December 7th 2010
Security Advisory: Please update MWPSK to version 1.3.1
We discovered that a critical security issue enables attackers to upload files to websites running MWPSK 1.3.0.
We rate the severity of the issue as HIGH and are applying the Emergency operation procedure (Security Operation Procedures) to solve the problem. We invite everyone else to act according to these recommendations as well; we created them to cope with such an incident.
Please replace your current ftb.imagegallery.aspx in the root of the installation of MWPSK with the fixed one!
When will a solution for the problem be available?
The problem is solved in the latest version (1.3.1) of the starter kit.
What does this really mean for my installations?
Someone who knows how to do it could potentially gain access to any data file stored as part of any MWPSK-based website and upload their own files or overwrite existing ones.
What can I do as a first measure to defend my website against such a hacker attack?
You should back up your site now by downloading the whole content of the \app_data folder to your local machine.
Then replace your existing ftb.imagegallery.aspx with the fixed one.
What if I’m using a version of MWPSK earlier than 1.3.0?
Versions earlier than 1.3.0 do not contain the Free Text Box and are therefore not affected by this issue.