SECURITY FIX! Users using any version prior to 1.5.1

[Jeff Lewis]

Don't feel terrible, it was an accident on our part and our fault. It can be annoying but some people are acting like their life is going to end because they received an email about a security fix 7-10 times...

Just make sure you patch your install

[Sergio]

Thanks for the advise, I have fixed it.

I'm glad that there were 9 or 10 emails, because I use some strong email filters, and the filter program has considered them as spam, as (I think) "sent to nobody".

But with nine equal subjects in the report I have noticed them.

Uuuhhh, pherhaps I'm not so clear  , however...

THANKS !  

[Overseer]

Thanks Snoopy. Not sure why Overseer is so mad...his messages table got seriously corrupted this week and he should ask Corey who was helping fix it...so a few extra emails by accident shouldn't be too hard to swallow

umm unrelated but.. i'm very grateful to him and I will continue to bring him customers (4 to my knowledge so far).

lol jeff i'm not mad. i was just saying that (before it was pointed out it was a bug) it was weird to have those mails and  if it were on purpose that I thought it was out of order.  am just shocked that some people think thats a legit way to highlight the issue to people and that they'd leap to defend such an action.

now for some irony

just an idea. but it might be a good idea to do one more which explains about the email problem and the security fix because of those 'bad mails' which lead to a now deleted post.

[sensovision]

It's nice to see that many people to pay attention to fix now, so I believe that this bug in this case were good as it's force people to pay attention for security measures... I carefully read all anouncements but I didn't get this announcement... maybe it was becasue it's sended less or more in the time when problem have major slowdown across the web due to worm attack, so anyway I'm sure that I didn't get first announcement and second was from some person who I never heard about...
so I believe 10 or more mails is good price to pay for saving you and your members from hackers attacks.

[Jeff Lewis]

Yes, I've heard from at least 12 people already that ignored the first announcement on this...

[acf [delete me]!]

I've pluged the hole

thanx yabb team  

And stop spamming in this tread about the many mails you get. Beter to have a lot of mails then to have board that is cracked.

peace  

[UKA_Bart]

If the little problem with the extra emails saves at least one persons forum I'm fine with that.

I agree. Send me as many warningmails as you (or your script :-)  likes. I don't mind. As long as I'm warned about something that potentially makes me lose my forum all together.

Thanks!  

[phark]

Thats BS.. one is enuf.. anymore is just spam.

On something this important, I don't mind getting 10 emails.  Stop your crying.  

[Agelmar]

Just out of curiosity Jeff, was this a bug in NotifyUsersNewAnnouncement() that we all need to patch our installations for, or was this some outside script you coded to do announcements for YSE? (i.e. do I need to worry about infinite looping on my board, or is this a script not a part of YSE?)

[Jeff Lewis]

I'm still trying to see if anyone messed with the announcement script. It was fine during our last announcement but we knew it needed work so someone may have screwed with it...

[eknee]

I've been hacked by this.  I've made the update to Packages.php, but is there anyway to recover the database?

Where other user names and passwords in the MySQL database exposed?

Thanks,
Eric

[Alex Rolko]

passwords are encrypted, so all passwords were safe.

[eknee]

Ok.  Thank you.

In case you're collecting this type of info, here's an entry from my log file...

200.181.183.199 - - [02/Feb/2003:15:26:16 -0800] "GET /modules/forum/index.php H
TTP/1.1" 200 5984 "http://www.google.com.br/search?q=Powered+by+YaBB+SE+site:.or
g&hl=pt&lr=&ie=UTF-8&start=180&sa=N" "Mozilla/4.0 (compatible; MSIE 5.0; Windows
 98; DigExt)"

[Jeff Lewis]

The same idiots going around and abusing this exploit...this is why we posted an announcement about it when it first came out...sadly not everyone has patched up.

[Ichiban]

Thanks for the update guys. Didn't mind the extra emails at all. Extremely small price to pay IMHO.

I kind of doubt my little personal board was exploited, but is there anything in particular that might indicate it was owned? Something in the access log perhaps or a likely modification that might be made via this vulnerability?

Just want to make sure everything is OK now that it's been patched. I think I understand what the hole was about, but I don't have a feel for the limits of the damage that might have been done.