WHM AutoPilot Security Release [ Plus Upgrade Instructions ]

• Previous message: beniwiedmer_at_tiscali.ch: "Cross Site Scripting DOS (Zyxel B-420 Ethernet Bridge)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: <bugtraq@securityfocus.com>, "OSVDB" <moderators@osvdb.org>, "Secunia Research" <vuln@secunia.com>
Date: Fri, 31 Dec 2004 06:34:24 -0600

The owner and lead developer of the software Mr Brandee Diggs would like me
to inform the masses that a new version of WHM AutoPilot is out and resolves
the critical WHM AutoPilot security issues. Below are specific details given
by Mr Diggs on how to upgrade your installation. Great job by the
development team to get these holes patched quickly! :)

#################################################

RELEASE: v2.5.0
Release Level Rating: HIGH ( Security Release )

Database Update required: Yes [ maintenance_v250.sql ]

This will increment your version to v2.5.0[s]

Release Date: December 29, 2004

### BUGS RESOLVED ###

[1] Internet Secure not passing through coupon discounts
[2] WorldPay[2] errors passed to gateway
[3] New "Offline Credit Card" gateway added
--> this gateway automatically sets orders to pending

### ISSUES ADDRESSED AND RESOLVED ###

[1] File Include Vulnerability
[2] Cross Site Scripting (XSS) Vulnerability
[3] Information Disclosure
--> after installation, please delete the phpinfo.php file so that your
server information is not public information

Upgrading to this release will resolve all issues brought to our attention
by James at GulfTech.org. We have had this
reviewed by James and has been verfied to be 'closed' and corrected.

#################################################

Since our upgrade of Zend Encoder, all encrypted files will require Zend
Optimizer v2.5 or higher active on your server.
If you are running PHP v4.3.10, please make sure you are running Zend
Optimizer 2.5.7

Due to the nature of this release, every file has been altered or modified
and a FULL file overwrite is required.

========================================
UPGRADE & FILE INFORMATION
*** UPLOAD IN BINARY OR ERRORS WILL OCCUR ***
========================================

Estimated Time: between 15 - 45 minutes ( take your time )

[1] Login to your license management area OR obtain the full download
release from your license provider. Some licensees
have obtained licenses from their webhost without access to the downloads.
This download will need to be provided by
your provider or, they will need to authorize us to modify the license to
your information.

[2] make a backup of the following files in your current installation:
/inc/header.php
/inc/footer.php
/inc/var.php ( just in case )

[3] Upload ALL files & folders from the full download to your installed
location, overwriting ALL files with the new
files.

Due to the nature of this release, we have reactivated the 'Quick File
Transfer' option to allow you to have all the
files transferred directly to your site, in guaranteed BINARY mode. For
this utility, visit the follow url:

http://www.whmautopilotlicensing.com/d/quickup/index.php

user: autopilot
pass: upgrade

*** THIS UTILITY WILL OVERWRITE EVERY FILE IN YOUR INSTALL - BACKUP
CRITICALS FIRST ***

[4] login to your cPanel and run the MySQL updates against your database
---> click on MySQL databases
---> click on link to phpMyAdmin
---> select your database on the left
---> click on export and at the bottom, choose save as and click GO ( save a
local backup )
---> click on the SQL link at the top

*** FTP TO YOUR SITE AND GRAB THE SQL FOLDER IF YOU USED THE TRANSFER
UTILITY ***
*** DELETE THE SQL FOLDER AFTER YOU HAVE DOWNLOADED IT FROM YOUR DOMAIN ***

---> Locate maintenance_v250.sql in the SQL folder of the download and click
GO

If you are running a version OLDER than v2.4.7:

*** Begin to walk up through versions from your previous version to this
version in database updates in the SQL folder
***

Example:
If you are running v2.4.33, you will walk up the following SQL updates, in
order:

1) maintenance_v245.sql
2) maintenance_v2451.sql
3) maintenance_v2453.sql
4) maintenance_v2456.sql
5) maintenance_v246.sql
6) maintenance_v2465.sql
7) maintenance_v247.sql
8) maintenance_v250.sql

Remember to run this in the proper order so that incremental updates &
changes are applied to the proper tables at the
proper time.

For those who are uneasy in completing upgrades to their installation, we do
provide upgrade services, at a rate of
$9.95 per installed upgrade. These upgrades are not completed right away
after they are requested but are scheduled for
completion normally during 'slow' or 'moderate' times of the day as to not
disrupt your ordering system. These are
normally done between 11pm - 2am and 9am - 11am EST. If you have an upgrade
request in the system, bump it now if it
has not been completed.

To request an upgrade to be performed on your installation, please utilize
the following steps:

1) make a payment in the amount of $9.95 to paypal@whmautopilot.com with the
MEMO line reading 'upgrade from x.xx
version to v2.5.0' along with your license number.

2) visit https://www.whmautopilot.com/support/ and submit a helpdesk request
for the installation to the department of
'Upgrade Requests' with the following:

---[1] Current Version of Script
---[2] FTP/cPanel login information
---[3] admin area login information
---[4] receipt from PayPal showing payment has been made

Your request will be confirmed with a canned response and will be schedule
to be completed within a moderate amount of
time. Some will be completed within the same day, others will be completed
within 2 - 3 days, depending upon scheduling.

If you have paid for an upgrade that has been completed within the past 10
days, an upgrade to this version will not
cost you any extra.

Remember, bugs must be reported to the bug tracking system in order to be
reviewd and resolved. Bugs reported in the
forums do not get as much attention as bugs in the tracking system. Also,
note, a bug is something that can be
reproduced on ALL installations. Please do not use the bug tracking system
as a support system.

I appreciate everyones patience.

May your New Year be safe, happy and prosperous!

Thank You.

Respectfully,

Brandee S. Diggs
Owner / Developer
Benchmark Designs, LLC.

+++++++++++++++++++++++++++++++++++++++++++++++

Please do not reply to this email - replies are
not reviewed or received by human eyes.

You are receiving this email because you either have a
license to one of our products or asked us to keep you up
to date on any news regarding our products.

To remove yourself from future mailing, click the link below.

http://www.autopilotupgrades.com/newsletter/remove.php?u=46c9fff
+++++++++++++++++++++++++++++++++++++++++++++++

-- 
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.296 / Virus Database: 265.6.6 - Release Date: 12/28/2004
 

• Previous message: beniwiedmer_at_tiscali.ch: "Cross Site Scripting DOS (Zyxel B-420 Ethernet Bridge)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]