Important Official statement regarding alleged Kunena 1.5.9 Security Vulnerability

8 years 4 months ago - 8 years 4 months ago #1 by fxstein
Hi everybody,

We were made aware of this alleged security vulnerability within a few hours of it hitting Packetstorm.

Within 2-3 hours we tested 1.5.4, 1.5.5, 1.5.6, 1.5.7, 1.5.8 and 1.5.9. Every official distribution since 1.5.5 has the fix built-in. We even ran the attack against kunena.com itself. The vulnerability is only present in versions of Kunena 1.5.4 (and older and ALL versions of Fireboard). So this old Fireboard issue was fixed months ago.

We immediately contacted the author of the alert as well as Packetstorm but have not gotten a response from either one. This alert should really go out as a Fireboard alert - many users are still using the old Fireboard which contains this and dozens of other similar vulnerabilities. We hope that the author of this alert and services like Packetstorm that first published it will respond to our emails eventually and remove the incorrect alert.

This issue can only be re-introduced if your 1.5.9 distribution is modified with files from 1.5.4 or older versions. Unofficial templates which carelessly copy old code can also cause this issue.

If you are using any template besides the "default_ex" template, make sure you have 1.5.9 installed and use the default_ex template until you have been able to verify that your specific template is up to date.

More details:

Exploit: packetstormsecurity.org/1001-exploits/joomlakuenena-sql.txt
1.5.5 ReadMe: docs.kunena.com/index.php/Kunena_1.5.5_Read_Me


Have a great day!

fxstein
Kunena Project Lead

We love stars on the Joomla Extension Directory. :-)
Last edit: 8 years 4 months ago by fxstein.

8 years 4 months ago #2 by latino
Hi:

Is the free Gainsboro Template affected by this?

TIA

:S

8 years 4 months ago #3 by latino
Hi Again:

I am not sure, but because there are many old Kunena templates out there, maybe knowing which specific code is vulnerable could help users verify if they (us) are at risk.

The advisory is understood by devs, but how can users 'fix' the template in case their templates are no longer supported...

TIA

B)

8 years 4 months ago #4 by sozzled
Please do not use this discussion topic to ask questions about individual, third-party or user-developed templates: There is only one endorsed and supported Kunena template ... default_ex. The intention of this topic is to provide advice concerning allegations by Packetstorm about Kunena 1.5.9 security (in particular). I don't think this topic requires further discussion except if, or when, the situation changes.

8 years 4 months ago #5 by woonydanny
latino wrote:

I am not sure, but because there are many old Kunena templates out there, maybe knowing which specific code is vulnerable could help users verify if they (us) are at risk.

The advisory is understood by devs, but how can users 'fix' the template in case their templates are no longer supported...


I believe the devs won't release the affected code as this is openly telling hackers what is the code to target.

It would be in your best interest, if you are running a template other than the official default_ex, to ditch it and use the official template. There has been so much work done by the Kunena team and I would not run the risk of a template that might be missing some of the security added.

Once Kunena 1.6 is released, I think templates won't have code (logic) in them but rather just formatting (colours, layout etc.), and so lots of new templates will be created then that will be as safe as the default_ex.

Still wish that I could write my forum signature through a JomSocial plugin and do it from my JomSocial profile :(

8 years 4 months ago #6 by lavsteph
Hi,

This false listing is also present here: www.exploit-db.com/exploits/11279
Others will come :blush:

Manager French translation
