Bernard Sfez blog and notes

Tiki Express tutorials, notes and security-related information.
A good part relates to Tiki Wiki, the complete web application builder.
Others relate to the technologies used with my ready-to-use Web Applications.

Drupal modules vulnerability, THE third party plugins issue (again)

Author: Bernard Sfez - Published

Drupal is calling upon its users to patch a dangerous remote code execution hole that can easily let attackers hijack sites. The content management system has some 15 million downloads, compared to WordPress with 140 million and Joomla with 30 million. Drupal is deployed on big-ticket and business sites, including nine percent of the world’s 10,000 most popular sites.

Even though Drupal core is not affected and not all sites will be impacted, the issue again raises the question of third-party modules/plugins/add-ons that are not part of the core code but may cause significant damage to the project itself, your users, your business and all your hard work. It is critical to review the published advisories (July 12 2016) to determine whether any modules you currently use have been flagged.

Security update: Tiki 15.2, Tiki 14.4 and Tiki 12.9 released!

Author: Bernard Sfez - Published

The Tiki Community has released updates to all current versions of Tiki Wiki CMS Groupware. This update addresses a critical vulnerability found in third-party code that is included with Tiki. The update also includes many fixes and updates.

Special thanks to Mehmet Dursun İNCE of www.invictuseurope.com and to Robert Abela of www.netsparker.com for their cooperation and assistance in reporting the security issues.

We highly encourage all Tiki administrators to update their sites to the latest Tiki versions: Tiki 15.2, Tiki 14.4, and Tiki 12.9 LTS.

Visit https://tiki.org/Download to update to the latest version.

Tiki Wiki 15 successfully launched

Author: Bernard Sfez - Published

I’m pleased to announce the release of Tiki Wiki 15, the latest LTS (Long Term Support) version of Tiki Wiki CMS Groupware.
Tiki Wiki 15 brings numerous new features, enhancements and bug fixes, and completes the transition to the Bootstrap framework for easy theming and full smart-device support.

As the release manager of this version I can proudly say that the team did very impressive work to deliver a very stable and bug-free version of Tiki Wiki CMS. We did more than our best to track and fix regressions as well as bugs, and already several hundred sites (bsfez.com among them, of course) have been successfully upgraded and are in production. After 20 days of intensive usage I can confirm that this release of Tiki Wiki kept its promise to deliver to our broad user and customer base a robust web application they can rely on.

Tiki Wiki CMS Groupware 15 is beta!

Author: Bernard Sfez - Published

Tiki's next LTS (Long Term Support) generation is almost final, and reports so far are excellent: almost no regressions or problems regarding the dozens of new features and options. With 194 commits between alpha and beta, the team successfully nailed all the blockers and improved several key features within Tiki Wiki.

More information about the changes and the new features is available at Doc.Tiki.
Tiki 15 Beta is available at SourceForge.
If you catch a bug during your install and test, please report it at Dev.Tiki.

FortiOS SSH Undocumented Interactive Login Vulnerability

Author: Bernard Sfez - Published

Ouch... after an "unauthorized" backdoor was found in Juniper Networks' ScreenOS firewalls, the first report of highly suspicious code in FortiOS has been confirmed and tested as an SSH backdoor that can be used to access the firewall equipment.

This issue affected all FortiOS versions from 4.3.0 to 4.3.16 and 5.0.0 to 5.0.7, which cover FortiOS builds released between November 2012 and July 2014.
Proof-of-concept exploit code was made available online by an anonymous user (operator8203@runbox.com), who posted it on the Full Disclosure mailing list this week, helping wannabe hackers generate the backdoor's dynamic password. The FortiOS SSH backdoor can then be accessed via the Fortimanager_Access username.

Are DoS attacks just crashing or disrupting your service on the internet?

Author: Bernard Sfez - Published

From what we are monitoring, DoS (denial of service) attacks, and their distributed variant DDoS, are the most common weapon on the worldwide and Middle East scene. They are cheap, easy to set up and do not require much knowledge. IT admins tend to think the technique consists only of overloading the target servers by exponentially increasing the number of requests reaching them. But can it really hurt a target's business, or even disrupt a country's services, for more than a short period of time?

Besides direct motives for a DoS attack, such as blackmail, harming a competitor or political reasons, are there other, more indirect motives?
Would it be possible to obtain data from, or even take control of, the service with a DoS attack?

How Social Media is transforming CRM

Author: Bernard Sfez - Published

It’s big news these days for tech watchers: CRM software stalwarts are rapidly acquiring startups that enable businesses to manage the increasing number and variety of social media platforms better. Oracle (ORCL) bought Vitrue to help it publish and manage social media campaigns, and the company just announced the acquisition of Collective Intellect to help it monitor social chatter. Salesforce.com (CRM) purchased social media performance and sentiment tracking company Radian6 and now is acquiring Buddy Media, a Vitrue competitor.

So there is a strong link between social media and CRM, and one can no longer be handled properly without understanding the other.
Here is a small and easy-to-digest approach to understanding how it can benefit your business.

Magento and Joomla RCE vulnerability endangering the platforms and their servers

Author: Bernard Sfez - Published

A critical Remote Code Execution (RCE) vulnerability has been found and confirmed on Magento, the e-commerce platform owned by eBay. The vulnerability affects hundreds of thousands of online merchants worldwide and, if exploited, could allow an attacker to completely compromise any online store powered by Magento and gain access to credit card details and other financial as well as personal information about the customers.

The vulnerabilities that lead to the remote code execution (RCE) flaw are present in the Magento core code and affect the default installation of both Magento Community and Magento Enterprise Editions.

Password, Passkey, Access, Login and Credentials: why?

Author: Bernard Sfez - Published

While there are plans to move identification to the next level with a microchip implanted under our skin, passwords are now a part of life for most of us. I wrote life and not digital life because there is no longer any such distinction.

Realize that your family, personal, business and financial life is protected by a few strings of characters. So a (big) yes, good passwords are important, no matter how painful it is to manage them. And manage them you must: it is important to change them from time to time, to have a password for everything, or at least a distinct password for each group of locks, and to take the time rather than avoiding complication by bypassing simple security practice.

As always, I'll try to Keep It Simple, Stupid, using a handy guide published by the F-Secure team that will help you improve your everyday security to protect your privacy and business assets.