WebsiteBaker is an easy, secure, flexible, and extensible content management system. Templates can be created within minutes and are powered by (X)HTML, CSS, and jQuery. Droplets provide a new and revolutionary way of inserting PHP code everywhere you want. Many extensions are available and can be installed and used with two clicks. A flexible API is also provided.

Security Vulnerability (Backup Module in WB Core) 28 Mar 2010 15:42

A security vulnerability in the backup module of the WebsiteBaker Core CMS has been found.

Extended information: The backup module can be invoked by anyone, from anywhere, without authentication. An attacker triggers the backup and downloads it directly to a PC of their choosing, and the site owner notices nothing.

Affected systems
- WebsiteBaker versions 2.7, 2.8.0 and 2.8.1 (up to SVN revision 1308).
- All installations that have the Backup module installed. The Backup module is part of WebsiteBaker Core and is installed by default on all installations!

Vulnerability impact
- An exploit has been published on "known exploit sites".
- With this exploit anyone can download the whole database, crack the password hashes it contains and take over the WebsiteBaker installation.

Maximum severity rating
- Highest (for systems matching all of the conditions under Affected systems).
- None (for all other systems, e.g. with the Backup module uninstalled, or version 2.6.7 and lower).

Instructions how to patch
- There is no supported patch available yet. Uninstall the backup module immediately.
- Change all passwords in every affected WebsiteBaker installation and inform all your users. A downloaded database dump contains the password hashes, so every credential stored in it must be treated as compromised even after the module is gone.

Further Q&A

Q: How can I uninstall the backup module?
A: There are different ways; unfortunately it depends on your server configuration.

First way:
1. Remove modules/backup with your FTP client.
2. Create a new section in "Pages" of type "Code" with visibility "registered" (to keep regular users out). In the code section paste:

   Code:
   $results = $database->query("DELETE FROM ".TABLE_PREFIX."addons WHERE name = 'backup'");

3. Call the newly created page; this runs the PHP code, which removes the backup entry from the addons list.
4. Remove the page with the Code section.

Second way: Just uninstall the "backup" module in "Add-ons" -> "Modules" -> "Uninstall module".

Note that removing only the modules/backup directory leaves the module registered in the addons table, and removing only the table row leaves the module's code on the server; both steps are needed.

Q: Why is the backup module not being fixed?
A: The module is declared deprecated from now on by the QA team. That has several reasons: it is not really useful to back up the complete WB installation, as there is no easy way to upload the backup again, and it has further bugs with modern databases.

Q: Will there be a new backup method?
A: Perhaps in the future, but that is not at all certain. From SVN 1308 (2.8.1) on there won't be any official backup module available for WebsiteBaker until we let you know.

Q: How can I back up WebsiteBaker?
A: Your web host surely offers some database management tool, e.g. phpMyAdmin. Use it to back up your database. Also make sure to back up all other FTP data such as /pages, /media, modules and templates, and so on.

Acknowledgements: We want to thank pelotillehuito and FrankH for reporting the exploit and the QA team for the quick and clear reaction.
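The version conditions from the Affected systems section and the two-step removal from the first way above (delete modules/backup, then delete the "backup" row from the addons table), as an added example that is not WebsiteBaker project code: a small Python audit-and-remediation script. It assumes a local copy of the installation tree (e.g. over SSH or an FTP mirror), any DB-API 2.0 connection to the WB database (sqlite3 is used here only as a stand-in for MySQL so the script runs offline), a constructed addons table that has only a name column, and caller-supplied version and SVN revision values; the table prefix is concatenated into the query exactly as the advisory's own TABLE_PREFIX snippet does.

```python
"""Audit and remediation helper for the WebsiteBaker backup-module advisory.

Added example, not WebsiteBaker project code. Assumptions (not from the advisory):
  - the install root is a local directory;
  - the database is reachable through a DB-API 2.0 connection; sqlite3 is only a
    stand-in for MySQL so this runs offline;
  - the addons table is constructed with just a `name` column;
  - version and SVN revision are supplied by the caller.
"""
import os
import shutil
import sqlite3
import tempfile

# From the advisory: 2.7, 2.8.0 and 2.8.1 up to SVN revision 1308 are affected.
AFFECTED_VERSIONS = {"2.7", "2.7.0", "2.8.0", "2.8.1"}
FIXED_SVN_REVISION = 1308


def version_affected(version, svn_revision=None):
    """Version condition from the 'Affected systems' section."""
    if version not in AFFECTED_VERSIONS:
        return False
    # From r1308 on the module is no longer shipped at all.
    if svn_revision is not None and svn_revision >= FIXED_SVN_REVISION:
        return False
    return True


def backup_module_dir_present(root):
    """Is the module's code still on disk?"""
    return os.path.isdir(os.path.join(root, "modules", "backup"))


def backup_addon_registered(conn, table_prefix):
    """Is the module still listed in the addons table?"""
    # Identifiers cannot be bound as parameters, so the prefix is concatenated
    # like the advisory's TABLE_PREFIX snippet; only the value is parameterised.
    # Never take table_prefix from untrusted input.
    cur = conn.cursor()
    cur.execute(f"SELECT COUNT(*) FROM {table_prefix}addons WHERE name = ?", ("backup",))
    return cur.fetchone()[0] > 0


def installation_affected(root, conn, table_prefix, version, svn_revision=None):
    """Affected only if the version matches AND the module is still installed."""
    return version_affected(version, svn_revision) and (
        backup_module_dir_present(root) or backup_addon_registered(conn, table_prefix)
    )


def remove_backup_module(root, conn, table_prefix):
    """Both steps of the advisory's 'first way'. Returns the number of addons rows deleted."""
    module_dir = os.path.join(root, "modules", "backup")
    if os.path.isdir(module_dir):
        shutil.rmtree(module_dir)
    cur = conn.cursor()
    cur.execute(f"DELETE FROM {table_prefix}addons WHERE name = ?", ("backup",))
    conn.commit()
    return cur.rowcount


def build_demo(root):
    """Constructed fixture: a fake WB tree plus an in-memory addons table (prefix wb_)."""
    os.makedirs(os.path.join(root, "modules", "backup"), exist_ok=True)
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wb_addons (name TEXT)")
    conn.executemany("INSERT INTO wb_addons VALUES (?)",
                     [("backup",), ("droplets",), ("wysiwyg",)])
    conn.commit()
    return conn


def run_demo():
    """Audit the constructed installation, remediate it, and audit again."""
    root = tempfile.mkdtemp(prefix="wb_demo_")
    try:
        conn = build_demo(root)
        before = installation_affected(root, conn, "wb_", "2.8.1")
        deleted = remove_backup_module(root, conn, "wb_")
        after = installation_affected(root, conn, "wb_", "2.8.1")
        remaining = conn.execute("SELECT COUNT(*) FROM wb_addons").fetchone()[0]
    finally:
        shutil.rmtree(root, ignore_errors=True)
    return {"before": before, "rows_deleted": deleted, "after": after,
            "other_addons_kept": remaining}


if __name__ == "__main__":
    print(run_demo())
```

Run it against a real installation by replacing build_demo with the actual install path and a MySQL connection (e.g. via a DB-API driver) and the site's TABLE_PREFIX. Removing the module does not undo a dump that has already been taken, so the password change the advisory calls for is still required afterwards.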

    Release Notes: Several minor bugs and one minor security problem have been fixed. Some modules have been updated to new versions. The backend template was updated and optimized. Preparation was made for multilingual Web sites. FCKeditor was updated to version 2.6.5. The jQuery framework was updated to version 1.4.1. The droplet module was updated to version 1.0.2. In addition to a full installation of WebsiteBaker 2.8.1, upgrades are possible from WebsiteBaker 2.7.0 or later.


