[tngusers] TNG security update

Darrin Lythgoe darrin at lythgoes.net
Wed Feb 25 21:49:04 CST 2009


Hi everyone,

First of all, if you're subscribed to the tngusers2 discussion mailing list, this will be old news for you. Everyone
else, please keep reading.

Over the past week or so, a few dozen TNG sites have been hacked by someone who seems only to care about replacing the
home page (index.php or index.html). If you find that your home page has been replaced, just upload your index.php file
again to restore your site.

As for the vulnerability that allowed this to happen, it took a few days to sort things out, but I believe the problem
has now been isolated. To patch the hole and prevent it from being exploited on your site, please perform ONE of the
following, even if you're running 7.0.3:

1) Edit your begin.php file and replace the "really long" third line with this code (should all be one line):

if(isset($cms['support']) || isset($cms['tngpath']) || isset($_GET['lang']) || isset($_GET['mylanguage']) ||
isset($_GET['language']) || isset($_GET['session_language']) || isset($_GET['rootpath'])) die("Sorry!");

OR

2) Go to the v7 downloads page and get either the full version 7.0.3 or any of the updates. Extract the begin.php file
and upload it to your site, overwriting the current begin.php. Of course if you're still at 7.0.2 or lower, you can
simply download and install the upgrade to 7.0.3. If you downloaded the upgrade prior to yesterday (24 Feb 2009), you
must download the file again.

If you choose the first option and your site no longer works after posting the change, please check to make sure that
you've entered everything correctly. Also check to see if your editor has added any blank lines at the end. If so,
remove them. Please exhaust these options before writing to tell me that the changes broke your site.

These changes and even more security measures will be incorporated into the next release.

Sincerely,
Darrin Lythgoe
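
Once the guard above is in place it can be verified from outside. The script below is an added example, not TNG code and not part of this announcement: it requests the site's index.php with each of the five GET parameter names that the patched begin.php rejects and reports whether the response is the guard's "Sorry!" text. The $cms checks are internal state and cannot be exercised this way, so only the $_GET names are probed; the example base URL, the harmless "probe" value and the "body is exactly the guard text" heuristic are assumptions, and the script is meant to be run only against a site you administer.

```python
"""Check a TNG install for the begin.php parameter guard (added example).

Usage: python check_tng_guard.py http://your.site/tng/index.php
Exit status 1 if any guarded parameter is still accepted.
"""
import sys
import urllib.error
import urllib.parse
import urllib.request

# GET parameter names rejected by the patched begin.php (from the post).
GUARDED_PARAMS = ("lang", "mylanguage", "language", "session_language", "rootpath")
# Text emitted by the guard's die() call.
GUARD_RESPONSE = "Sorry!"


def probe_url(base_url, name, value="probe"):
    """Append name=value to base_url with ? or & as appropriate.

    'probe' is an assumed harmless value; the guard rejects the mere
    presence of the parameter, whatever its value.
    """
    sep = "&" if urllib.parse.urlparse(base_url).query else "?"
    return base_url + sep + urllib.parse.urlencode({name: value})


def classify(body):
    """Return 'patched' or 'unpatched' for one response body.

    Heuristic (assumption): a patched site dies on line 3 of begin.php
    before rendering anything, so the whole body is the guard text,
    allowing for a stray BOM or whitespace. A full page means the
    parameter was accepted.
    """
    text = body.lstrip("\ufeff").strip()
    return "patched" if text == GUARD_RESPONSE else "unpatched"


def fetch(url, timeout=10):
    """GET url and return the body as text.

    die() does not change the HTTP status, but the body of an error
    response is read too so a 4xx/5xx page is still classified.
    """
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.read().decode("utf-8", "replace")


def check_site(base_url, fetch_fn=fetch):
    """Probe every guarded parameter; returns {name: 'patched'|'unpatched'}.

    fetch_fn is injectable so the logic can be exercised offline.
    """
    return {name: classify(fetch_fn(probe_url(base_url, name)))
            for name in GUARDED_PARAMS}


if __name__ == "__main__":
    # Assumed example target; replace with your own site's index.php.
    target = sys.argv[1] if len(sys.argv) > 1 else "http://example.com/tng/index.php"
    results = check_site(target)
    for name, status in results.items():
        print(f"{name:18s} {status}")
    if any(status == "unpatched" for status in results.values()):
        sys.exit(1)
```

A site that answers with its normal home page to any of these requests has not picked up the new begin.php (check that the file was uploaded to the directory index.php actually includes it from). The fetch function is separated from the classification so the decision logic can be tested with canned responses.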
