Lex
Please contact our support team at http://stackideas.com/forums should you need help with your upgrade.

Hi Mark, thanks for the update.

We have a little problem with the Profile Default Display: after this update the timeline is shown instead of About, even when we change About or Timeline in the options! Can you please try on your dev website?

Please submit a new ticket on our forums, Jan. I will look into this.

Thanks Andrew Heritage!
Mark, you should really allow previous customers to upgrade the files if this is such an issue... not to all of them, but at least for those which had subscription expired in last 6 months. ... you may simply "open window" for a week for us to upgrade the EasySocial.

I would disagree with extending subscriptions because subscriptions are not only access to our downloads, but our support as well.

If you read the post, it is stated that the files are not released publicly yet due to security concerns. We will release the patch files when we see more upgrades to 1.4.7 from users.

Mark, thanks for your continuous work!

You are most welcome Juan

nope

Thanks Mark! Upgraded to the new release without any issue. You and your team rock.

Thanks Binky

There are benefits of being a registered paid subscriber

Thanks Mark

I upgraded. Keep up the good work.

Awesome, thanks Paul!

YEP! It's a toaster without warranty

Read the post above, the patch files have been added.

Hats off to you Mark and all the Si team for your professionalism

Thank you Jan

How do I install the patch files?
Joomla gives an error:

Warning
JInstaller::Install: Can't find XML setup file.
Error
Unable to find install package

I think you have to manually replace each file in the respective folders. For example, the admin uploader is located in administrator/components/com_easysocial/includes/uploader/ and the file name is uploader.php.
In other words, there is no XML file to define it as an installation. The patch above is a set of files that we can manually replace to fix the security issue. Unzip the folder first, of course.

Same goes for the rest of the files needed. It's a little work, but it has a great payoff. Hats off to the staff of Stackideas.

  Comment was last edited about 1 year ago by Josh Lewis

thank you Josh

You're welcome. Glad I could be of assistance.

Will there be patch files for 1.3.28 too? I have now disabled EasySocial completely and don't know if I must quit, can wait, or have to renew and upgrade...

Thanks for sending a ticket to our helpdesk, do update us regarding your site

If every easysocial upgrade would come in the form of patch as it is provided now - it would make my life so much easier...

The auto update feature of ES is a lot easier to manage.

Well, for most users, yes. For me, it is very important to see which files I am upgrading, and the auto update feature hides all updates from me. I am afraid to use it.

The changelog actually lists which files are updated.

I really like the auto update feature.
Had some issues with it at the beginning, but this was possibly related to Akeeba Backup.
Has worked for me every time for going on a year now.
I even read the change logs these days.

  Comment was last edited about 1 year ago by Paul Murray
@Paul thanks for your support.

Yes, the autoupdate option is a very nice thing to have. Just saying, if there is a possibility to have update patches together with the autoupdate option, I would love it. Didn't mean to say that autoupdate is a bad thing. EasySocial is UberCool software for me!

Thanks for sharing this Tomas, we'll see what we can do about this in the future

Hello, a patch for version 1.3.x is not expected?

Hey Salvatore,

I'm really sorry. Unfortunately, the patch was made available for users on 1.4.x

Hi Mark,
Is there any chance of adding conditional logic for profile fields inside a single profile type in future releases of EasySocial?

i.e. Instead of creating different profile types, profile custom fields adjust (appear/disappear) according to the user's previous inputs, inside a single profile type. It will help the admin gather information from users more intelligently, and also different profile types are sometimes cumbersome for subscription-based projects.

Waiting for a response.

Hey John,

Would you mind sending your inquiries to https://crm.stackideas.com please?

Reminds me of a thread I started a while back: http://stackideas.com/forums/using-a-boolean-field-to-decide-if-something-should-display

Using the same logic as the thread, you could make certain things appear/disappear based on selection. The main difficulty I foresee is that it would be difficult to put PHP into a custom field due to a constraint made by EasySocial on allowing that type of code. You might be able to add it in an HTML field on the MySQL end.
