Important Newscoop Security Announcement.
  • We were made aware of a Newscoop vulnerability just before 1200 CEST today (Thursday Dec 6th 2012). This potentially affects all users of Newscoop 3.5.0 up to Newscoop 4.0.2.

    The vulnerability exploits the Admin interface’s password restore. Exploitation of this allows attackers to gain Admin access to the site, so immediate action is required.

    This quick failsafe fix should be applied immediately.

    How To

    1) Log in to Newscoop
    2) Configure > System Preferences
    3) Set ‘Allow password recovery’ to No

    This vulnerability does not affect those who already had set Allow password recovery to No.

    All Sourcefabric customers are already protected and need to take no action.

    If you are unsure of how to apply this fix or whether you are affected, please mail contact AT sourcefabric DOT org immediately.

    We’re working on an update patch and will let you know here as soon as it is ready. Please subscribe to this forum via mail or follow @Sourcefabric for updates.

    Thanks, Adam
  • 3 Comments
  • Hi:

    Thank you for the notice.


    Post edited by Oscar at 2012-12-06 14:35:52
  • Quick update. Newscoop 4.0.3, which will include a fix for this security issue, should be out later this week. We'll keep you posted.
  • Newscoop 4.0.3 is out now and it fixes this issue. Here's the release info and upgrade/download instructions.

    Once successfully upgraded, you can reverse the quick fix recommended above.

    1) Log in to Newscoop
    2) Configure > System Preferences
    3) Set ‘Allow password recovery’ to Yes

    Any questions on this, please just ask.
This discussion has been closed.