Security Patch for ALL VERSIONS of nBill

[netshine]

A new directory traversal issue has been discovered in nBill, affecting ALL VERSIONS. ALL users of nBill must apply the appropriate patch. I will reply to this topic with the relevant patch files for each version.

Please Note: This vulnerability is currently being actively used by hackers to try to retrieve sensitive information from servers where nBill is running. In most cases, if your server security is tight (open base_dir restriction in effect, or suPHP in use), the effects should not be serious, however it is important that you patch your installation as soon as possible. If you are not already running the latest version (2.0.9 standard edition, 2.0.10 lite edition, or 1.2_10), you must upgrade first, then apply the appropriate patch below.

[netshine]

For nBill 2.0.9 Standard Edition, please replace the following files with the attached:

/administrator/components/com_nbill/admin.nbill.php
/components/com_nbill/nbill.php

[attachment deleted by admin]

[netshine]

For nBill 2.0.10 LITE edition, please replace the following files with the attached:

/administrator/components/com_nbill/admin.nbill.php
/components/com_nbill/nbill.php

[attachment deleted by admin]

[netshine]

For nBill 1.2_10, please replace the following files with the attached:

/administrator/components/com_netinvoice/admin.netinvoice.php
/components/com_netinvoice/netinvoice.php

[attachment deleted by admin]

[netshine]

For the version 2.1.0 BETA release, please replace the following files with the attached:

/administrator/components/com_nbill/admin.nbill.php
/components/com_nbill/nbill.php

[attachment deleted by admin]

[Antoine]

Are the current downloadable versions already patched ?

[netshine]

Yes

[snaffle]

Hi there,

I've just downloaded the patch files for the Standard Edition 2.0.9 and I get the following error on my front end forms after uploading them...

The encoded file /var/www/vhosts/domain.com/httpdocs/components/com_nbill/nbill.php is corrupt.

I've changed the domain name as I didn't want to advertise I'm running nBill if there's a security flaw :-)

Any ideas why I might be getting this message?

Thanks

Nathan

[netshine]

One or two people seem to have had problems with downloading the patch files from the forum. This might be because the forum software scrambles the files and puts them back together again for download (works fine for most people though). I suggest you try downloading the whole component (from here: http://www.nbill.co.uk/component/option,com_docman/Itemid,10/task,cat_view/gid,11/), unzip it on your computer, and just upload the nbill.php file.

[snaffle]

Thanks, those method work fine.