Lee
Post subject: Security Update Available for HW3php, perl and asp
Posted: Fri Sep 29, 2006 4:54 pm
Joined: Sat Jan 19, 2002 8:00 pm Posts: 10690 Location: Woodstock, GA
This afternoon HAMweather, LLC was notified of a security issue that could allow remote code execution via the HAMweather scripts. The security issue was found by James of GulfTech Security Research:
http://www.gulftech.org/
Within a couple hours of the security report, we released a patch for all versions to correct the issue. It is highly recommended that you update your HAMweather installation immediately. You may download the Security patch for your HAMweather 3 version via the links below:
HW3php
HW3perl
HW3asp
We have also released new full distributions which include the security update. They are available via the downloads page.
HAMweather, LLC takes security seriously and is committed to ensuring that the HAMweather software is an excellent product.
_________________ Lee Huffman HAMweather, LLC
http://www.hamweather.com

mattlech
Posted: Fri Sep 29, 2006 6:50 pm
Joined: Fri Oct 03, 2003 8:00 pm Posts: 1543 Location: Iowa

wham
Posted: Fri Sep 29, 2006 7:21 pm
Joined: Mon Feb 07, 2005 6:28 pm Posts: 342 Location: Chugiak, Alaska
So far, my Perl patch hasn't presented any problems or error messages.
I wonder if there is any way to tell whether our sites have been exploited (prior to this patch) by this security issue? I mean, would we even have known if our sites were being compromised?
I also wonder what would have given rise to this guy from gulftech coming forward with this. He doesn't appear to have HW running anywhere, so how would he have known about this, unless...?

Lee
Posted: Fri Sep 29, 2006 8:12 pm
Joined: Sat Jan 19, 2002 8:00 pm Posts: 10690 Location: Woodstock, GA
mattlech wrote: Wow thanks for the update. Btw I'm getting an error message that came up after the security update about the cookie file.
For php users who get this error, redownload & install the patch and this error should go away as we just updated the patch.
_________________ Lee Huffman HAMweather, LLC
http://www.hamweather.com

Lee
Posted: Fri Sep 29, 2006 8:19 pm
Joined: Sat Jan 19, 2002 8:00 pm Posts: 10690 Location: Woodstock, GA
wham wrote: So far, my Perl patch hasn't presented any problems or error messages.
I wonder if there is any way to tell whether our sites have been exploited (prior to this patch) by this security issue? I mean, would we even have known if our sites were being compromised?
I also wonder what would have given rise to this guy from gulftech coming forward with this. He doesn't appear to have HW running anywhere, so how would he have known about this, unless...?
Gulftech is a security firm that looks into security issues of web applications. They contacted HAMweather in a manner that was very professional with the handling of the security issue.
To our knowledge, prior to the release of the notification of this security issue, there have been no reported users exploited by this issue.
_________________ Lee Huffman HAMweather, LLC
http://www.hamweather.com

wham
Posted: Fri Sep 29, 2006 8:54 pm
Joined: Mon Feb 07, 2005 6:28 pm Posts: 342 Location: Chugiak, Alaska
Just noticed that my personalization isn't working anymore. HW doesn't seem to recall the place name or other settings (with the patch code added). I will have to revert to my previous code at akweb.com and at uisf.com (they're busy sites), but you can confirm this at wsurfer.com until this is resolved.
I don't really get that many users at wsurfer.com, so I'll leave the patch up there temporarily.
Last edited by wham on Fri Sep 29, 2006 9:05 pm, edited 1 time in total.

Lee
Posted: Fri Sep 29, 2006 9:02 pm
Joined: Sat Jan 19, 2002 8:00 pm Posts: 10690 Location: Woodstock, GA
wham wrote: Just noticed that my personalization isn't working anymore. HW doesn't seem to recall the place name (with the patch code added). I will have to revert to the previous code at akweb.com and uisf.com, but you can confirm this at wsurfer.com until this is resolved.
It is highly recommended you do not revert back to the previous code. Doing so opens you up to potential security issues, especially now that the issue has been made public. I recommend you leave the new code while we sort out the remaining issues. An update will be made later tonight.
_________________ Lee Huffman HAMweather, LLC
http://www.hamweather.com

wham
Posted: Fri Sep 29, 2006 9:06 pm
Joined: Mon Feb 07, 2005 6:28 pm Posts: 342 Location: Chugiak, Alaska
Then I'll ask again... How would we know if we were being exploited? I asked before, but you never responded to that question.
I am not going to effectively disable all my users' personalization, when I can exercise some sort of diligence to watch for signs of exploitation -- whatever those are.
I checked with my netadmin, and they tell me that they have software installed on my v-dedicated account which should prevent such remote code execution.
Last edited by wham on Fri Sep 29, 2006 9:13 pm, edited 2 times in total.

Nick
Posted: Fri Sep 29, 2006 9:09 pm
Joined: Mon Feb 04, 2002 8:00 pm Posts: 5317 Location: Seattle, WA
More than likely you would definitely know if your site was exploited, which would result in abnormal functionality on your site. If nothing has been changed or is running improperly, then odds are your site was not exploited. You can also check your server logs to review recent activity, but most server logs are only archived for a couple days to a week.
_________________ Nick Shipes HAMweather, LLC urban10 interactive nickshipes.com
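A concrete way to do the log review Nick describes, added here as an example that is not part of the thread or of HAMweather's code: a Python triage script over Apache combined-format access logs that flags requests to the weather scripts which produced server errors, used an unusual method, carried oversized parameter values, or carried shell metacharacters or path traversal sequences in a parameter, and then counts flagged requests per client address. The script path prefix, the length threshold and the sample log lines are constructed assumptions and should be replaced with the real paths and a real log on the server being checked.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed Apache "combined" log sample; these lines are invented for this
# example and do not come from the forum thread or from any real server.
SAMPLE_LOG = """\
203.0.113.5 - - [29/Sep/2006:16:55:01 -0400] "GET /cgi-bin/hw3/weather.pl?config=default&place=30188 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [29/Sep/2006:16:55:02 -0400] "GET /index.html HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.7 - - [29/Sep/2006:17:02:13 -0400] "GET /cgi-bin/hw3/weather.pl?config=..%2F..%2Fx HTTP/1.1" 500 321 "-" "curl/7.15"
198.51.100.7 - - [29/Sep/2006:17:02:20 -0400] "GET /cgi-bin/hw3/weather.pl?config=default&place=Woodstock%3Bfoo HTTP/1.1" 200 640 "-" "curl/7.15"
198.51.100.7 - - [29/Sep/2006:17:02:31 -0400] "GET /cgi-bin/hw3/weather.pl?config={long} HTTP/1.1" 200 640 "-" "curl/7.15"
this line is not in combined log format
""".replace("{long}", "A" * 300)

# Apache "combined" log format: ip ident user [timestamp] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

SCRIPT_PREFIX = "/cgi-bin/hw3/"  # assumption: where the HAMweather CGI scripts live on this host
MAX_PARAM_LEN = 200              # assumption: longer than any value a weather page legitimately needs
# Shell metacharacters and path traversal sequences in a decoded parameter value.
SUSPECT_CHARS = re.compile(r"[;|`$<>]|\.\./")


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not in combined format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def reasons_for(entry):
    """List the reasons a request to a HAMweather script deserves a closer look (empty if none)."""
    reasons = []
    parts = urlsplit(entry["target"])
    if not parts.path.startswith(SCRIPT_PREFIX):
        return reasons                       # only requests to the weather scripts are of interest
    if entry["status"].startswith("5"):
        reasons.append("server error %s" % entry["status"])
    if entry["method"] not in ("GET", "HEAD"):
        reasons.append("unusual method %s" % entry["method"])
    # parse_qsl percent-decodes the values, so the checks run on what the script actually saw
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if len(value) > MAX_PARAM_LEN:
            reasons.append("oversized parameter %s (%d chars)" % (name, len(value)))
        if SUSPECT_CHARS.search(value):
            reasons.append("suspicious characters in parameter %s" % name)
    return reasons


def triage(log_text):
    """Parse a log; return the flagged entries and the number of lines that could not be parsed."""
    flagged, unparsed = [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            unparsed += 1
            continue
        reasons = reasons_for(entry)
        if reasons:
            flagged.append({"ip": entry["ip"], "ts": entry["ts"], "target": entry["target"],
                            "status": entry["status"], "reasons": reasons})
    return flagged, unparsed


def by_client(flagged):
    """Count flagged requests per client address, to spot one source probing repeatedly."""
    return Counter(f["ip"] for f in flagged)


if __name__ == "__main__":
    flagged, unparsed = triage(SAMPLE_LOG)
    for f in flagged:
        print(f["ts"], f["ip"], f["status"], f["target"][:60], "; ".join(f["reasons"]))
    print("per client:", dict(by_client(flagged)), "unparsed lines:", unparsed)
```

On a real server, feed the script the access log covering the window between the advisory and the patch; a burst of flagged requests from one address, or any 500 from the weather scripts that the site did not produce before, is what justifies a closer look at the files the scripts can write to. Because logs are often rotated within days, as Nick notes, copying them aside before they age out matters more than the exact rules used here.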

wham
Posted: Fri Sep 29, 2006 9:12 pm
Joined: Mon Feb 07, 2005 6:28 pm Posts: 342 Location: Chugiak, Alaska
Still. You're not telling me precisely what it is I would be looking for, in my logs, or otherwise, which would indicate remote code execution or exploitation.
Last edited by wham on Fri Sep 29, 2006 9:15 pm, edited 1 time in total.

Lee
Posted: Fri Sep 29, 2006 9:14 pm
Joined: Sat Jan 19, 2002 8:00 pm Posts: 10690 Location: Woodstock, GA
wham,
You can now redownload the HW3perl security patch; it has been updated to correct the cookie issue that you found.
I am also sending you a PM.
_________________ Lee Huffman HAMweather, LLC
http://www.hamweather.com

wham
Posted: Fri Sep 29, 2006 9:32 pm
Joined: Mon Feb 07, 2005 6:28 pm Posts: 342 Location: Chugiak, Alaska
Got your PM. Thanks for the improved explanation. Downloaded the patch again, but still personalization is not working at my dev site, wsurfer.com.
I used the link to the patch in your first post above, but after installing, it didn't work any better than the first patch.

Lee
Posted: Fri Sep 29, 2006 9:34 pm
Joined: Sat Jan 19, 2002 8:00 pm Posts: 10690 Location: Woodstock, GA
I think you may have downloaded while I was uploading. Can you verify that Cookie.pm has a 9xx EDT time? If not, then download it once more, as we are using this on the HW site and cookies are now working 100% in HW3perl.
_________________ Lee Huffman HAMweather, LLC
http://www.hamweather.com

wham
Posted: Fri Sep 29, 2006 9:47 pm
Joined: Mon Feb 07, 2005 6:28 pm Posts: 342 Location: Chugiak, Alaska
The modification time on the Cookies.pm is 9:11 pm and the Common.pm is 12:11 pm.
Downloaded again a few minutes ago and installed it again at wsurfer.com, but it's still not working.

andypoms
Posted: Fri Sep 29, 2006 10:47 pm
Joined: Thu May 30, 2002 8:00 pm Posts: 56
I just installed the ASP patch on my Dev Site & all I'm getting is a 500 Error on my weather pages & HWImage isn't working either...
Dev Server: http://stn2.andypoms.dyndns.tv/

Copyright © 1997-2008 HAMweather, LLC, all rights reserved.