[SPT/CWIS] IMPORTANT - SPT/CWIS Security Patch

Edward Almasy ealmasy at scout.wisc.edu
Wed Jun 28 22:22:10 CDT 2006


    A security exploit in SPT and CWIS 1.4.0 was
    discovered and published last night.  It does
    not provide server-level access, but it may allow
    an attacker to learn passwords for one or more
    SPT/CWIS accounts, including those with SPT/CWIS
    administrative privileges.


    We STRONGLY advise anyone running an SPT or CWIS
    1.4.0 site to immediately take the following steps:

      1 - Copy the Axis--User.php file from the
        attached security patch file into the base
        directory of your SPT or CWIS installation,

      2 - Copy the remaining five files in the
        attached security patch file into the
        "include" directory of your SPT or CWIS
        installation, and

      3 - Change the passwords on any logins to
        your SPT- or CWIS-based site that have
        administrative or editing privileges.

    The exploit is not strictly limited to accounts
    with administrative privileges, but as it in part
    involves brute force cracking of an encrypted
    value (a very resource-intensive operation) for
    each compromised password, it is our belief that
    specific administrative accounts, and the initial
    administrator account in particular, are the most
    likely targets.

    (Please note that the passwords in question are
    those used to log in to the SPT/CWIS-based web
    site, not those for shell or database access.)


    The MD5 checksum for the patch file is:
        01c462c6d6a2fd5baf04f5b0f4cd2bba

    IMPORTANT:  If you are running a version of SPT
    or CWIS prior to 1.4.0, we STRONGLY advise that
    you upgrade your site to 1.4.0 and apply the patch
    as above.  The published exploit or some variant
    will also affect earlier versions, and those earlier
    versions may have additional security issues
    addressed by 1.4.0.

    If you are aware of someone running an SPT- or
    CWIS-based site that may not have read this note,
    please do not hesitate to pass it along to them.

    Ed



-------------- next part --------------
A non-text attachment was scrubbed...
Name: SPTCWIS_1.4.0_Patch20060628.zip
Type: application/zip
Size: 12993 bytes
Desc: not available
Url : http://www.scout.wisc.edu/pipermail/spt-cwis-users/attachments/20060628/32901b1f/attachment-0001.zip 
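The checksum and the two file-placement steps above, as a small POSIX shell script. This is an added example, not code shipped in the patch or by the SPT/CWIS project: the install path, the unpacked patch directory and the ".pre-patch" backup suffix are assumptions, and only Axis--User.php is named on the page, so every other regular file in the archive is treated as one of the "remaining five". Note that the MD5 only catches a corrupted or truncated download; it is not a signature and says nothing about who produced the archive.

```shell
#!/bin/sh
# Added example (not from the advisory or the SPT/CWIS project): verify the
# patch archive's MD5 and stage its files into an SPT/CWIS install as steps
# 1 and 2 describe. Paths and the ".pre-patch" backup suffix are assumptions.

# Expected digest for SPTCWIS_1.4.0_Patch20060628.zip, as given in the advisory.
PATCH_MD5="01c462c6d6a2fd5baf04f5b0f4cd2bba"

# Print the MD5 hex digest of a file, using md5sum or openssl, whichever exists.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        openssl dgst -md5 "$1" | sed 's/.*= //'
    fi
}

# Return 0 when the file's MD5 matches the expected digest, 1 otherwise.
# MD5 here only detects a damaged download; it does not authenticate the archive.
verify_patch_checksum() {
    file="$1"; expected="$2"
    actual=$(md5_of "$file") || return 1
    [ "$actual" = "$expected" ]
}

# Copy the unpacked patch into an install: Axis--User.php goes to the base
# directory, every other regular file goes to include/ (the advisory expects
# five of them). Existing targets are backed up with a .pre-patch suffix before
# being overwritten. Returns 1 if Axis--User.php is missing from the patch
# directory or the install has no include/ directory.
apply_patch_files() {
    patch_dir="$1"; install_dir="$2"
    [ -f "$patch_dir/Axis--User.php" ] || { echo "Axis--User.php not found in $patch_dir" >&2; return 1; }
    [ -d "$install_dir/include" ] || { echo "no include/ directory under $install_dir" >&2; return 1; }
    others=0
    for src in "$patch_dir"/*; do
        [ -f "$src" ] || continue
        name=$(basename "$src")
        if [ "$name" = "Axis--User.php" ]; then
            dst="$install_dir/$name"
        else
            dst="$install_dir/include/$name"
            others=$((others + 1))
        fi
        if [ -f "$dst" ]; then
            cp -p "$dst" "$dst.pre-patch"
        fi
        cp -p "$src" "$dst"
    done
    if [ "$others" -ne 5 ]; then
        echo "warning: expected 5 include/ files, copied $others" >&2
    fi
    return 0
}

# Usage (paths are assumptions):
#   verify_patch_checksum SPTCWIS_1.4.0_Patch20060628.zip "$PATCH_MD5" || exit 1
#   unzip -d patch SPTCWIS_1.4.0_Patch20060628.zip
#   apply_patch_files patch /var/www/cwis
```

After the copy, step 3 still applies: rotate the web-site passwords for every account with administrative or editing privileges, since the script only closes the hole and cannot tell which credentials were already recovered.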
---
    Edward Almasy                          ealmasy at scout.wisc.edu
    Co-Director                            1210 W Dayton Street
    Internet Scout                         Madison WI 53706
    Computer Sciences Department           608-262-6606 (voice)
    University of Wisconsin - Madison      608-265-9296 (fax)


