ocPortal security update

We have just released ocPortal 7.1.6, primarily to get out some very important security fixes to ocPortal.

In the last few weeks two security research organisations have discovered some security holes and detailed them to us. They gave us a reasonable period of time to fix the problems, hence this release prior to the wider public disclosure of the vulnerabilities.

Action required

We recommend users upgrade to 7.1.6, which will resolve all these issues at once and also address a number of other compatibility issues that have recently come up (PHP 5.4, PayPal changes, a Google Chrome bug).

Vulnerabilities have been found in:
  1. The code editor and config editor
  2. The catalogues system
  3. The core system, specifically how redirects are handled (two different attack patterns)

If users are on a heavily customised version and cannot upgrade to a new patch release, the changes may be applied manually. A patch is attached illustrating the changes. Users who need to update manually and don't have experience with patch files should open a support ticket.

Attachment
» Download: ocportal-security-release.patch (12 Kb)


Future policy

Up to this point we have had a policy of not identifying vulnerabilities in ocPortal, to avoid alerting hackers to where they might concentrate their attention. Instead, we have promptly released a new version whenever an issue has been found and recommended that people upgrade to it.

The problem with this approach is that if people don't know a security hole exists, they may decide not to follow our upgrading advice and fall behind.

This has not really been a problem up to this point as vulnerabilities have only been found very rarely (about one every two years).

Now that ocPortal is under some increased scrutiny, we'll be changing our policy going forward.

The new policy is that we will give some general upfront advice, via our newsletter and site news, whenever an ocPortal vulnerability has been found. Within this advice we will give the time at which the security update will be released. This way, site owners can schedule their upgrade in advance so that it happens very close to the security update being released, and hackers get little chance to target a site before it is upgraded (once an update is released, it is available for hackers to study).

We carried out this policy today, although with only a few hours' notice. In the future, one or two weeks' notice will be more usual.

Credit

We would like to thank the following groups/individuals for working with us in a professional way on these issues:
  1. YGN Ethical Hacker Group
  2. High-Tech Bridge SA Security Research Lab
  3. Micheal Cottingham (for a vulnerability previously fixed, back in 7.1)
