News » 16.10.2009 - phpDenora SECURITY release

It has come to our attention from bubby (from the 6667.eu network) that phpDenora has an SQL injection vulnerability. All 1.2 versions up to 1.2.3 and 1.4 versions up to 1.4.2 are believed to be vulnerable.
Please upgrade ASAP to 1.4.3 (for php 5.2 and 5.3) or 1.2.4 (if you're still stuck with old php versions) .
After upgrading, please take the following measures:

  • Change all your denora admin passwords
  • Make sure you change your ircop passwords as well, if they happen to be the same
Basically the vulnerability allows anyone to execute arbitrary sql queries, e.g. reading and altering all tables in the db, including the admin table. Although the admin passwords are MD5-encrypted, if they are not that complicated they can still easily be cracked. Also, as Denora only allows login for users that are opered up, this security issue does not pose an imminent menace. However, if you allow oper from any host and the password is the same as the denora admin password, you are highly at risk.

Even if you think your admin passwords are safe, you NEED to upgrade phpDenora in order to avoid database corruption.

I can't stress it enough: upgrade phpDenora NOW.

Please accept my apology for this screwup :(

- Hal9000