A couple more notes when upgrading the Dashboard:
* Be sure to clear your CFML engine template cache and restart your
application to clear any Dashboard components that had been loaded into
the application memory.
In the future, we will blog more about this possible exploit -- how it
was discovered, what the specific exploit is, how it works and how to
resolve it. At the moment, we are refraining from discussing the
specifics since this is an active (although medium level) security
concern. A full postmortem will be coming in the next several weeks, as
it can provide information on securing your own applications.
Best
Team Mach-II
Peter, Matt, Kurt, Brian, Mike, Adrian, Jorge, Doug and Jason
Peter J. Farrell said the following on 09/25/2010 01:52 PM:
Re-posted from: http://post.ly/zoml
---
Team Mach-II is proud to present the latest stable releases of the
Mach-II Dashboard. There are two versions that have been released.
One version for the 1.6.x series of the Mach-II framework and one
version for the 1.8.x series of the Mach-II framework. We are now
using OhLoh to manage our releases so all downloads will be from our
OhLoh project listing.
*Security Notice*
Due to a possible directory traversal security flaw, we strongly
suggest upgrading to these versions as they contain the latest
enhancements and security patches. This flaw, if exploited correctly,
could lead to access to PNG, GIF, JPG, CSS and JS files that may not
necessarily be available from the website root. This flaw does not
affect any other file types.
*/We have received absolutely no reports of this exploit being used in
the wild and it only affects users of the Dashboard module when
deployed to production environments. This does NOT affect the core
Mach-II framework in any way./*
This is a same-day discovery release fix. We issued the 1.0.1
maintenance release and the 1.1.0 final / gold stable *on the same
day* this possible flaw was discovered. This possible flaw was
discovered by a source code audit performed by a Team Mach-II member.
*Security Resolution Paths*
1. Upgrade the version of the Dashboard you are using to one of the
versions below
2. If you cannot upgrade at this time, removing the dashboard from
production applications (i.e. commenting it out in your
mach-ii.xml file) will fix this security concern until you can
update your Dashboard source code
*Downloads*
*For Mach-II 1.6.x Series:*
Download Mach-II Dashboard 1.0.1 Stable (Maintenance Release for
1.0.0)
<https://www.ohloh.net/p/mach-ii/download?package=Dashboard&release=Mach-II+Dashboard+1.0.1>
*For Mach-II 1.8.x Series:*
Download Mach-II Dashboard 1.1.0 Stable
<https://www.ohloh.net/p/mach-ii/download?package=Dashboard&release=Mach-II+Dashboard+1.1.0>
*For Mach-II 1.9.x Series using integrated Dashboard:*
Use the latest BER zip or SVN version. Do not use milestone 1 or
milestone 2 on production
<http://www.mach-ii.com/nightly/MachII_1-9-0_nightly.zip>
--
You received this message because you are subscribed to Mach-II for
CFML list.
To post to this group, send email to
[email protected]
To unsubscribe from this group, send email to
[email protected]
For more options, visit this group at
http://groups.google.com/group/mach-ii-for-coldfusion?hl=en
***New URLs as of April 29th, 2010***
SVN: http://svn.mach-ii.com/machii/
Wiki / Documentation / Tickets: http://trac.mach-ii.com/machii/