aMember Pro

Security Note 03

08/31/2006

Security issue details

There is a minor security problem (XSS flaw) found in aMember Pro. It affects all aMember Pro versions before 3.0.4. This problem is not urgent and cannot directly lead to hack of your website without your invention. However, it is anyway necessary to take actions against it. Fortunately, it is very easy and quick to do. For customers running old versions of aMember upgrade is NOT NECESSARY, not required, and will not make your website more secure. Just use on of patching methods below – it is quite enough.

Problem description

There is an XSS problem found in aMember. A hacker may inject some bad JavaScript to headers and it will be executed when you are viewing aMember CP -> Access Log, or aMember CP -> Error Log. Descibed thing may ONLY happen if:

• a “hacker” really makes it;
• you access aMember CP logs while the injected message appears;
• the hacker uses received information to login into aMember CP as admin.

It is impossible to hack your website and find out password without your invention.

Methods of protection

Method 1. Securing existing installation by replacing files

Please do the following:

1. Download security patch, unpack it and using a FTP client upload 3 files to amember/templates/admin/ folder, replacing existing files access_log.html, error_log.html and user_access_log.html.
2. Once files are replaced, your site is secure again.
3. If there are any problems with these steps, feel free to contact CGI-Central Support Team via helpdesk: https://www.amember.com/support/

Method 2. Upgrade to aMember pro 3.0.4 (not required if you follow method 1

If you want to stay recent, you may download and upgrade to latest version from members area. Full changelog will be published in the forum within 48 hours after this notice.

Please note, that CGI-Central staff is unable to make upgrades for free. Upgrade procedure described here.