Critical update for EasySocial! Update to 1.4.7 now!

I hope most of you are enjoying your weekends! During the weekend, one of our customers submitted a set of log files pertaining to several files that had been uploaded to their server and appeared to be sending spam. I was very curious about what had been done, so I started deciphering the uploaded code and began my own code forensics.

After several hours of code forensics, I concluded that our custom fields weren't performing the correct file checks. The validation itself runs correctly, but the file still gets uploaded, and this is pretty risky should malicious actors find the hole.
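The failure mode described above, as an added PHP illustration that is not EasySocial's or Stackideas' code: an upload handler whose validator runs (and even logs its verdict) but never gates the write, beside a fail-closed version that rejects before storing and uses a server-chosen file name. The function names, the extension allowlist and the sample file are constructed for the demo, and the fileinfo extension is assumed to be available.

```php
<?php
// Added illustration, not EasySocial's code: a validator that runs but never gates the write, beside a fail-closed form.
// Allowlisted extensions and the sniffed MIME type each must carry (constructed for the demo).
const ALLOWED_TYPES = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png'];

// Returns [bool ok, string reason]; the client-supplied type header is never consulted.
function validateUpload(string $tmpPath, string $clientName): array
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_TYPES)) {
        return [false, "extension '$ext' not allowed"];
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);   // sniff the real content
    if ($mime !== ALLOWED_TYPES[$ext]) {
        return [false, "content is $mime, not " . ALLOWED_TYPES[$ext]];
    }
    return [true, 'ok'];
}
// Vulnerable pattern: the check runs and is even logged, yet the file lands regardless.
function storeVulnerable(string $tmpPath, string $clientName, string $destDir): string
{
    [$ok, $why] = validateUpload($tmpPath, $clientName);
    error_log('upload check: ' . ($ok ? 'pass' : "fail ($why)"));
    $dest = "$destDir/" . basename($clientName);   // client-chosen name kept as-is
    rename($tmpPath, $dest);                       // executes on both branches
    return $dest;
}
// Hardened pattern: fail closed before any write, and store under a server-chosen name.
function storeHardened(string $tmpPath, string $clientName, string $destDir): string
{
    [$ok, $why] = validateUpload($tmpPath, $clientName);
    if (!$ok) {
        unlink($tmpPath);                          // discard the temp file on rejection
        throw new RuntimeException("upload rejected: $why");
    }
    $ext  = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    $dest = "$destDir/" . bin2hex(random_bytes(16)) . ".$ext";
    if (!rename($tmpPath, $dest)) {
        throw new RuntimeException('could not store upload');
    }
    return $dest;
}
// Constructed demo: plain text presented as photo.png (rename stands in for move_uploaded_file).
$dir = sys_get_temp_dir() . '/upload_demo_' . bin2hex(random_bytes(4));
mkdir($dir);
foreach (['storeVulnerable', 'storeHardened'] as $fn) {
    file_put_contents($tmp = tempnam($dir, 'up'), 'plain text, not a PNG');
    try { echo "$fn: stored at ", $fn($tmp, 'photo.png', $dir), PHP_EOL; }
    catch (RuntimeException $e) { echo "$fn: ", $e->getMessage(), PHP_EOL; }
}
```

In a real handler the temporary path comes from $_FILES and is moved with move_uploaded_file(), and the destination directory should sit outside the web root or have script execution disabled, so that anything which slips past the check cannot be executed.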

I just spent the past couple of hours patching things up and making sure this doesn't occur again, then released an emergency build, EasySocial 1.4.7. This file injection may affect any version prior to 1.4.7. Therefore, I would urge everyone to please update to 1.4.7 as quickly as possible.

P.S. I will not be disclosing the code I found for now, until more users have patched their sites. I would like to thank Fred for assisting us with these findings!

Download EasySocial 1.4.7 Now!

Users without an active subscription

For users who no longer have an active subscription, you may download the patch files below. The patch files are laid out relative to your Joomla root, and you need to update them accordingly. This is only available for users on 1.4.x.

Download 1.4.7 Patch

Comments (53)

Thanks Mark for your diligence to protect the code and update it right away.

You are most welcome, Randall. Remember to update your sites immediately!

Can you please disclose what fields are affected? Avatar and cover photo upload as well?

Hey David,

Yes, more details would be released soon as right now my priority is to get everyone updated to 1.4.7 first.

Thanks Mark for working hard on the weekend to keep our sites safe from spammers. This is deeply appreciated by us. I take security seriously, so I'm very pleased that Stackideas does too.

My thoughts exactly..

Thanks Josh!

Hi,
could you release the files which make it insecure?
My subscription expired in December :((

The reason that we don't release the files publicly yet is to avoid hackers exploiting this.

I agree with "Guest - Mike" that you are saying there was a critical flaw in your software and you urge everyone to upgrade, so it seems only fair and responsible you should urgently make that possible for every user of your product that is affected, irrespective of if they have a valid subscription or not.

We will eventually release these files, but it will not be now. We are placing our priority on users with a valid subscription right now and ensuring that all their sites are up to date before we disclose anything.

Although I understand as you are a small team and so have to prioritise, if this bug means that anyone that purchased your product in good faith is now at risk, it would feel like ensuring everyone gets updated is important. You have just released a fix for all those with a valid subscription, so little more to do there!

One could almost start to wonder if you are just taking this as a "great marketing opportunity" to sell lots of subscriptions ;)

Would it not be possible to issue some form of patch system?

If that's not possible, just give everyone a free upgrade and then extend existing users subscriptions by 6 months. Having everyone on the same version will make people happy and more likely to stay with you, show you take security seriously, plus it will make your support role actually easier!

Thanks for the input on this Andrew! We don't have a "patch" system to generate changesets but I will do this manually as soon as I confirm that more paid users have already updated to 1.4.7.

The only reason that we are reluctant to release these patch files immediately is because we want to ensure our users with a valid subscription update to 1.4.7 first.

There is no marketing gimmick or trick involved. Neither am I forcing anyone to renew! Renewals are your own choice. If we did intend to use this as a marketing gimmick, wouldn't this post have a coupon code?

I understand your concerns around keeping, let's be honest, the major design bug out of the public realm, but if someone wants to, I'm sure it won't be hard to check a system before and after updating to this new version to find what files have changed (and I'm sure anyone wanting to exploit it would also have ways to get the update).

Saying you only want people with a valid subscription to be able to update first suggests you don't care that everyone who purchased this product has been sold something that sounds like it makes their website insecure and a security risk. If this really affects every version then you have a duty to fix the faulty product that people purchased in good faith.

Otherwise it's like selling a toaster, then finding due to a design flaw there was a small chance it could electrocute people, but saying you would only fix the ones still under warranty!

Well, if you ask me, people who still have an active subscription should be placed as a priority and treated first, before the rest, as they are the ones funding the entire project.

We are not a huge corporation; we only have a small team with a small budget. Without their support, we wouldn't even be able to continue finding such remote holes. What good is a project if there is nobody working on it?

This does not mean that people who originally purchased EasySocial are being forgotten and this is the reason why we will release the patch files shortly.

As much as I like free stuff, I'm going to have to side with Mark on this. If a free patch was released right away to anyone, active paying customers would be at risk. As of right now hardly anyone knows what exactly the threats are which is a good thing due to it making it difficult for exploiters. If a free patch was released later, both the customer and observant past customers would be secured.

Mark and the staff of Stackideas very much value their reputation with their customers (and they certainly have earned it). They wouldn't want to possibly lose supporters of the projects based on security incidents. In a roundabout way this tactic actually supports the project itself in a positive way. In other words, losing customers hurts the project. While the toaster story sounds fun, it's not quite accurate. Human lives are not at stake with this issue. The fact that Mark wants to help both groups of people (current and past customers) in terms of security is pretty awesome.

When I try to update with the downloaded file, 3 times I get an error message - 3 days ago I updated to version 1.4.6 correctly - message: Error 500 - Internal server error

Please contact our support team at http://stackideas.com/forums should you need help with your upgrade.

Hi Mark, thanks for the update.

We have a little problem with the Profile Default Display: after this update the timeline is shown instead of About, even when we change About or Timeline in the options! Can you please try on your dev website?

Please submit a new ticket on our forums, Jan. I will look into this.

Thanks Andrew Heritage!
Mark, you should really allow previous customers to upgrade the files if this is such an issue... not all of them, but at least those whose subscription expired in the last 6 months. ... You may simply "open a window" for a week for us to upgrade EasySocial.

I would disagree with extending subscriptions because subscriptions are not only access to our downloads, but our support as well.

If you read the post, it is stated that the files are not released publicly yet due to security concerns. We will release the patch files when we see more upgrades to 1.4.7 from users.

Mark, thanks for your continuous work!

You are most welcome, Juan.

nope

Thanks Mark! Upgraded to the new release without any issue. You and your team rock.

Thanks Binky

There are benefits of being a registered paid subscriber ;)

Thanks Mark

I upgraded. Keep up the good work.

Awesome, thanks Paul!

YEP! It's a toaster without warranty

Read the post above, the patch files have been added.

Hats off to you Mark and all the Si team for your professionalism

Thank you Jan

How to install the patch files?
Joomla gives an error:

Warning
JInstaller::Install: Can't find XML setup file.
Error
Unable to find install package

I think you have to manually replace each file in the respective folders. For example, the admin uploader is located in administrator/components/com_easysocial/includes/uploader/ and the file name is uploader.php.
In other words, there is no XML file to define it as an installation. The patch above is a set of files that we can manually replace to fix the security issue. Unzip the folder first, of course.

Same goes for the rest of the files needed. It's a little work, but has a great pay off. Hats off to the staff of Stackideas.

thank you Josh

You're welcome. Glad I could be of assistance.

Will there be patch files for 1.3.28 too? I have disabled EasySocial completely now and don't know if I must quit, can wait, or have to renew and upgrade.....

Thanks for sending a ticket to our helpdesk, do update us regarding your site.

If every easysocial upgrade would come in the form of patch as it is provided now - it would make my life so much easier...

The auto update feature of ES is a lot easier to manage.

Well, for most users - yes. For me it is very important to see which files I am upgrading, and the auto update feature hides all updates from me. I am afraid to use it.

The changelog actually lists which files are updated.

I really like the auto update feature.
Had some issues with it at the beginning, but this was possibly related to Akeeba Backup.
Has worked for me every time for going on a year now.
I even read the change logs these days.

@Paul thanks for your support.

Yes, the autoupdate option is a very nice thing to have. Just saying, if there is a possibility to have update patches together with the autoupdate option, I would love it. Didn't mean to say that autoupdate is a bad thing - EasySocial is UberCool software for me!

Thanks for sharing this Tomas, we'll see what we can do about this in the future.

Hello, a patch for version 1.3.x is not expected?

Hey Salvatore,

I'm really sorry. Unfortunately, the patch was made available for users on 1.4.x

Hi Mark,
Is there any chance of adding conditional logic for profile fields inside a single profile type in future releases of EasySocial?

i.e. instead of creating different profile types, profile custom fields would adjust (appear/disappear) according to the user's previous inputs, inside a single profile type. It would help the admin gather information from users more intelligently, and also different profile types are sometimes cumbersome for subscription-based projects.

Waiting for Response

Hey John,

Would you mind sending your inquiries to https://crm.stackideas.com please?

Reminds me of a thread I started a while back: http://stackideas.com/forums/using-a-boolean-field-to-decide-if-something-should-display

Using the same logic of the thread, you could make certain things appear/disappear based on selection. The main difficulty I foresee is that it would be difficult to put in PHP into a custom field due to a constraint made by EasySocial with allowing that type of code. You might be able to add it in a HTML field on the MySQL end.
