

Author Topic: Security events / anonymous uploaded files  (Read 1939 times)

Offline rob

  • Newbie
  • *
  • Posts: 2
Security events / anonymous uploaded files
« on: 13.05.2015 10:51:12 »
Hi, just by chance we found out that somebody managed to upload zip files to our server via jDownloads into the jDownloads category folder, and by a simple Google query we can see that we are not alone.
On May 09 and May 11, somebody naming himself "fullmagic" uploaded two zip-archives (161 byte each) to a category as an unpublished download. The short description is filled out with "mari makan", the download title is "rfdhng".
A Google search for "jdownloads rfdhng mari makan" shows a few pages with the same download on them so you can see examples. Seems to be a really new thing, all results in the last week, there's no other discussion about it.

We are sure that's a security bug. How could that be possible?

System data:
- Joomla! 3.3.3
- jDownloads 1.9.2.10 Beta (we know there are updates but we don't know if this bug is fixed there)

We're updating now, this post here is just to inform you and perhaps to get some information back.
Thx
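A triage check for the situation described in the post above, added here as an example (it is not jDownloads code and not from either poster): it walks a download folder and flags `.zip` files that are very small, are not valid archives, or whose file, member or comment text contains the strings quoted in the post. The size threshold, the function names and the sample files are assumptions; the download title and description are stored by the site, not in the files, so the string match covers only what is visible on disk.

```python
import os
import tempfile
import zipfile

SIZE_LIMIT = 1024  # assumption: the post reports 161-byte archives, so flag anything tiny
MARKERS = ("rfdhng", "mari makan", "fullmagic")  # strings quoted in the post


def triage_zip(path):
    """Return a finding dict for a suspicious archive, or None if nothing stands out."""
    size = os.path.getsize(path)
    reasons, members = [], []
    text = os.path.basename(path).lower()
    if size <= SIZE_LIMIT:
        reasons.append("tiny archive (%d bytes)" % size)
    try:
        with zipfile.ZipFile(path) as zf:
            members = zf.namelist()
            # Member names and the archive comment are read; nothing is extracted.
            text += " " + " ".join(members).lower() + " " + zf.comment.decode("latin-1").lower()
    except zipfile.BadZipFile:
        reasons.append("not a valid zip despite the extension")
    reasons += ["marker %r" % m for m in MARKERS if m in text]
    return {"name": os.path.basename(path), "size": size, "members": members, "reasons": reasons} if reasons else None


def scan_folder(root):
    """Walk a download folder and return findings for every .zip below it."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if name.lower().endswith(".zip"):
                hit = triage_zip(os.path.join(dirpath, name))
                if hit:
                    findings.append(hit)
    return findings


def demo():
    """Run the scan over constructed sample files in a temporary folder."""
    with tempfile.TemporaryDirectory() as root:
        with zipfile.ZipFile(os.path.join(root, "rfdhng.zip"), "w") as zf:
            zf.writestr("a.txt", "x")                      # small archive
        with zipfile.ZipFile(os.path.join(root, "manual.zip"), "w") as zf:
            zf.writestr("manual.txt", "A" * 4096)          # ordinary stored archive
        with open(os.path.join(root, "broken.zip"), "wb") as fh:
            fh.write(b"not a zip")                         # wrong content, .zip name
        return scan_folder(root)


if __name__ == "__main__":
    for f in demo():
        print(f["name"], f["size"], "; ".join(f["reasons"]))
```

To check a real site, call `scan_folder()` with the path of the jDownloads upload folder and compare each finding with the unpublished downloads listed in the component's backend.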

Offline ColinM

  • jD Tester
  • *
  • Posts: 3.666
Re: Security events / anonymous uploaded files
« Reply #1 on: 13.05.2015 16:59:07 »
Hi
Thanks for the input. Version 1.9.2.11 was a security release to fix the sort of bug you are mentioning. After updating to 1.9.2.11 you would be better to then migrate to the jD 3.2 series. In case you have not found it, there is some documentation on the migration. Note it recommends you update to 1.9.2.11 prior to the migration.

 http://www.jdownloads.net/documentations/item/how-to-upgrade-jdownloads-component-from-1-9-x-to-latest-3-x-version

Please ask if you need any assistance
Colin