September 26, 2016

MyBB 1.6.5 Released To Address 3 Vulnerabilities

(LiveHacking.Com) – The MyBB community has released version 1.6.5 of its popular MyBB open source forum software. 1.6.5 addresses 3 security vulnerabilities and fixes 70 issues. The MyBB developers are classing 1.6.5 as a medium-sized security, maintenance and feature upgrade for the 1.6 series.

The security vulnerabilities fixed in 1.6.5 include:

  • An issue with an unparsed user avatar in the buddy list – reported by labrocca
  • Potential XSS vulnerability with validating usernames via AJAX – reported by Will G
  • CSRF vulnerability in ?language (see – Issue 1729)

Included in the new features of 1.6.5 are some enhancements to CAPTCHAs. 1.6.5 adds the ability to use a hidden CAPTCHA, a ‘honeypot’ field that typically only spam bots will fill in. If this field is filled in, the registration will be denied. Also the ability to choose between the MyBB CAPTCHA or reCAPTCHA has been added.

In October, MyBB discovered that a hacker had compromised the MyBB server and the 1.6.4 release was modified to contain a hidden vulnerability. To address this all future releases of MyBB (starting with this 1.6.5 release) will be downloaded directly from github. Also MD5 checksums will be published for each release to ensure that modified files are caught.

Here are the MD5 checksums for 1.6.5 are:

mybb_1605.zip: 032403cee9d25110370ace935803ab9d

1605_changedfiles.zip: 91e6055b758c0aa233503a2a7528a7b0

New Django Versions to Fix Security Problems

(LiveHacking.Com) – The Django team has released updated versions of the popular high-level Python Web framework to address several security related problems. Along with the updates to the 1.2 and 1.3 code bases the Django project has also released several advisories for other issues which, while not requiring changes to Django itself, will be of concern to its users.

  • Session manipulation – For some configurations Django sessions are stored directly in the root namespace of the cache, using session identifiers as keys. This results is a potential attack when coupled with an application storing user-supplied data in the cache. To mitigate this, the keys used to store sessions will now be namespaced in the cache.
  • Denial of service attack via URLField – Django includes a field type — URLField — which validates that the supplied value is a valid URL, it can be set to validate the URL by issuing a request to it. By default, the underlying socket libraries in Python do not have a timeout. This can manifest as a security problem in different ways including an attacker supplying a URL under his or her control, and which will simply hold an open connection indefinitely.
  • URLField redirection – When validating a URL, if the URL uses a redirect no validation of the resulting redirected URL is performed, including basic checks for supported protocols (HTTP, HTTPS and FTP). This creates a small window for an attacker to gain knowledge of, for example, server layout; a redirect to a file:// URL, for example, will tell an attacker whether a given file exists locally on the server.
  • Host header cache poisoning – In several places, Django itself, independent of the developer, generates full URLs. Currently this uses the value of the HTTP Host header from the request to construct the URL, which opens a potential cache-poisoning vector: an attacker can submit a request with a Host header of his or her choice, receive a response which constructs URLs using that Host header and, if that response is cached, further requests will be served out of cache using URLs containing the attacker’s host of choice.

The advisories issued discuss different ways in which an attacker could possibly bypass Django’s Cross Site Request Forgery protection mechanism. While not actual bugs in Django itself, they are potential vectors for attack that developers should take into consideration.

According to djangosites.org, Django is used by at least 4000 web sites and the figure is likley to be much higher. All Django users are encouraged to upgrade to the latest versions, and to implement the recommendations in advisories, immediately.

WordPress 3.1.1 Released – Includes Security Patches

The WordPress project has released WordPress 3.1.1, the open source blogging system. Version 3.1.1. is a maintenance and security update. The release announcement says that the update fixes almost thirty issues in 3.1, including:

  • Performance improvements
  • Fixes for IIS6 support
  • Fixes for taxonomy and PATHINFO (/index.php/) permalinks
  • Fixes for various query and taxonomy edge cases that caused some plugin compatibility issues

With regards to security, V3.1.1 addresses three security issues:

  • Better Cross-site request forgery (CSRF – pronounced sea-surf) prevention in the media uploader
  • Workaround a PHP crash in certain environments when handling esoteric links in comments
  • Fix for a cross-site scripting (XSS) issue

The WordPress team suggest you update to 3.1.1 promptly. You can download 3.1.1 or update automatically from the Dashboard → Updates menu in your site’s admin area.