The release of EQdkp Plus 2.3.20 on November 6th brings a few changes and new improvements:
- Fixed a security vulnerability
- Some other small improvements and further hardening
- Some bugfixes

Requirements:
- php Version 7.1 and greater
- 64MB RAM for php, better 128MB
- zLib enabled (zip)
- safemode disabled (recommended, otherwise you can use the FTP-Mode)
- curl enabled
- fopen enabled
- autoload enabled
- openssl enabled (optional)
- On Windows Server: ThreadStackSize increased to 8388608
Download EQdkp Plus 2.3.20:
FAQ for the Security Vulnerability
Version 2.3.20 was released on November 6th, which fixes a security vulnerability, contains further hardening measures and fixes additional bugs. The security vulnerability may allow data to be read from the database.
Which versions are affected?
2.3.17 - 2.3.19
How did you find out about this vulnerability?
An external security researcher reported this to us on November 6th at our Security Bugtracker section, in a responsible disclosure manner. Thanks to inc0x0 for this.
How did this vulnerability arise?
When assembling an SQL statement, user-provided values were not validated correctly. This part was overlooked during the move towards prepared statements and remained unchanged for a period of 4 years. A (not harmful) pull request on GitHub was affected by this issue.
Are there updates that fix the vulnerability?
Yes. 1.5 hours after we received the vulnerability report, our fixes were ready and packages had been built and distributed using the Live-Update. All versions from 2.3.20 and above are no longer vulnerable. We also released version 2.2.26 to fix this issue for the 2.2 branch, even though this branch was not vulnerable.
Was an attacker able to steal sensitive data?
No. The email addresses of your users are encrypted in your database. Also, all passwords are hashed using the state-of-the-art bcrypt mechanism, or are encrypted. Also, sensitive data like 2FA secrets are only stored in encrypted form in the database.
Was an attacker able to add malicious code?
No. We do not save PHP or template code in the database.
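To illustrate what "hashed using bcrypt" means for an attacker who can only read the database, here is an added example (not EQdkp Plus code) using PHP's built-in password_hash() and password_verify() with PASSWORD_BCRYPT. The sample password and cost factor are constructed for the illustration.

```php
<?php
// Added example, not EQdkp Plus code: bcrypt storage and verification with
// PHP's password API. The password and cost value below are constructed.

const BCRYPT_OPTIONS = ['cost' => 12];  // work factor; assumed value for this example

// Store a password: password_hash() generates a random salt and writes the
// algorithm, cost, salt and hash into one string. The plaintext never reaches
// the database, so a read-only leak of this column yields only the hash.
function store_password(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTIONS);
}

// Check a login attempt: password_verify() reads the salt and cost back out of
// the stored string, recomputes the hash and compares it in constant time.
function check_password(string $attempt, string $stored): bool
{
    return password_verify($attempt, $stored);
}

// On a successful login, transparently upgrade hashes made with an older or
// weaker cost so the whole user table converges on the current setting.
function maybe_rehash(string $password, string $stored): string
{
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, BCRYPT_OPTIONS)) {
        return store_password($password);
    }
    return $stored;
}

$password = 'correct horse battery staple';   // constructed sample password

$storedA = store_password($password);
$storedB = store_password($password);

// Same password, two different stored values: each carries its own salt, so
// two users with the same password cannot be spotted by comparing hashes.
var_dump($storedA !== $storedB);

var_dump(check_password($password, $storedA));
var_dump(check_password('wrong password', $storedA));

$storedA = maybe_rehash($password, $storedA);
var_dump(check_password($password, $storedA));
```

Running this prints true for the salt comparison and for the two correct-password checks, and false for the wrong password; the hash strings themselves begin with the bcrypt prefix `$2y$` followed by the cost, which is what a database reader would see instead of a password.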
What have you done to prevent a vulnerability like this in the future?
There is no 100% guarantee against security bugs. However, we went through all of our code again, consistently relying on prepared statements where they had not been used before. Also, we added code that automatically applies security measures.
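The cause described above (a user-provided value spliced into an SQL statement) and the fix described here (consistent use of prepared statements) are shown side by side in the following added example. It is not EQdkp Plus code: it uses PDO with an in-memory SQLite database (the pdo_sqlite extension is assumed to be available), and the members table, its rows, the id parameter and the crafted input are all constructed for the illustration.

```php
<?php
// Added example, not EQdkp Plus code: string-assembled SQL beside the
// prepared-statement form. Everything below (table, rows, inputs) is constructed.

$pdo = new PDO('sqlite::memory:');   // assumes the pdo_sqlite extension
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)');
$pdo->exec("INSERT INTO members VALUES (1, 'alice', 'hash-of-alice'), (2, 'bob', 'hash-of-bob')");

// Vulnerable pattern: the user-supplied value becomes part of the SQL text.
// The database cannot tell where the query ends and the data begins, so a
// value containing SQL syntax changes the statement instead of being compared.
function find_member_unsafe(PDO $pdo, string $id): array
{
    $sql = "SELECT name FROM members WHERE id = '" . $id . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened pattern: the statement is compiled with a placeholder and the value
// is bound separately, so whatever the user sends is only ever compared as data.
function find_member_safe(PDO $pdo, string $id): array
{
    $stmt = $pdo->prepare('SELECT name FROM members WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$normal  = '1';
$crafted = "1' OR '1'='1";   // constructed input that turns the WHERE clause into a tautology

var_dump(find_member_unsafe($pdo, $normal));
var_dump(find_member_unsafe($pdo, $crafted));
var_dump(find_member_safe($pdo, $normal));
var_dump(find_member_safe($pdo, $crafted));
```

With the normal input both functions return just alice. With the crafted input the string-assembled query returns alice and bob, that is, every row the statement can reach, which is the "data may be read from the database" outcome the FAQ describes; the prepared statement returns an empty array because the whole string is compared against the id column as a literal value. The fix is purely structural: no input validation is needed for the query to be safe, which is why moving the remaining statements to placeholders closes the bug class rather than one instance of it.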
Why has this news not been released earlier?
Since no public exploit of this vulnerability was known, we wanted to be sure that your EQdkp Plus installations were patched before information about the vulnerability became public. Since now only a few EQdkp Plus installations are still vulnerable, we are able to release this news.
If you like EQdkp Plus and our work, please think about supporting us.