Author Topic: Security Patch for ALL VERSIONS of nBill

Offline netshine

  • Administrator
  • Hero Member
  • Posts: 5,282
Security Patch for ALL VERSIONS of nBill
« on: 05/November/2010, 05:14:50 PM »
A new directory traversal issue has been discovered in nBill, affecting ALL VERSIONS. ALL users of nBill must apply the appropriate patch. I will reply to this topic with the relevant patch files for each version.

Please Note: This vulnerability is currently being actively used by hackers to try to retrieve sensitive information from servers where nBill is running. In most cases, if your server security is tight (open_basedir restriction in effect, or suPHP in use), the effects should not be serious; however, it is important that you patch your installation as soon as possible. If you are not already running the latest version (2.0.9 standard edition, 2.0.10 lite edition, or 1.2_10), you must upgrade first, then apply the appropriate patch below.
« Last Edit: 05/November/2010, 05:28:18 PM by netshine »

Offline netshine

Re: Security Patch for ALL VERSIONS of nBill
« Reply #1 on: 05/November/2010, 05:15:51 PM »
For nBill 2.0.9 Standard Edition, please replace the following files with the attached:

/administrator/components/com_nbill/admin.nbill.php
/components/com_nbill/nbill.php

[attachment deleted by admin]

Offline netshine

Re: Security Patch for ALL VERSIONS of nBill
« Reply #2 on: 05/November/2010, 05:18:10 PM »
For nBill 2.0.10 LITE edition, please replace the following files with the attached:

/administrator/components/com_nbill/admin.nbill.php
/components/com_nbill/nbill.php

[attachment deleted by admin]

Offline netshine

Re: Security Patch for ALL VERSIONS of nBill
« Reply #3 on: 05/November/2010, 05:24:55 PM »
For nBill 1.2_10, please replace the following files with the attached:

/administrator/components/com_netinvoice/admin.netinvoice.php
/components/com_netinvoice/netinvoice.php

[attachment deleted by admin]

Offline netshine

Re: Security Patch for ALL VERSIONS of nBill
« Reply #4 on: 05/November/2010, 05:41:58 PM »
For the version 2.1.0 BETA release, please replace the following files with the attached:

/administrator/components/com_nbill/admin.nbill.php
/components/com_nbill/nbill.php

[attachment deleted by admin]

Offline Antoine

  • Sr. Member
  • Posts: 154
Re: Security Patch for ALL VERSIONS of nBill
« Reply #5 on: 17/November/2010, 01:12:19 AM »
Are the current downloadable versions already patched?

Offline netshine

Re: Security Patch for ALL VERSIONS of nBill
« Reply #6 on: 17/November/2010, 10:06:01 AM »
Yes

Offline snaffle

  • Full Member
  • Posts: 31
Re: Security Patch for ALL VERSIONS of nBill
« Reply #7 on: 25/November/2010, 08:28:11 AM »
Hi there,

I've just downloaded the patch files for the Standard Edition 2.0.9 and I get the following error on my front end forms after uploading them...

The encoded file /var/www/vhosts/domain.com/httpdocs/components/com_nbill/nbill.php is corrupt.

I've changed the domain name as I didn't want to advertise I'm running nBill if there's a security flaw :-)

Any ideas why I might be getting this message?

Thanks

Nathan

Offline netshine

Re: Security Patch for ALL VERSIONS of nBill
« Reply #8 on: 25/November/2010, 08:32:35 AM »
One or two people seem to have had problems with downloading the patch files from the forum. This might be because the forum software scrambles the files and puts them back together again for download (works fine for most people though). I suggest you try downloading the whole component (from here: http://www.nbill.co.uk/component/option,com_docman/Itemid,10/task,cat_view/gid,11/), unzip it on your computer, and just upload the nbill.php file.

Offline snaffle

Re: Security Patch for ALL VERSIONS of nBill
« Reply #9 on: 25/November/2010, 09:41:23 AM »
Thanks, that method works fine.