We build. You grow.

Get best community software here

Start a social network, a fan-site, an education project with oxwall - free opensource community software

Get started

security remote code execution | Forum

Topic location: Forum home » Support » General Questions

scott lamburne Aug 5 '14

Hi all I came across this when checking security on my site. Its it of concern?

Oxwall suffers from an authenticated arbitrary PHP code execution. The vulnerability is caused due to the improper verification of uploaded files in '/admin/settings/user' script thru the 'avatar' and 'bigAvatar' POST parameters. This can be exploited to execute arbitrary PHP code by uploading a malicious PHP script file with '.php5' extension (to bypass the '.htaccess' block rule) that will be stored in '/ow_userfiles/plugins/base/avatars/' directory. Version 1.7.0 (builds 7907 and 7906) are affected.

http://packetstormsecurity.com/files/127653/ZSL-2014-5196.txt

Wilson Aug 5 '14

This exploit hack is just for 1.7.0 build right?...not 1.6.0...I'm still in 1.6.0 build!

Wilson

Team

Daisy Aug 5 '14

Guys, we are aware of this vulnerability and it will be eliminated in the upcoming update.
Please do not worry, this vulnerability is quite harmless since to perform the described actions, you have to be logged into the site under the main administrator account.

scott lamburne Aug 6 '14

Thanks for the update, just wanted to make sure its not a major problem. Great to see your on top of it. Thanks again.

Team

Daisy Aug 6 '14

Thank you for your reports. :)

Wilson Aug 6 '14

Is there a date for this upcoming update...security patch ?

Wilson

Team

Daisy Aug 6 '14

We plan the release in late August, but I don't have any details or time estimate to share for now though.

Oxwall Software

Please sign in

We build. You grow.

Start a social network, a fan-site, an education project with oxwall - free opensource community software

security remote code execution | Forum