
Security Vulnerability (Backup Module in WB Core)

A security vulnerability in the backup module in WebsiteBaker Core CMS has been found.
Extended information: Anyone can use the backup module from anywhere and download the backup directly to any PC the "exploiter" chooses, without you noticing anything.

Affected systems
- WebsiteBaker version: 2.7, 2.8.0, 2.8.1 (until SVN revision number 1308).
- All installations with the installation of the Backup module are affected. The Backup module is part of WebsiteBaker Core and installed per default on all installations!

Vulnerability Impact
- An exploit has been published on "known exploit sites".
- With this exploit, anyone can download the whole database, crack the passwords and take over the WebsiteBaker installation.

Maximum Severity Rating
- Highest (for systems matching all of the conditions under the Affected Systems section).
- None (for all other systems, e.g. with the Backup module uninstalled, or version 2.6.7 and lower).

Instructions how to patch
- There is no supported patch available yet. Uninstall the backup module immediately.
- Please change all passwords in every WebsiteBaker installation that is affected. Also let all your users know.

Further Q&A

Q: How can I deinstall the backup module?

A: There are different ways; unfortunately it depends on your server configuration.
First way:

1. Remove modules/backup with your FTP client
2. Create a new section in "Pages" of type "Code" with visibility "registered" (to keep regular users out)
In the code section paste:
Code:
// remove the backup module's row from the addons table so WB no longer lists it
$results = $database->query("DELETE FROM ".TABLE_PREFIX."addons WHERE name = 'backup'");

3. Call the newly created page; this runs the PHP code, which removes the backup entry from the addons list
4. Remove the page with the Code section

Second way:
Just uninstall the "backup" module via "Add-ons" -> "Modules" -> "deinstall module".

Q: Why is the backup module not being fixed?
A: The QA team has declared the module deprecated as of now. There are several reasons: backing up the complete WB installation is not really useful, since there is no easy way to upload (restore) the backup, and the module has further bugs with modern databases.

Q: Will there be a new method of backup?
A: Perhaps there will be in the future, but that is not at all certain. From SVN revision 1308 (2.8.1) on, there will not be any official backup module for WebsiteBaker until we let you know.

Q: How can I backup WebsiteBaker?
A: Your web host surely provides some database management tool, e.g. phpMyAdmin. Please use it to back up your database. Also make sure to back up all other files via FTP, such as /pages, /media, modules and templates.
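The two Q&A items above (uninstalling the vulnerable module, and backing up without it) can be combined into a small server-side script. The following is an added example, not code from the WebsiteBaker project: it checks that modules/backup is really gone, dumps the database with mysqldump and archives the directories the answer lists. It assumes shell access to the server, that the WebsiteBaker document root is passed as the first argument, and that the database credentials are in a MySQL option file (path in MYSQL_OPTS, a [client] section) so the password never appears on the command line.

```shell
#!/bin/sh
# Added example (not part of WebsiteBaker): verify the deprecated backup
# module has been removed, then back up database and files ourselves.
# Assumptions: $1 = WebsiteBaker root directory, $2 = database name,
# $3 = output directory, $MYSQL_OPTS = option file with [client] credentials.

# Returns 0 when modules/backup no longer exists, 1 when it is still present.
wb_backup_module_absent() {
    if [ -d "$1/modules/backup" ]; then
        return 1
    fi
    return 0
}

# Prints, one per line, the directories named in the advisory that exist
# under the given root (relative names, suitable for tar -C).
wb_backup_dirs() {
    root="$1"
    for d in pages media modules templates; do
        [ -d "$root/$d" ] && printf '%s\n' "$d"
    done
    return 0
}

# Writes a timestamped directory with database.sql and files.tar.gz.
wb_backup() {
    root="$1"; dbname="$2"; outdir="$3"
    stamp=$(date +%Y%m%d-%H%M%S)
    work="$outdir/wb-backup-$stamp"
    mkdir -p "$work" || return 1

    # The vulnerable module must not stay installed; warn loudly if it does.
    if ! wb_backup_module_absent "$root"; then
        echo "WARNING: $root/modules/backup still exists - uninstall it first" >&2
    fi

    # Consistent dump; credentials come from the option file, not argv.
    mysqldump --defaults-extra-file="$MYSQL_OPTS" --single-transaction \
        "$dbname" > "$work/database.sql" || return 1

    # Archive only the directories that actually exist.
    # shellcheck disable=SC2046  (names are fixed words, splitting is intended)
    tar -czf "$work/files.tar.gz" -C "$root" $(wb_backup_dirs "$root") || return 1

    echo "$work"
    return 0
}

# Usage: MYSQL_OPTS=/path/to/my.cnf sh wb-backup.sh /var/www/wb wb_database /var/backups
if [ "$#" -ge 3 ]; then
    wb_backup "$1" "$2" "$3"
fi
```

Keep the option file and the output directory outside the web root and readable only by the account that runs the script; the whole point of the advisory is that backups reachable over HTTP are a database leak waiting to happen.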

Acknowledgements
We want to thank pelotillehuito and FrankH for reporting the exploit and the QA-team for the quick & clear reaction.
