Support Resources - Security Notices

pair Networks technicians frequently become aware of security
vulnerabilities in various software packages our customers may rely on.
In the case of software we install and maintain, we make every effort to
promptly update and/or patch such vulnerabilities.
Vulnerabilities in other packages will be documented here, so that customers
who may be affected will know to update their software. Common examples of
software that might be affected include message board systems, custom
installations of PHP, and popular CGI scripts.
Significant updates to this page will always be announced on System Notices.
Therefore, to receive updates for this page, you may sign up for the
System Notices mailing list.
There is no warranty implied or expressed regarding the presence or absence
of any information on this page, nor its accuracy, usefulness, timeliness,
etc. This is a public service we provide to our customers. It is not
possible to monitor security reports on all possible software packages, nor
from all possible sources. Responsibility for the security of a customer's
account still rests with the customer.
Please note that in general we recommend checking the Web sites for the
owner or author of any software packages you may use; often security
announcements and updates will appear there promptly. For any package,
you should also ensure that you are using a recent, stable version
downloaded from a trusted site, such as an official mirror.
We recognize that there are thousands of packages out there and it is
impossible to track them all for problems. We will cover the most popular
packages here, as we become aware of vulnerabilities. Please keep in
touch with the developer of any package you use to be aware of new fixes
as they become available.
March 3, 2007: WordPress
Any user who may have upgraded to WordPress 2.1.1 in the past 7 days is
advised to immediately update to 2.1.2, as the 2.1.1 release included malicious
code added by a hacker.
More information is available at:
http://wordpress.org/development/2007/03/upgrade-212/
July 6, 2006: Geeklog
All versions of Geeklog prior to 1.4.0sr4 are vulnerable to multiple
remote file-include exploits because they fail to properly sanitize
user-supplied input. A successful exploit of these issues allows
the attacker to execute arbitrary server-side script code on the
server with the privileges of the webserver process, or as the main
account user if PHP-CGIWrap is being used. All customers using Geeklog
are urged to update to the latest version, 1.4.0sr4. More
information is available at:
http://www.geeklog.net/article.php/exploit-for-fckeditor-filemanager.
June 21, 2006: Geeklog
All versions of Geeklog prior to 1.4.0sr3 and 1.3.11sr6 are vulnerable
to multiple cross-site scripting and SQL-injection vulnerabilities. A
successful exploit of these vulnerabilities could allow an attacker to
compromise the application, access or modify data, steal cookie-based
authentication credentials, or even exploit vulnerabilities in the
underlying database. All customers using Geeklog are urged to update to
the latest versions. More information is available at:
http://www.geeklog.net/article.php/geeklog-1.4.0sr3.
March 8, 2006: Geeklog
All versions of Geeklog earlier than 1.4.0sr2 and 1.3.11sr5 are
subject to serious vulnerabilities that can include the ability of
allowing anyone to log in as any user. All customers using Geeklog
are urged to update to the latest versions. More information is
available at http://www.geeklog.net/article.php/geeklog-1.4.0sr2.
February 20, 2006: Geeklog
All versions of Geeklog earlier than 1.4.0sr1 and 1.3.11sr4 are subject to
serious vulnerabilities that can include the injection and execution of
arbitrary code. All customers using Geeklog are urged to update to the
latest versions. More information is available at http://www.geeklog.net/article.php/geeklog-1.4.0sr1.
November 15, 2005: phpAdsNew
A new version was released yesterday which addresses several exploitable
security issues. All customers using phpAdsNew are urged to update to new
version 2.0.7. More details are available here.
October 31, 2005: phpBB
Versions earlier than 2.0.18 are subject to several security vulnerabilities.
All customers using phpBB are urged to update to the latest version. More
details are available here.
August 15, 2005: WordPress
Versions earlier than 1.5.1.4 are subject to a security vulnerability in the
handling of cookies, which allows an attacker to run arbitrary commands.
All customers using WordPress are urged to update to the latest version.
June 28, 2005: phpBB
Versions earlier than 2.0.16 are subject to a "critical" security vulnerability.
All customers using phpBB are urged to update to the latest version. More
details are available here.
May 26, 2005: ikonBoard
ikonBoard 3.1.2 or older has a serious vulnerability related to cookie
handling. This is a remote exploit that has remained unpatched for over
two years. The current release version, 3.1.2, does not fix the problem.
Users should download a beta build of 3.1.3 from here.
May 9, 2005: phpBB
Versions earlier than 2.0.15 are subject to a "serious" security vulnerability
in the bbcode.php script. All customers using phpBB are urged to update to
the latest version. More details are available here.
February 25, 2005: AWStats
The main AWStats program, typically installed at /cgi-bin/awstats.pl,
is vulnerable to a remote exploit, and this vulnerability is being found and
abused by automated scanning processes. All customers who use this script
should password-protect access to it, and should also upgrade to the
latest version, which is 6.4.
The upgrade is available here.
February 23, 2005: phpBB
Versions earlier than 2.0.13 are subject to several file disclosure and
deletion exploits, as well as privilege escalation within the context
of the message boards.
We recommend that all customers using phpBB upgrade to the latest version.
More details are available here and here.
February 22, 2005: vBulletin
Versions earlier than 3.0.7 are vulnerable to a remote exploit if a
certain template option is enabled. The patch and upgrade are available
only to registered users; please read about it here.
February 2, 2005: Squirrelmail
Versions earlier than 1.4.4 are vulnerable to several cross-site scripting
attacks. Please download the new version here.
November 22, 2004: phpBB
Versions earlier than 2.0.11 are vulnerable to an exploit through the
highlighting functionality. This is a serious vulnerability; a one-line
patch is available here.
November 12, 2004: Squirrelmail
Versions 1.4.3a and earlier, and development versions prior to 10/23/04,
are subject to a potential cross-site scripting attack. Read the security
notice here and download the update from here.
August 21, 2004: Gallery 1.4.4-pl1
Prior to 1.4.4-pl1, users with permission to upload photos can create
arbitrary files instead. Please fetch 1.4.4-pl1 or newer from here.
March 4, 2004: Calendarscript
Prior to 3.21, remote intruders can easily execute commands on any server
account using Calendarscript. Please fetch 3.21 or newer from here.
January 29, 2004: Geeklog
There are significant vulnerabilities in Geeklog versions prior
to 1.3.8-1sr4 and 1.3.7sr5. Please fetch the new code from here.
January 27, 2004: Gallery 1.3.x through 1.4.1
A remote intruder can compromise Gallery installations using a specially
crafted URL; this is fixed in release 1.4.1-pl1 and the upcoming 1.4.2.
Please download updated Gallery code from here.
July 15, 2003: EZMall2000
This software has been discontinued by its author, in favor of their new
software, QuikStore. There are multiple vulnerabilities in some, possibly
all, versions of EZMall2000, and its use is not recommended on our servers.
June 6, 2003: Geeklog 1.3.7sr2
A vulnerability in Geeklog 1.3.7sr1 can allow an attacker to gain Admin
control over a Geeklog site. Please update to 1.3.7sr2 as soon as
possible, or use the patch described on the linked page.
May 22, 2003: Gallery 1.3
Another remote access vulnerability in Gallery is being actively
exploited. The latest version, 1.3.3, fixes this problem and can be
found on the official site.
October 22, 2002: phpWebSite 0.8.3
A remote access vulnerability in phpWebSite, versions 0.8.2 and earlier,
is being actively exploited to deface Web sites. Please upgrade to 0.8.3
or later to protect your Web site if you use this software.
July 31, 2002: Gallery 1.3
A remote access vulnerability in Gallery has been announced. The fixed
version, 1.3.1, as well as a patch for all versions, is available from
the Gallery site.
July 30, 2002: phpNuke prior to 5.6
Several users have recommended that all phpNuke users upgrade to the
latest version, 5.6, which was released June 4, 2002. There are known
vulnerabilities being exploited in some previous versions.
July 28, 2002: phpBB with Gender Mod
phpBB 2.x with the Gender Mod is vulnerable to an attack that allows
users to give themselves administrative privileges.
Details and patch.
July 24, 2002: Phorum prior to 3.3.2c
The latest stable version of Phorum, 3.3.2c, includes security fixes for
vulnerabilities which are being actively exploited.
Download 3.3.2c.
July 22, 2002: PHP 4.2.0 and 4.2.1
Beginning with PHP 4.2.0, a serious security vulnerability was inadvertently
introduced. Anyone running PHP 4.2.0 or 4.2.1 needs to upgrade to 4.2.2
as soon as possible.
Details and download.
June 21, 2002: SquirrelMail prior to 1.2.7
There have been major rewrites and bug fixes in SquirrelMail leading up
to the most current version, 1.2.7.
Download 1.2.7.
If you are aware of any recent security issues not covered here, please
let us know and we will investigate.