August 27th 2007

Security flaw in My Web Pages Starter Kit


We have discovered a security flaw (a path canonicalization bug) that an attacker could exploit to retrieve arbitrary data files from any website based on MWPSK.

We rate the severity of this flaw as HIGH and are applying the Emergency operation procedure from our Security Operation Procedures to resolve it. We invite everyone else to act on the recommendations below as well; we created them for exactly this kind of incident.

Please replace the file DownloadHandler.ashx with the new version that is published here.

When will a solution for the problem be available?

The problem was escalated right away, and the developer has already published a later version of the DownloadHandler.ashx file that eliminates it.

What does this really mean for my installations?

Someone who knows how to exploit it could potentially read any data file stored as part of any MWPSK-based website, including the file in which the user accounts are managed. Passwords are properly encrypted, so they are protected by a second line of defense, but the scenario is still very embarrassing.
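As an added illustration of the kind of fix involved (this is not the patched DownloadHandler.ashx, whose contents are not shown on this page; the class name, the dataRoot parameter and the "file" query-string parameter are assumptions), a download handler that canonicalizes the requested file name and refuses anything that resolves outside the data folder:

```csharp
using System;
using System.IO;
using System.Web;

// Hypothetical hardened handler (an added example, not the patched MWPSK file).
public class SafeDownloadHandler : IHttpHandler
{
    // Resolve a user-supplied file name against the data folder and refuse
    // anything that canonicalizes to a location outside it.
    public static string ResolveDataFile(string dataRoot, string requested)
    {
        if (string.IsNullOrEmpty(requested))
            return null;
        // Canonical root with a trailing separator, so that a sibling such as
        // "...\App_Data_old" is not mistaken for a path inside "...\App_Data".
        string root = Path.GetFullPath(dataRoot);
        if (!root.EndsWith(Path.DirectorySeparatorChar.ToString()))
            root += Path.DirectorySeparatorChar;
        string full;
        try
        {
            // GetFullPath collapses "..", "." and mixed or doubled separators.
            // If "requested" is already absolute, Combine returns it unchanged
            // and the prefix check below rejects it.
            full = Path.GetFullPath(Path.Combine(root, requested));
        }
        catch (ArgumentException) { return null; }     // invalid path characters
        catch (NotSupportedException) { return null; } // e.g. a drive letter mid-path
        catch (PathTooLongException) { return null; }
        // Windows file names are case-insensitive, so compare accordingly.
        return full.StartsWith(root, StringComparison.OrdinalIgnoreCase) ? full : null;
    }

    public void ProcessRequest(HttpContext context)
    {
        string dataRoot = context.Server.MapPath("~/App_Data");
        string file = ResolveDataFile(dataRoot, context.Request.QueryString["file"]);
        if (file == null || !File.Exists(file))
        {
            context.Response.StatusCode = 404; // same answer for missing and rejected
            return;
        }
        context.Response.ContentType = "application/octet-stream";
        context.Response.AppendHeader("Content-Disposition",
            "attachment; filename=\"" + Path.GetFileName(file) + "\"");
        context.Response.TransmitFile(file);
    }
    public bool IsReusable { get { return true; } }
}
```

Serving from a dedicated subfolder (for example a downloads folder under App_Data) rather than the whole data folder keeps the user-account file out of reach even for well-formed requests.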

What can I do as a first measure to defend my website against such a hacker attack?

  • You should back up your site now by downloading the whole content of the \app_data folder to your local machine.
  • Please replace the file DownloadHandler.ashx with the new version that is published here.

What if I’m using an older version of MWPSK (like 1.1)?

The problem has existed ever since we published the first version of MWPSK in November 2006. However, the new version of DownloadHandler.ashx works with all existing versions, so you can replace the file regardless of which version you currently have installed.


Rafa Vargas (his blog) discovered this security flaw. We have added him to our hall of fame to honor his contribution to the overall quality of MWPSK.



Last edited Aug 27, 2007 at 11:58 AM by ursmueller, version 5

Comments

vargas Sep 14, 2007 at 2:27 PM 
Apart from this already-solved bug, I recommend everyone download and run a copy of MWPSK. It really saves a ton of work!!!