b2evolution blog software

Multilingual multiuser multi-blog engine
Home About Demo Download Hosting Extend Docs Forums
Main · News · Screenshots · Donations · User blogs · Team
« b2evo 1.8.6 AND 1.9.1 released!b2evolution 1.9.0-beta "Casino Royale" released »

Security Alert: import-mt.php

Permalink November 30, 2006 @ 14:27, by Francois Planque • Category: Security info

Well, it's been a long time since the last security alert, but every now and then someone finds a security hole and it gets exploited...

This one doesn't affect b2evolution in itself but the Movable Type Importer as shipped with b2evolution since version 1.6. So, in effect, this security issue affects all versions of b2evolution since 1.6. With the latest tests, versions 0.9.x have appeared to be safe.

The good news is that it is very easy to secure your b2evolution installation before it gets hit by an attack: just delete the Movable Type Importer (you don't need it. It is only used *during* the import if you have migrated from MT to b2evo).

In b2evo versions 1.x, delete this file from your server:
/blogs/inc/CONTROL/imports/import-mt.php

In b2evo versions 0.9.x, you don't need to do anything, you're not affected by this issue. Your version is aging though, and you should consider upgrading as soon as we release 1.8.6.

Older versions: you are not affected by this issue, however your version is so old that you may be affected by other issues. It is strongly advised to upgrade.

We'll release a fixed version of b2evo later tonight.

PermalinkPermalink 6 comments »  

6 comments

Comment from: Ben borges [Visitor] Email · http://www.buzzworkers.com
Thanks ! :)
2006-11-30 @ 15:53
Comment from: Francois Planque [Member] Email · http://fplanque.com/
Latest developments:

- Versions 0.9.x are NOT affected. :)

- If your PHP (php.ini) is properly configured with register_globals = Off, you are NOT affected. :)

- If your PHP (php.ini) is conservatively configured with allow_url_fopen = Off, you are NOT affected either. :)

- We will release a fixed update of 1.x (version 1.8.6) later tonight.

In the meantime, if you are unsure, please delete the import-mt.php file.
2006-11-30 @ 16:03
Comment from: Francois Planque [Member] Email · http://fplanque.com/
Fixed releases (1.8.6 and 1.9.1) are ready (and downloadable from SourceForge if you're in a hurry) but we'll double check them tomorrow.
2006-12-01 @ 02:00
Comment from: EdB [Member] Email · http://wonderwinds.com
Thanks for the super-quick corrective actions!
2006-12-01 @ 05:54
Comment from: beano [Visitor] Email · http://www.everythingulster.com
Does this mean that you don't need to delete the import-mt.php file in versions 1.9.2 onwards?
2007-02-25 @ 17:43
Comment from: Francois Planque [Member] Email · http://fplanque.com/
Yes versions 1.9.2 and above are perfectly safe. No need to touch mt-import in these.
2007-02-25 @ 18:19

This post has 1 feedback awaiting moderation...

Leave a comment


Your email address will not be revealed on this site.

Your URL will be displayed.
:!: :?: :idea: :) :D :p B) ;) :> :roll: :oops: :| :-/ :( :'( |-| :>> :yes: ;D :P :)) 88| :. :no: XX( >:XX
(Line breaks become <br />)
(Name, email & website)
(Allow users to contact you through a message form (your email will not be revealed.)

Contact · maintained by François Planque · hosting provided by the Evo Factory