Security Note 10

08/11/2017

Security issue details

There is a serious security problem found in aMember Pro. It affects all aMember Pro versions from 4.0.0 to 5.3.0 (except 5.3.1, released today).
aMember Pro v.3 and earlier are not affected by this issue.
It is necessary to take action against this and protect your aMember installation. We understand that upgrading to the latest version is not an easy alternative for customers running old versions of aMember, so an upgrade is NOT NECESSARY. Just follow the fix instructions as described below.

Problem details

This vulnerability has been reported by one of our customers. The problem is a potential SQL vulnerability.

Methods of protection

Method 1 – Upgrade to latest aMember release

Upgrade to version 5.3.1. You will see a notification in the aMember admin area (if you do not see it right now, it will appear within 2 hours or earlier). Alternatively, follow the manual upgrade instructions.

Method 2 – Update file

Download the quickfix file and upload it to your installation. Please check your WordPress installation to make sure everything works smoothly after the update.

Contact Us

As always, you can ask us any questions via the aMember HelpDesk. Because of the high volume of tickets, it may take up to 48 hours to respond this week. We are sorry for any inconvenience.

Security Note 09

03/28/2017

Security issue details

There is a potential security problem found in aMember Pro. It affects all aMember Pro versions from 4.0.0 to 5.2.1 (except 5.1.9, released today).
aMember Pro v.3 and earlier are not affected by this issue.
It is necessary to take action against this and protect your aMember installation. We understand that upgrading to the latest version is not an easy alternative for customers running old versions of aMember, so an upgrade is NOT NECESSARY. Just follow the fix instructions as described below.

Problem details

This vulnerability has been reported to CGI-Central and is not widely known. We have no information about existing exploits for this problem.
This problem is an XSS vulnerability. Fortunately, because of additional protection added to aMember, it DOES NOT ALLOW an attacker to steal sensitive information, get customer details or run custom PHP code on your website. However, we nevertheless recommend taking action as soon as possible to fix the problem.

Methods of protection

Method 1 – Upgrade to latest aMember release

If you are using aMember Pro (stable) – upgrade to version 5.1.9
If you are using aMember Pro (beta) – upgrade to version 5.2.2

Method 2 – Update file

If you are running a customized version of aMember, please follow instructions listed on this page (available to aMember Pro customers only).

Contact Us

As always, you can ask us any questions via the aMember HelpDesk. Because of the high volume of tickets, it may take up to 48 hours to respond this week. We are sorry for any inconvenience.

PayPalFix for v3

01/30/2013

First off, this article is about aMember Pro version 3. aMember Pro version 4 is not affected by this issue.

What is happening?

Starting from Feb 01, 2013, PayPal is going to change their server configuration. They require IPN validation scripts to use HTTP/1.1 instead of the HTTP/1.0 they advised many years ago. This change may cause problems with the following versions of aMember Pro v3:

  • All aMember installations with version 3.0.6 and below are affected.
  • Most aMember installations with version 3.0.6 and above are NOT affected. There will be a problem only if your web hosting has no curl PHP extension enabled, which is rare nowadays. To be sure, just follow the same instructions below.

To fix the issue, please follow the simple instructions below.

How to fix

  1. FTP into your web-hosting server and open the /amember/plugins/payment/paypal_r/ folder.
  2. Download paypal_r.inc.php to your computer and make a backup copy of this file.
  3. Open paypal_r.inc.php with your favorite text editor (Notepad, not MS Word!) and find this line:
    function paypal_validate_ipn($vars){
    Below it, find this code block:

    $header .= "POST /cgi-bin/webscr HTTP/1.0\r\n";
    $header .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $header .= "Content-Length: " . strlen ($req) . "\r\n\r\n";

    and change it to the following (the differences are the HTTP/1.1 version in the first line and the added Host header):

    $header .= "POST /cgi-bin/webscr HTTP/1.1\r\n";
    $header .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $header .= "Host: www.paypal.com\r\n";
    $header .= "Content-Length: " . strlen ($req) . "\r\n\r\n";
  4. Upload the modified paypal_r.inc.php to your server to replace the existing file.
  5. Watch carefully for new payments and rebills.
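The exchange the patched code performs, written out as an added Python example (not aMember's PHP): build_ipn_validation_request produces the HTTP/1.1 validation request with the Host header, and parse_ipn_response reads the verdict from an HTTP/1.1 reply, decoding chunked transfer encoding, which a server never sends to an HTTP/1.0 client and which a raw-socket script therefore never had to handle before. The sample reply bytes are constructed; the Connection: close header and the field ordering are assumptions.

```python
# Added example (not aMember's code): the IPN validation exchange after the
# HTTP/1.0 -> HTTP/1.1 change, in Python rather than the page's PHP.
from urllib.parse import urlencode

PAYPAL_HOST = "www.paypal.com"  # the Host value added in the fix above


def build_ipn_validation_request(ipn_vars: dict) -> bytes:
    """Raw bytes of the validation POST: the received IPN fields echoed back
    with cmd=_notify-validate prepended, as PayPal's IPN protocol requires.
    Assumes ipn_vars preserves the order PayPal sent the fields in."""
    body = urlencode([("cmd", "_notify-validate"), *ipn_vars.items()])
    head = (
        "POST /cgi-bin/webscr HTTP/1.1\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Host: {PAYPAL_HOST}\r\n"  # mandatory in HTTP/1.1, absent from the old HTTP/1.0 request
        "Connection: close\r\n"  # assumption: ask the server not to keep the socket open
        f"Content-Length: {len(body)}\r\n\r\n"
    )
    return head.encode("ascii") + body.encode("ascii")


def _dechunk(data: bytes) -> bytes:
    """Decode a chunked transfer-encoded body: hex size line, chunk, CRLF,
    repeated until a zero-size chunk."""
    out = b""
    while True:
        size_line, _, data = data.partition(b"\r\n")
        size = int(size_line.split(b";")[0].strip(), 16)  # drop chunk extensions
        if size == 0:
            return out
        out += data[:size]
        data = data[size + 2:]  # skip the chunk and its trailing CRLF


def parse_ipn_response(raw: bytes) -> str:
    """Return 'VERIFIED', 'INVALID' or 'UNKNOWN' from a raw HTTP reply.
    An HTTP/1.1 server may send the one-word body chunked, so comparing the
    undecoded body against 'VERIFIED' would fail; decode first."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    if headers.get(b"transfer-encoding") == b"chunked":
        body = _dechunk(body)
    verdict = body.decode("ascii", "replace").strip()
    return verdict if verdict in ("VERIFIED", "INVALID") else "UNKNOWN"


# Constructed sample reply: an HTTP/1.1 server answering "VERIFIED" chunked.
SAMPLE_CHUNKED_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"8\r\nVERIFIED\r\n0\r\n\r\n"
)

if __name__ == "__main__":
    req = build_ipn_validation_request({"txn_id": "X1", "payment_status": "Completed"})
    print(req.decode())
    print(parse_ipn_response(SAMPLE_CHUNKED_REPLY))
```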

Still have questions?

If there are still any questions regarding this, please post to the special forum thread. If there is a really urgent question, you may contact us via the helpdesk.

Time to upgrade

Are you still using aMember Pro v3? You may know we released aMember Pro v4 a year ago, but it is hard to believe how different it is! Read more about aMember Pro v4. v4 is now absolutely stable, we have ported all popular plugins, and yes, we can help with the upgrade.

WordPress Membership Software – aMember Integration

04/11/2012

The aMember/WordPress integration is not performed like a typical WordPress plugin solution. aMember is a stand-alone membership program that is installed on the same server as the WordPress installation. aMember should be installed in a sub directory of the website. The sub directory can be named anything, but in the examples shown in this documentation it will be named “amember”. WordPress can be installed in a sub directory or the root of the website.

After the integration, all site registration, user authentication, and profile information is controlled by the aMember program. Therefore, the following steps should be strictly followed:

  1. The WordPress registration system must be disabled, which is covered in detail on this page.
  2. To keep the aMember user database and the WordPress user database in sync, all registrations must be performed on the aMember Signup Page. This means you need to provide a link to the signup page from at least the home page. This is typically done by placing the aMember Widget in the sidebar of the homepage.
  3. Users should log in and log out through aMember. This is typically done by placing the aMember Widget in the sidebar of the homepage.
  4. Users should make changes to any information collected by aMember (name, password, email, address, etc.) from within aMember. Logged-in users are provided a link to their profile edit page in the aMember Widget. Do not allow users to change any profile information on the WordPress side (many profile page and social networking plugins provide links to a user's profile edit page on the WordPress site – these should be avoided).

New features in aMember Pro v4

11/30/2011

Welcome aMember v4!

There is a very long list of changes, so we will try to be brief:

  • (new) Automated upgrade/downgrade handling has been implemented. Users may change their subscriptions!
  • (new) Amazon S3 support for hosting files and video
  • (new) Built-in FlowPlayer to host protected video files for your members
  • (new) Newsletter module integrates with MailChimp, ActiveResponderPro, ActiveCampaign, ARP, AWeber, IContact, GetResponse, Interspire and ListMail
  • (new) Subusers plugin allows reselling of your services, and selling access “packages”. read more…
  • (new) Implemented REST API module for easy integration
  • Completely reworked code and design
  • Uses Zend Framework and HTML_QuickForm2 libraries
  • Supports themes for admin and user pages. Themes can have configurable values, for example, to define custom colors
  • The new WordPress integration needs only a few mouse clicks to set up; you can protect posts in WordPress so they are available to paid users only, and you can even use your WordPress theme in aMember!
  • Facebook integration built-in
  • Configurable multi-page signup and profile forms (aMember CP -> Forms Editor)
  • The same (customizable) signup form is now used to bill both new and existing customers
  • Products may have several “Billing Plans” defined. You do not need to create new products to provide monthly and yearly billing.
  • Reworked, normalized database structure. It is ready now for advanced reporting and other important features
  • No plain-text passwords stored in the database. We have invented a special technique so that plain-text passwords no longer need to be stored while third-party script integrations remain possible.
  • The aMember CP -> Content page allows you to control all kinds of protected user content from one page: files (uploadable via browser), folders, pages (editable in browser), links and autoresponder/expiration e-mail messages. Without using any additional plugins, you can define access to be provided a specified number of days after the subscription is started.
  • All tables within aMember CP use our own unique grid component. It supports paging, filtering, sorting, AJAX updating and running different actions on records.
  • The User grid within aMember CP allows you to filter users based on numerous criteria. For example, you can select records from New York City having an active subscription to Product XX and no expired subscription to Product YY. When records are found, you can browse and run actions on these records – for example, you can delete them, lock them, or send an e-mail message to all of them. You can also save the User Search so it is quickly available to run another day.
  • Product Categories implemented – This is useful for grouping products in the admin control panel, grouping them in the Shopping Cart, and defining access permissions.
  • Import script has been completely reworked to simplify the import process with an easy step-by-step interface and a list of helpful hints.
  • E-Mail Users Function has been reworked. It now stores a history of all sent e-mails and allows you to finish interrupted e-mailing, or repeat previous e-mail messages.
  • E-Mail Queue has been implemented, which allows the script to queue e-mail messages into a database so as not to go over limits configured by a web-hosting provider. All outgoing e-mail messages can be logged to the database, for admin review.
  • Reporting engine has been reworked to provide visually appealing graphic reports.
  • The Rebuild Db function has been reworked to handle data in portions. When it was tested on a 100,000-user database with plugins enabled, it finished in 5 minutes.
  • There is an online interface to translate aMember messages
  • It is possible to localize different strings from the database – for example, product names and descriptions can be translated to various foreign languages, and if a customer selects a specific language, translated titles will be shown in the signup form. We will continue to work toward making aMember ready for multi-language websites.
  • There is a special “Build Demo” function available to fill the Member database with random user records to make testing easier.
  • New “HelpDesk” module. Customers can contact you – create tickets and you may answer them from aMember CP. Customer will be notified about response by e-mail.
  • Recaptcha integration – if configured, it can be used in signup forms, and it will be required after a user enters a wrong password 5 times, instead of imposing delays.
  • New Affiliate Program module – you must see it
  • The new affiliate program now records “leads”. So, for any referred customer, you will know what banner or link he clicked, and when he first came to your website.
  • You can upload affiliate banners, marketing materials, and lightboxes right from the admin interface.
  • Flexible, rule-based affiliate commission configuration is possible. You can define commission based on product, the affiliate's sales last month, and other parameters.
  • Skip configured signup form bricks for some payment processors – not yet enabled, but a cool feature. If we know we will receive the customer name from the payment processor, the name fields will be hidden in the signup form and filled in automatically after payment. This makes the signup form shorter, which always increases sales.
  • create user/invoice/payment based on transaction (if enabled for payprocessor) – well known and popular v3 feature is implemented for v4
  • profile form – email confirmation required before the e-mail address is changed in profile
  • admin interface can be completely translated to foreign languages
  • Multi-currency handling – even if you are selling in different currencies, you define exchange rates by date, and you will get correct reports in the “base currency”.
  • implement partial refunds
  • Export option implemented – on bottom of grid, click “Export” link and you can receive data in CSV or XML format – for all table, or for filtered dataset – on your choice
  • allow access after expiration – for any content item (see “Manage Content”) you can set expiration date to “forever”. In this case customer will have access to the item, even when his subscription expires.
  • Import new e-mail templates on upgrade – e-mail templates for modules are stored in XML files and imported on setup. Additional modules may define their own e-mail templates.
  • Automated upgrade/plugin installer – aMember Pro now has an automated upgrade system like the one implemented in WordPress. This will make site maintenance a lot easier.

Interested? Look at the detailed feature list, illustrated with screenshots, try the online demo, or watch the learning videos.

Upgrading from aMember Pro version 3

It is a good time to upgrade your aMember v3 to v4. Upgrade instructions are available.

How much does upgrade cost?

To reward our loyal customers, we do not set any special upgrade price for this major upgrade. If you ordered aMember Pro less than 6 months ago, or if you have an active “Upgrades&Support” subscription, you do not need to pay extra. Just log in to the members area and you may download the new version to play with it.

If your subscription has expired, you may order an “Upgrades&Support” subscription within the members area; it is only $80 for 12 months, starting from the date of purchase. The amount is the same no matter whether you own 10 or 100 aMember Pro licenses.

Special! If you order a new aMember Pro license, you get another 6 months of upgrades for free, and these updates can be used for your existing websites too!

Security Note 08

07/23/2011

Security issue details

There is a serious security problem found in aMember Pro. It affects all aMember Pro versions from 3.1.7 to 3.3.0. It is absolutely NECESSARY to take action against this and protect your aMember installation.
We understand that upgrading to the latest version is not an easy alternative for customers running old versions of aMember, so an upgrade is NOT NECESSARY. Just follow the fix instructions as described.

Problem details

This vulnerability has been reported to CGI-Central (brought to our attention by ‘sku’) and is not widely known. We have no information about existing exploits for this problem. So we would like to delay disclosure of details for several days, to give all our customers a chance to close the hole.

Methods of protection

Method 1 – Delete vulnerable file

This is very easy and is the RECOMMENDED method of protection if you are not using the webaffair payment plugin.

If you are not using aMember’s webaffair payment plugin, just FTP to your website and remove the file named amember/plugins/payment/webaffair/ipn.php.

That is all. You are protected and safe.

Method 2 – Update file

ONLY if you are using the webaffair payment system, contact the aMember Pro support team via the helpdesk to get the updated file, then upload the file to amember/plugins/payment/webaffair/ipn.php.

That is all. You are protected and safe.

Security Note 07

07/12/2011

Security issue details

There is a serious security problem found in aMember Pro. It affects all aMember Pro versions up to 3.2.3. It is absolutely NECESSARY to take action against this and protect your aMember installation.
We understand that upgrading to the latest version is not an easy alternative for customers running old versions of aMember, so an upgrade is NOT NECESSARY. Just follow the fix instructions as described.

Problem details

This vulnerability has been reported to CGI-Central and is not widely known. We have no information about existing exploits for this problem. So we would like to delay disclosure of details for several days, to give all our customers a chance to close the hole.

Methods of protection

Method 1 – Delete vulnerable file

This is very easy and is the RECOMMENDED method of protection if you are not using the affiliate program features of aMember.

If you are not using aMember’s built-in affiliate program, just FTP to your website and remove the file named aff.php. Please do not delete the file named aff.inc.php.

That is all. You are protected and safe.

Method 2 – Update file

If you are using aMember Pro 3.1.8 or later:

  1. Download the aff.php file.
  2. FTP to your website and go to the amember folder.
  3. Upload the file aff.php, replacing the existing file on your website.

That is all. You are protected and safe.

Updating older version

If you are using aMember Pro version 3.1.7 or earlier, and you are using the affiliate program features of aMember, there are 2 ways to go:

  • Upgrade to latest version (3.2.4 or 3.3.0BETA)
  • Contact CGI-Central support via the helpdesk, and attach your existing file aff.php. We will respond with a fixed file.

aMember Pro 3.2.3 (new features) released

10/14/2010

Release target: bug fixes, improvements, new plugins
Changes since 3.1.9

3.2.3 (Oct-13-2010)
- New payment plugins: bluepay_r, mpay
- New setting for Incremental Content plugin: allow users to use links that were released while the product was active, after expiration of the product
- Several Modifications in language files.
- Payment plugins fixes: twocheckout_r, paycom, paypal_pro, 1shoppingcart, ogone, clickbank
- Integration plugins fixes: incremental_content, invision3, oscommerce, subusers
- "Allow to create new users" option for 1SC plugin (works for non-recurring payments only)
- Ability to add tabs in member's area from plugins or site.inc.php
- Added separate signup email template for affiliates
- Login as user functionality for aMember CP.

3.2.2 (Sep-08-2010)
- Integration plugin fixes: phpBB3, subusers
- Payment plugins fixes: paypal_r, google_checkout, quickpay, mydosh, twocheckout_r
- "Allow to add users from IPN messages": Clickbank and PayPal plugins now use that new functionality

3.2.1 (Aug-27-2010)
- Payment plugins fixes: paypal_r
- Integration plugins fixes: 4images
- New hooks defined to manage design.
- Helper functions for templates implemented.
- Change affiliate UI fixes.

3.2.0 (Aug-25-2010)
- Fixed security issue
- New payment plugins:
fastspring, plimus, clear2pay, paynl, netbilling_form,
pay900, dibs, securepayau, premier_ps, mydosh
- New integration plugins: silverstripe, smf2, pap, sendpepper, mybb
- jQuery updated to v1.4.2
- Payment plugins fixes:
gtbill, paypoint, clickbank, google_checkout, beanstream_remote,
quickpay, segpay, authorize_cim, sagepayments, cc_core, paypal_r,
paypal_pro, alertpay, moneris, zombaio,
- Integration plugin fixes:
vbulletin, joomla(added Jomsocial support), invision3, smf,
mambo, drupal, wordpress, bbpress, 4images, discus, openrealty,
pmd, isoft, subusers
- Implemented suggestions from this thread http://www.amember.com/forum/showthread.php?p=44712, to make integration with WordPress themes easier
- Several fixes in templates and core aMember files.
- Fixed issue with coupons not being applied to products with free trial
- "Confirm email" function when email changed in profile
- Several modifications related to taxes. Added tax calculation for payments that are added manually from aMember CP. Added tax value to payment reports.
- Implemented price groups for additional fields; it is now possible to include a field depending on price_group on signup and profile pages.
- Japanese language support added
- New report for cancelled users
- Added support of multiple PayPal accounts (per product)
- Added ability to create an account after direct payment on PayPal (experimental)
- Added small payouts report to affiliate area
- Fixed several bugs in newsletters
- Change affiliate and assign affiliate functionality added in aMember CP
- Added "Affiliates" filter to amember CP -> Browse users
- Referred users report for each affiliate in aMember CP
- New plugin that allows adding an additional subscription to a user's account when the user purchases a product
- New config option : Number of days for payment report on admin index page

aMember Pro <-> Facebook integration gate has been developed

07/08/2010

Rob Woodgate just reported that a Facebook Connection plugin for aMember has been developed.

  • Members could login to their account on your site using their Facebook ID and new members have their signup form prefilled with information from Facebook!
  • Your Facebook members can share status updates about your membership site with their friends!

Please have a look at the forum post and at the plugin author's website.

WordPress plugin is now free

07/02/2010

We are happy to announce that our most popular integration plugin – WordPress – is now free ($40). Also, please have a look at the beta of another WordPress integration plugin we have developed – it is even easier to use and more powerful.