Confixx Pro security hotfix

RELEASE NOTES

Description
===========

The hotfix resolves a security problem in which an attacker uses a malformed
SID (session identifier) in a URL to perform SQL injection:
http://www.securityfocus.com/bid/17476

Affected Confixx versions:     3.0.0-3.0.8, 3.1-3.1.2
Not affected Confixx versions: 1.x, 2.x, 3.0.9

It also fixes a minor XSS vulnerability:
http://www.securityfocus.com/bid/17466

All Confixx versions are affected by the XSS issue.

Install
=======

Upgrade Confixx to the latest Confixx version in your branch, i.e.

  1.x   -> 1.6.5
  2.0.x -> 2.0.15
  3.0.x -> 3.0.9 or 3.1.2
  3.1.x -> 3.1.2

To find out how to upgrade, read the release_notes.txt document at
ftp://download1.swsoft.com/Confixx/ConfixxPro<2|3|3.1>//release_notes.txt

Download the hotfix that matches your Confixx version:

  # wget http://download1.swsoft.com/Confixx/security_hotfix/confixx__security_hotfix.tgz

Find out the necessary parameters (the following commands use the values
printed here):

  # grep confixx_homeDir /root/confixx/confixx_main.conf

Unpack the hotfix:

  # tar xfvz confixx__security_hotfix.tgz -C

Also unpack the hotfix into /root/confixx/admin so that it is not overwritten
during an upgrade:

  # tar xfvz confixx__security_hotfix.tgz -C /root/confixx/admin

If you have Confixx 1.6, or if you see that a safe_mode restriction is in
effect when trying to view user stats, the unpacked file must be owned by the
Confixx user and group (PHP's safe_mode only lets a script access files whose
owner matches the owner of the script itself, and a file unpacked as root is
owned by root). Look up the user and group and change the owner accordingly:

  # grep confixx_user /root/confixx/confixx_main.conf
  # grep confixx_group /root/confixx/confixx_main.conf
  # chown : /html/user/allgemein_transfer.php

Now the hotfix is installed.

Contact Information
===================

SWsoft Headquarters
13800 Coppermine Drive Suite 112
Herndon, VA 20171 USA
Phone: +1.703.815.5670, Fax: +1.703.815.5675
World Wide Web: http://www.swsoft.com

E-mail:
For billing information, email accounting@swsoft.com
For purchasing or partnering information, email sales@swsoft.com
For technical support, use our Online Support Form.
For information on career opportunities with SWsoft, email careers@swsoft.com
For press contact information, email press@swsoft.com
For information about becoming a Partner, email partners@swsoft.com
For general product information, email info@swsoft.com

Copyright 2002, 2003, 2004, 2005, 2006 SWsoft, Inc. All rights reserved.
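The Install section above has the administrator grep confixx_homeDir, confixx_user and confixx_group out of /root/confixx/confixx_main.conf by hand and then feed them to the tar and chown steps. The script below is an added example (not part of SWsoft's hotfix or of Confixx) that pulls those values out of the configuration file, builds the user:group argument the chown step needs, and checks afterwards that the file really ended up with that owner, which is the condition PHP's safe_mode is testing. It assumes the configuration holds one assignment per line, either as `key = value` or as Perl-style `$key = "value";`; the release notes only show the key names, so that format is an assumption. The configuration it reads here is a constructed sample with made-up values; on a real system point it at /root/confixx/confixx_main.conf.

```shell
#!/bin/sh
# Added example, not SWsoft's or Confixx's code. Assumes confixx_main.conf
# has one assignment per line, either `key = value` or `$key = "value";`
# (an assumption: the release notes only show the key names being grepped).

# conf_get FILE KEY: print KEY's value from FILE, without quotes or the
# trailing ';'. Prints nothing when the key is absent.
conf_get() {
    sed -n 's/^[[:space:]]*[$]\{0,1\}'"$2"'[[:space:]]*=[[:space:]]*//p' "$1" \
      | sed 's/[[:space:]]*;[[:space:]]*$//; s/[[:space:]]*$//; s/^"\(.*\)"$/\1/' \
      | head -n 1
}

# owner_spec FILE: print "user:group" from confixx_user and confixx_group,
# i.e. the argument the chown step of the hotfix needs. Fails if either
# key is missing, so a broken config cannot produce "root:" by accident.
owner_spec() {
    u=$(conf_get "$1" confixx_user)
    g=$(conf_get "$1" confixx_group)
    [ -n "$u" ] && [ -n "$g" ] || return 1
    printf '%s:%s\n' "$u" "$g"
}

# owned_by PATH USER GROUP: succeed only if PATH is owned by USER:GROUP.
# Run this after the chown before concluding safe_mode is still the problem.
# Uses ls rather than stat -c so it also works on non-GNU userlands.
owned_by() {
    [ -e "$1" ] || return 1
    [ "$(ls -ld "$1" | awk '{ print $3 ":" $4 }')" = "$2:$3" ]
}

# sample_conf: write a constructed confixx_main.conf to a temp file and
# print its path. The values are invented for this example.
sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample, not a real Confixx configuration
$confixx_homeDir = "/home/www/confixx";
$confixx_user    = "confixx";
$confixx_group   = "www";
EOF
    printf '%s\n' "$f"
}

# Stand-alone run: derive the values an administrator would otherwise grep
# for by hand, then clean up the sample file.
demo() {
    conf=$(sample_conf)
    echo "homeDir:        $(conf_get "$conf" confixx_homeDir)"
    echo "chown argument: $(owner_spec "$conf")"
    rm -f "$conf"
}
demo
```

On a live system the home directory printed by conf_get is what the administrator hands to `tar -C`, and the owner_spec output is the argument for the chown on allgemein_transfer.php; owned_by then confirms the change took effect on that exact path before the user stats page is retried.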