ATTENTION: security fix available

OPN DEV NewsUnfortunatly some opn-sites has been attacked by a very special exploit. We (the dev team) has been informed by that about 10:30 april 30. After an analysis and first hotfixes the cause is as followed (15:00 april 30):
  • a special weak combination of php settings and opn settings is needed for a successful attack
  • not all opn sites are concerned by that exploit

In your php.ini settings please look for the settings of:
  • register_globals
  • allow_url_fopen


First off:we recommend to enable "Encode the URL-Parameters" in administration-> settings -> security settings

security-fix:
A fixed version of the file "master.php" ist available in trunk and branch. If you do not use subversion there is also a zip file file with the updated master.php available for download:security fix - download

An updated opn package (2.3.5) will be published shortly containing all necessary security fixes. We strongly recommend to update as soon as possible.

At this time we do not have any reports that say the database has been corrupted. It is a direct defacement attack. A successful defacment involves additional files has been uploaded to your webspaces for future attacks of your sites. So a drastic cleanup of your system is needed.

scenario 1: up-to-date backup is available
  • step 1. Remove all (!) opn files from your webserver. It is not possible to just overwrite them since the ftp rights are not high enough to catch them all. The hack gives itself higher acl values to prevent ypu from overwrite them. So you need to delete them to get rid of them.
  • step 2. restore your backup

scenario 2: no backup is available
  • step 1. backup your "mainfile.php"
  • step 2. backup the "cache" directory
  • step 3. if you use a custom theme - backup it.
  • step 4. Remove all (!) opn files from your webserver. It is not possible to just overwrite them since the ftp rights are not high enough to catch them all. The hack gives itself higher acl values to prevent ypu from overwrite them. So you need to delete them to get rid of them.
  • step 5. Upload the current (complete) opn package incl. the security fix
  • step 6. Check your backuped "mainfile.php" for conspicuities and restore it
  • step 7. Check your backuped "cache" directory for conspicuities (look at your local filesystem for files with a timestamp around the attack and remove those files) and restore the directory
  • step 8. Check your backuped theme for conspicuities (look at your local filesystem for files with a timestamp around the attack and remove those files) and restore the directory
  • step 9. adjust the directory rights to the ones named recommended in the documentation


Do not forget to check the "cgi-bin" directory (which in most cases is outside the html directory) for additional files placed by the hack.

Our recommendation:
  • Backup - a continous backup is always a good idea
  • If possible set php.ini setting "register_globals" to "off". (If this is not possible for you, encourage your hoster to do so. If he does not want to do that lookup for a another hoster).

Posted by xweber on 2006-05-01 10:52:55  (44663 * reads) 

1 comment       Auf Facebook posten http://www.openphpnuke.com/system/article/index.php?opnparams=CntdOAI3CmdWPlU0

Bugfix OPN 2.3.3

OPN DEV NewsOPN 2.3.3 is mostly a bugfix, but also we have two newest classes for the themes, there do you add in your theme.css.
The newest classes of css are:

.alternatorsubhead {
background: #bfdcfb;
border: solid 1px #A5A5A5; color: #000;
empty-cells: show;
font: 12px Verdana,Arial,Helvetica,sans-serif;
padding: 2px;
}

.listalternatorsubhead {
background: #bfdcfb;
border-bottom: 1px solid #000;
border-left: 1px solid #000;
color: #000;
empty-cells: show;
font: 12px Verdana,Arial,Helvetica,sans-serif;
padding: 4px;
}


The OPN-full version you find here:
OPN 2.3.3

Find the patch here: update 2.3.2 to 2.3.3

openphpnuke-2.3.3-full.* - The whole OPN, with modules and all languages included
openphpnuke-2.3.3-core.* - OPN without the modules
openphpnuke-2.3.3-modules-full.* - Only the modules complete
openphpnuke-2.3.3-module-xxx.* - single modules

If you have already installed 2.3.2 you can use the patch files
openphpnuke-2.3.2-to-2.3.3

We recommend to use the *.tgz or *.tar.bz2 files.
These are much smaller than Zip's. Windows can use theses files without trouble:
*.tgz can be handled with Powerarchiver, Winzip or Winrar.
Powerarchiver or Winrar can handle *.tar.bz2 . A pure " tar for Windows" is available as gnuwin32.

The Changelog you find here

The OPN-Team

Posted by spinne on 2006-04-05 10:13:41  (23833 * reads) 

comments?      Auf Facebook posten http://www.openphpnuke.com/system/article/index.php?opnparams=CntdOAI3CmdWPlU1

OPN 2.3.2 PHP 5.1.2 compatible

OPN DEV NewsIt's a bugfix and we make OPN PHP 5.1.2 compatible.
Pleas note something this OPN is not compatible witz PHP 5.1.1, read this article!

Find the full version here: OPN 2.3.2

Find the patch here: update 2.3.1 to 2.3.2

openphpnuke-2.3.2-full.* - The whole OPN, with modules and all languages included
openphpnuke-2.3.2-core.* - OPN without the modules
openphpnuke-2.3.2-modules-full.* - Only the modules complete
openphpnuke-2.3.2-module-xxx.* - single modules

If you have already installed 2.3.1 you can use the patch files
openphpnuke-2.3.1-to-2.3.2

We recommend to use the *.tgz or *.tar.bz2 files.
These are much smaller than Zip's. Windows can use theses files without trouble:
*.tgz can be handled with Powerarchiver, Winzip or Winrar.
Powerarchiver or Winrar can handle *.tar.bz2 . A pure " tar for Windows" is available as gnuwin32.

The Changelog you find here

The OPN-Team

Posted by spinne on 2006-03-09 19:46:40  (31005 * reads) 

1 comment       Auf Facebook posten http://www.openphpnuke.com/system/article/index.php?opnparams=CntdOAI3CmdWPlU2

OPN and PHP 5.1.1

OPN DEV NewsSome OPN users reported problems with the installation of OPN under PHP 5.1.1 (white page with step 6 e.g.).

These problems are not caused by OPN - its because of an known bug within PHP 5.1.1 (the treatment of $$vari and ${vari} called - see PHP Bug #35470).

This bug is fixed in PHP 5.1.2. Please update to PHP version 5.1.2, because PHP 5.1.1 has some more bugs which may crash the web server etc.

Posted by spinne on 2006-03-09 17:27:23  (30364 * reads) 

comments?      Auf Facebook posten http://www.openphpnuke.com/system/article/index.php?opnparams=CntdOAI3CmdWPlU3

Bugfix OPN-2.3.1

OPN DEV NewsIt's mostly a bugfix
Find the full version here: OPN 2.3.1

Find the patch here: update 2.3.0 to 2.3.1

openphpnuke-2.3.1-full.* - The whole OPN, with modules and all languages included
openphpnuke-2.3.1-core.* - OPN without the modules
openphpnuke-2.3.1-modules-full.* - Only the modules complete
openphpnuke-2.3.1-module-xxx.* - single modules

If you have already installed 2.3.0 you can use the patch files
openphpnuke-2.3.0-to-2.3.1

We recommend to use the *.tgz or *.tar.bz2 files.
These are much smaller than Zip's. Windows can use theses files without trouble:
*.tgz can be handled with Powerarchiver, Winzip or Winrar.
Powerarchiver or Winrar can handle *.tar.bz2 . A pure " tar for Windows" is available as gnuwin32.

The Changelog you find here

The OPN-Team

Posted by spinne on 2006-02-28 17:59:02  (27017 * reads) 

comments?      Auf Facebook posten http://www.openphpnuke.com/system/article/index.php?opnparams=CntdOAI3CmdWMVU%2B

Browse in our articles

 
Page took 0.07001 seconds to load