[Security] New Security Filters


Wednesday, August 3rd, 2011 - Security

We are going to be updating some software on the servers that will add additional layers of security to the frontend of the servers.

This software aims to filter out malicious requests that may be part of an attack on your website or a hacking attempt. The software is not perfect, no layer of security will be, but it does a good job of limiting these types of attacks. As always, there is no substitute for updating the scripts on your website and keeping them up-to-date.

We have tested this new filtering software on a few of our servers with great results. We will be expanding this to all of our servers, perhaps early next week (August 8th – August 12th).

Our tests have shown very minimal impact on end-users' websites. However, there is a possibility that this software can interfere with the normal operation of your website, depending on how arguments and data are passed around on your website. Exemptions can be made for your website, but unfortunately we won't know that exemptions need to be made unless you tell us that you are experiencing problems.

This security software should allow for a more safe and secure hosting environment.

Steven


[Security] TimThumb vulnerability – WordPress


Tuesday, August 2nd, 2011 - Security

UPDATE Aug 2, 2011 02:29PM CDT — If you want to know whether your website is vulnerable to this, open a support ticket and our technicians will look at your account and work with you to minimize this threat.

A security issue has been disclosed in the TimThumb project. This vulnerability allows a hacker or malicious user to hack into your account.

Information about this vulnerability and a disclosure is at:

Zero Day Vulnerability in many WordPress Themes

This vulnerability is in the timthumb.php file, and is included in a lot of WordPress themes (though it is not necessarily exclusive to WordPress scripts/themes).

Really, this should be addressed by the WordPress theme creators, whoever wrote the WordPress theme you may be using for your WordPress script, or by the developer of whatever application you are using. However, as an end-user YOU will need to be responsible and update your theme or your script to resolve this issue. A developer releasing a new version to fix this insecurity will do you absolutely no good unless you explicitly upgrade the theme or script.

There is an update to the timthumb.php file, version 1.34, that fixes this insecurity; the file is posted on Google Code:

http://code.google.com/p/timthumb

At this time, I am mixed on how to react to this. We have a lot of WordPress scripts on our servers. I am afraid that not many of these users will update their themes to fix this issue, or perhaps the theme makers themselves will not release a fix for this in a timely manner. This will result in a lot of WordPress scripts being hacked. I can disable the timthumb.php file on the servers; this would mean any website that uses the timthumb.php file would stop functioning correctly, but it would save those accounts from being hacked and compromised. Right now, I am probably going to wait and see how the theme makers respond to this issue, and hope that they act accordingly and that WordPress and TimThumb users act responsibly and keep their scripts and themes up-to-date.

For WordPress users, I would recommend that you contact the developer or vendor (the website that you downloaded or purchased your WordPress theme from) and ask them if they are aware of this vulnerability, if it applies to your WordPress theme, and what their plans are for fixing this issue.
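Here is a shell script, added as an example and not part of the original post or the TimThumb project, that inventories the timthumb.php copies under a web root and flags any whose declared version is older than the 1.34 fix mentioned above, so an operator can decide per account whether to upgrade or disable the file. It assumes TimThumb records its version in a PHP `define ('VERSION', '...')` line; the sample directory tree it audits is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: inventory every timthumb.php
# under a web root and flag copies older than 1.34, the fixed release the
# post names. Assumption: the file declares its version with a PHP line
# such as  define ('VERSION', '1.33');  (pattern below, not taken from the page).

# True (exit 0) when dotted version $1 is numerically lower than $2.
# Plain string comparison would wrongly rank 1.9 above 1.34.
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" |
        sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)" = "$1" ]
}

# Print one line per timthumb.php found: path, declared version, status.
# Status is VULNERABLE (< 1.34), ok (>= 1.34) or unknown (no version line),
# so an operator can decide per account whether to upgrade or disable it.
audit_timthumb() {
    find "$1" -type f -name 'timthumb.php' 2>/dev/null | while IFS= read -r f; do
        ver=$(sed -n "s/^[[:space:]]*define[[:space:]]*([[:space:]]*['\"]VERSION['\"][[:space:]]*,[[:space:]]*['\"]\([0-9.]*\)['\"].*/\1/p" "$f" | head -n 1)
        if [ -z "$ver" ]; then
            status=unknown
        elif version_lt "$ver" 1.34; then
            status=VULNERABLE
        else
            status=ok
        fi
        printf '%s\t%s\t%s\n' "$f" "${ver:-?}" "$status"
    done
}

# Constructed sample web root (not real customer data): one old copy, one
# fixed copy, one file with no version constant. Runs the audit over it.
demo_audit() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/site-a/wp-content/themes/alpha" \
             "$tmp/site-b/wp-content/themes/beta" "$tmp/site-c/lib"
    printf '<?php\ndefine ("VERSION", "1.19");\n' > "$tmp/site-a/wp-content/themes/alpha/timthumb.php"
    printf "<?php\ndefine ('VERSION', '1.34');\n" > "$tmp/site-b/wp-content/themes/beta/timthumb.php"
    printf '<?php\n// no version constant here\n' > "$tmp/site-c/lib/timthumb.php"
    audit_timthumb "$tmp" | sort
    rm -rf "$tmp"
}

demo_audit
```

Point `audit_timthumb` at the real document root (for example `/home`) instead of the constructed tree to get the same three-column report for every hosted account.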

Steven


[Security] osCommerce Insecurity leads to leak


Tuesday, August 2nd, 2011 - Security

I found this article concerning the insecurities of osCommerce and how a vulnerability in the software led to a mass compromise of potentially confidential information, such as credit card information.

Sneaky Trojan exploits e-commerce flaws (theregister.co.uk)

osCommerce has never been a favorite shopping cart application of mine. The seeming lack of attention the osCommerce developers give to the vulnerabilities in their product means that an osCommerce-reliant website may be vulnerable to a compromise at any time.

If you use osCommerce on your website, I would encourage you to put a lot of thought into switching to a different system, one that updates frequently to fix known security vulnerabilities. I would also encourage you to check out Mal's E-Commerce hosted solution.

Steven


[Updates] Drupal 7.7 Released


Thursday, July 28th, 2011 - Updates

A new version of Drupal has been released, version 7.7.

http://drupal.org/drupal-7.6

Note: There were some discrepancies in the releases. When Drupal 7.6 was released, it was still reporting itself as Drupal 7.5. Drupal 7.7 was released to fix this display bug. Drupal 7.6 and Drupal 7.7 are essentially the same version.

Steven


[Updates] Joomla! 1.6.6 Release


Wednesday, July 27th, 2011 - Updates

Joomla! today released a new version of Joomla! 1.6, version 1.6.6. The release notes are at:

http://www.joomla.org/announcements/release-news/5383-joomla-166-released.html

This is a security update intended for users of Joomla! 1.6 that are otherwise unable to upgrade to Joomla! 1.7.0. All users are encouraged to upgrade to Joomla! 1.7.0 and avoid this 1.6.6 update if at all possible.

Apparently my understanding of the situation was wrong. I was under the impression that there would be no further upgrades to Joomla! 1.6 as everything had been moved to 1.7.0. However, this does not appear to be the case, although Joomla! 1.6 now has an end-of-life date of August 19th, 2011, so all users will need to be using Joomla! 1.7.0 before then.

In my opinion, this is one thing that hampers Joomla!: there are too many different versions of the software, and a lot of components and extensions that don't stay up-to-date. I believe Joomla! would be better served if they stuck to just one version and forced, or strongly encouraged, all users to keep their scripts up-to-date with that version. It is difficult to know if your Joomla! script is safe and free of any security vulnerabilities when there are several different releases.

At any rate, we wanted our clients to be aware of this, and encourage them to upgrade to Joomla! 1.7.0 before August 19th, 2011.

Steven