I hope most of you are enjoying your weekends! Over the weekend, one of our customers submitted a set of log files concerning several files that had been uploaded to their server; the files appear to be used for sending spam. I was curious about what had been done, so I started deciphering the uploaded code and began my own code forensics.
After several hours of code forensics, I concluded that our custom fields weren't performing the correct file checks. The validation itself runs correctly, but the file still gets uploaded regardless of the result, which is risky if malicious attackers find the hole.
I spent the past couple of hours patching things up and making sure this cannot occur again, and then released an emergency build, EasySocial 1.4.7. This file injection may affect any version prior to 1.4.7, so I urge everyone to update to 1.4.7 as quickly as possible.
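To illustrate the failure mode described above (a validation routine that runs, but whose outcome never stops the upload), here is an added example beside its corrected form. This is hypothetical code written for this note, not EasySocial's code, which the author has deliberately withheld; the function names, the extension whitelist and the `$file` array layout (PHP's `$_FILES` entry) are assumptions.

```php
<?php
// Added illustration, not EasySocial code. Field names and helpers are assumed.

function validateUpload(array $file, array $allowedExt): array
{
    $errors = [];
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        $errors[] = "Extension '$ext' is not allowed";
    }
    if ($file['error'] !== UPLOAD_ERR_OK) {
        $errors[] = 'Upload failed with error code ' . $file['error'];
    }
    return $errors;
}

// Defective pattern: validation is executed and its errors are collected,
// but the file is moved into place no matter what the result was.
function storeUploadDefective(array $file, string $dir, array $allowedExt): bool
{
    $errors = validateUpload($file, $allowedExt);
    if ($errors) {
        error_log(implode('; ', $errors)); // logged, but nothing stops the upload
    }
    return move_uploaded_file($file['tmp_name'], $dir . '/' . basename($file['name']));
}

// Corrected pattern: abort on any validation error, and store the file under
// a server-generated name instead of the client-supplied one.
function storeUploadFixed(array $file, string $dir, array $allowedExt): bool
{
    $errors = validateUpload($file, $allowedExt);
    if ($errors) {
        error_log(implode('; ', $errors));
        return false;
    }
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    $target = $dir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    return move_uploaded_file($file['tmp_name'], $target);
}
```

An extension whitelist alone is a weak check; a server-side handler should also inspect the file's actual content and the upload directory should be configured so that nothing stored in it can be executed.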
P.S. I will not be disclosing the code I found for now, until more users have patched their sites. I would like to thank Fred for assisting us with these findings!
Download EasySocial 1.4.7 Now!
Users without an active subscription
For users who no longer have an active subscription, you may download the patch files below. The patch file paths are relative to your Joomla root, and you need to update them accordingly. This is only available for users on 1.4.x.
Download 1.4.7 Patch