CRM-11330 Remove Open Flash Chart from packages, to prevent hacking via remote PHP code execution

Details

• Type: Bug
• Status: Done/Fixed
• Priority: Major
• Resolution: Fixed/Completed
• Affects Version/s: 4.1.6, 4.2.6
• Fix Version/s: 4.2.7, 4.3.0
• Component/s: None

Description

My Drupal site was recently hacked, using the 'ofc_upload_image.php' file's uncorrected vulnerability to remote PHP code execution.

I suggest that Open Flash Chart be removed from CiviCRM's default packages until it is fixed.

For more details, see: http://www.cvedetails.com/cve/CVE-2009-4140/ or http://www.securityfocus.com/bid/37314/info

Activity

Donald A. Lobo added a comment -

We removed that file from the distribution in a 4.2.x release. I just removed it from packages.org.

In 4.3, we've upgraded to the new version, which is hosted on Google Code.

http://issues.civicrm.org/jira/browse/CRM-11202

People

• Assignee: Donald A. Lobo
• Reporter: Adelle Frank
