Well, it's been a long time since the last security alert, but every now and then someone finds a security hole and it gets exploited...
This one doesn't affect b2evolution in itself but the Movable Type Importer as shipped with b2evolution since version 1.6. So, in effect, this security issue affects all versions of b2evolution since 1.6.
The good news is that it is very easy to secure your b2evolution installation before it gets hit by an attack: just delete the Movable Type Importer (you don't need it. It is only used *during* the import if you have migrated from MT to b2evo).
In b2evo versions 1.x, delete this file from your server:
In b2evo versions 0.9.x, you don't need to do anything, you're not affected by this issue. Your version is aging though, and you should consider upgrading as soon as we release 1.8.6.
Older versions: you are not affected by this issue, however your version is so old that you may be affected by other issues. It is strongly advised to upgrade.
Thanks ! :)
- Versions 0.9.x are NOT affected. :)
- If your PHP (php.ini) is properly configured with
register_globals = Off, you are NOT affected. :)
- If your PHP (php.ini) is conservatively configured with
allow_url_fopen = Off, you are NOT affected either. :)
- We will release a fixed update of 1.x (version 1.8.6) later tonight.
In the meantime, if you are unsure, please delete the import-mt.php file.
Fixed releases (1.8.6 and 1.9.1) are ready (and downloadable from SourceForge if you’re in a hurry) but we’ll double check them tomorrow.
Thanks for the super-quick corrective actions!
Does this mean that you don’t need to delete the import-mt.php file in versions 1.9.2 onwards?
Yes versions 1.9.2 and above are perfectly safe. No need to touch mt-import in these.