Blesta Security Advisory
EthernetServers
Member, Patron Provider
in General
Comments
@labze check this out
You're Fast as fuck boi.
Nice you beat their customer e-mail. I've patched it, but would be interested to see what the issue was.
Oof, this is bad
I don't think so.
Better to be alerted from the developer's team than the hacker's team of a security issue.
Theme (uploads) not sanitized and remote code execution, so a payload can be uploaded and executed.
I was referring to the severity of the vulnerability
"Upgrade can not continue without valid support and updates, visit www.blesta.com/support-and-updates"
If you are patching from a supported version (5.7, 5.8, 5.9), you don't need valid support & updates to go to the latest patch of those minor versions. If you are upgrading from an unsupported version, then you would need valid support & updates.
I have version 4.0. Is there a security patch for it? What is an "unsupported version", and what makes an owned version not supported for security patches?
Only version 5.0.0-5.9.1 are affected. If you are running 4.x you are not impacted by this, but you are very very EOL and should consider an upgrade at some point.
I sent out a notification to all license holders of Blesta.Store shortly after this was published.
In retrospect I should have also posted it here. Thank you for your contribution.
This appears to be correct.
Sadly, information is a bit limited at this stage. However, from the information known so far it appears that the RCE is only exploitable through "vulnerability chaining" and not directly.
I'll try to post an update in this thread and revise the announcement on blesta.store if more details become known.
Anyone know when https://docs.blesta.com will be up?
Like to see the upgrade steps.
Thanks!
Sent in a report on your behalf. It appears to die every now and then.
Oh, I've been trying to access it for two days but no luck!
Thanks a lot! Hopefully it comes up soon!
It's up now: https://docs.blesta.com/display/user/Upgrading+Blesta
Yeah, they added more RAM and rebooted the VM.
@pphillips Why did Blesta change the encoder from ionCube to SourceGuardian for this upgrade patch?
Blesta includes both since Ioncube took forever to support 8.x
We didn't; we include both. Default files are ionCube. The hotfix is for SourceGuardian. We started shipping both when ionCube failed to support PHP 8. We were the 1st to support PHP 8 because we shipped a SourceGuardian option. If you have ionCube, just ignore the hotfix directory.