A security vulnerability in the backup module in WebsiteBaker Core CMS has been found.
Extended information: Anybody can call the backup module from anywhere and download the backup directly to any PC the "exploiter" likes, without you noticing anything.
- WebsiteBaker version: 2.7, 2.8.0, 2.8.1 (up to SVN revision 1308).
- All installations with the Backup module installed are affected. The Backup module is part of WebsiteBaker Core and is installed by default on all installations!
- An exploit has been published on "known exploit sites".
- With this exploit anybody can download the whole database, crack the passwords and take over the WebsiteBaker installation.
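Because the module answers to anyone, the web server's access log is the place to look for whether a backup has already been pulled. The following PHP script is an added example, not part of this advisory or of WebsiteBaker itself: it parses combined-format (Apache/nginx) access log lines and groups, per client IP, every request into the module's directory. The advisory names the directory (modules/backup) but not the script inside it, so matching on the directory prefix is an assumption made here; the log lines are constructed with documentation IP ranges.

```php
<?php
// Added example, not part of the advisory: scan a combined-format access log
// for requests into the backup module's directory. Matching on the directory
// prefix /modules/backup/ is an assumption; the advisory names no script file.

/** Parse one combined-format access log line into its fields, or return null. */
function parseAccessLogLine(string $line): ?array
{
    // ip ident user [time] "METHOD /path PROTO" status bytes "referer" "agent"
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return [
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'path'   => $m[4],
        'status' => (int) $m[5],
        'bytes'  => $m[6] === '-' ? 0 : (int) $m[6],
    ];
}

/**
 * Return, per client IP, the requests that hit $prefix (query string ignored).
 * A 200 response with a large body from this directory is the signal that a
 * backup archive was actually served, not merely that the directory was probed.
 */
function findBackupModuleHits(string $log, string $prefix = '/modules/backup/'): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $req = parseAccessLogLine($line);
        if ($req === null) {
            continue;
        }
        $path = parse_url($req['path'], PHP_URL_PATH);
        if ($path === false || $path === null) {
            $path = $req['path'];
        }
        if (strpos($path, $prefix) !== 0) {
            continue;
        }
        $hits[$req['ip']][] = $req;
    }
    return $hits;
}

// Constructed sample lines (placeholder IPs from the documentation ranges).
$sampleLog = <<<'LOG'
203.0.113.7 - - [12/Mar/2010:10:15:02 +0100] "GET /modules/backup/ HTTP/1.1" 200 1534 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2010:10:15:09 +0100] "GET /modules/backup/?a=1 HTTP/1.1" 200 2097152 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Mar/2010:10:16:40 +0100] "GET /pages/home.php HTTP/1.1" 200 8711 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Mar/2010:10:17:03 +0100] "GET /admin/login/index.php HTTP/1.1" 200 2122 "-" "Mozilla/5.0"
LOG;

foreach (findBackupModuleHits($sampleLog) as $ip => $reqs) {
    $bytes = array_sum(array_column($reqs, 'bytes'));
    printf("%s: %d request(s) into /modules/backup/, %d bytes served\n", $ip, count($reqs), $bytes);
    foreach ($reqs as $r) {
        printf("  [%s] %s %s -> %d\n", $r['time'], $r['method'], $r['path'], $r['status']);
    }
}
```

On the constructed input only 203.0.113.7 is reported, with two requests and about 2 MB served; the second request, a 200 with a multi-megabyte body, is the kind of entry that should be treated as a completed download of the database and trigger the password reset described under "Instructions on how to patch". Run it against the real log with `file_get_contents()` in place of `$sampleLog`.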
Maximum Severity Rating
- Highest (for systems matching all of the conditions under the Affected Systems section).
- None (for all other systems, e.g. with the Backup module deinstalled, and version 2.6.7 and lower).
Instructions on how to patch
- There is no supported patch available yet. Deinstall the backup module immediately.
- Please change all passwords in your WebsiteBaker installations that are affected. Also let all your users know.
Q: How can I deinstall the backup module?
A: There are different ways - unfortunately it depends on your server configuration.
1. Remove modules/backup with your FTP browser.
2. Create a new section in "Pages" of type "Code" with visibility "registered" (so that regular visitors cannot reach it).
In the code section paste:
$results = $database->query("DELETE FROM ".TABLE_PREFIX."addons WHERE name = 'backup'");
3. Call the newly created page; this runs the PHP code, which removes the backup entry from the addons list.
4. Remove the page with the Code section.
Alternatively, just deinstall the "backup" module in "Add-ons" -> "Modules" -> "deinstall module".
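Whichever way you choose, check afterwards that nothing is left behind: the files under modules/backup are what is reachable from the web, while the row in the addons table is what makes the module show up in the backend. The following PHP script is an added example, not part of this advisory or of WebsiteBaker: it reports both leftovers. It uses the $database object and the TABLE_PREFIX constant that WebsiteBaker provides (as the snippet in step 2 does) and assumes that WB_PATH is the install root as defined in config.php and that the query result offers numRows(); when pasted into a "Code" section, drop the opening <?php tag as in step 2.

```php
<?php
// Added example, not part of the advisory: confirm that the backup module is
// really gone. Assumptions: $database and TABLE_PREFIX as in step 2 above,
// WB_PATH is the install root from config.php, query results offer numRows().

/**
 * Return a list of leftovers; an empty list means the module is fully removed.
 * Both places matter: the files under modules/backup are what is reachable
 * from the web, the addons row is what makes the module show up in the backend.
 */
function backupModuleLeftovers($database, string $wbPath): array
{
    $leftovers = [];

    // 1) filesystem: the module directory must be gone
    $dir = rtrim($wbPath, '/\\') . '/modules/backup';
    if (is_dir($dir)) {
        $leftovers[] = 'directory still present: ' . $dir;
    }

    // 2) database: no 'backup' row may remain in the addons table
    $sql = "SELECT name FROM " . TABLE_PREFIX . "addons WHERE name = 'backup'";
    $result = $database->query($sql);
    if ($result && $result->numRows() > 0) {
        $leftovers[] = "row 'backup' still present in " . TABLE_PREFIX . 'addons';
    }

    return $leftovers;
}

$leftovers = backupModuleLeftovers($database, WB_PATH);
if (empty($leftovers)) {
    echo 'backup module fully removed';
} else {
    echo 'backup module NOT fully removed:<br />' . implode('<br />', $leftovers);
}
```

If the directory is still reported after deinstalling via "Add-ons", remove it by FTP as in step 1; a leftover addons row alone does not expose anything from the web, but it should still be deleted with the query from step 2 so the module cannot be reactivated by mistake.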
Q: Why is the backup module not being fixed?
A: The QA team has declared the module deprecated from now on. There are several reasons: backing up the complete WB installation is of little use because the module offers no easy way to upload the backup again, and it has further bugs with modern databases.
Q: Will there be a new method of backup?
A: Perhaps there will be in the future, but that is not at all certain. From SVN revision 1308 (2.8.1) on, there will be no official backup module for WebsiteBaker until further notice.
Q: How can I backup WebsiteBaker?
A: Your web host surely provides a database management tool, e.g. phpMyAdmin. Please use it to back up your database. Also make sure to back up all other data reachable via FTP, such as /pages, /media, modules and templates.
We want to thank pelotillehuito and FrankH for reporting the exploit and the QA-team for the quick & clear reaction.