Mibew Messenger Community

General => General Discussion => Topic started by: nls73m on June 26, 2012, 03:45:00 PM

Title: Security Vulnerabilities
Post by: nls73m on June 26, 2012, 03:45:00 PM

This is a great project. Unfortunately, it suffers from many security vulnerabilities that have not been fixed nor patched. How does anyone expect to use this software in production? I have not been able to find any patches to any of the security issues.  :'(

Title: Re: Security Vulnerabilities
Post by: sangahm on June 26, 2012, 04:31:58 PM

Can you list out the security vulnerabilities that you think need to be fixed?

Title: Re: Security Vulnerabilities
Post by: nls73m on June 26, 2012, 09:35:35 PM

http://mibew.org/forums/index.php?topic=3332.0
https://github.com/inspirer/mibew/issues/8
http://packetstormsecurity.org/files/109242/Mibew-Messenger-1.6.4-Cross-Site-Scripting.html
http://www.cvedetails.com/vulnerability-list/vendor_id-11824/year-2012/opxss-1/Mibew.html
http://www.net-security.org/vuln.php?id=16124
http://www.securityfocus.com/bid/51723/exploit
http://www.codseq.it/advisories/mibew_messenger_multiple_xss
http://secunia.com/advisories/47787
http://forums.cnet.com/7726-6132_102-5268163.html
http://xforce.iss.net/xforce/xfdb/72822
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0829

Title: Re: Security Vulnerabilities
Post by: TekNoWene on December 07, 2012, 11:30:38 PM

Looks like it is time for a newer version just to keep up with the security holes!

Title: Re: Security Vulnerabilities
Post by: docboxer on March 23, 2013, 06:47:45 PM

I used this script on a hosting site and didn't know about the security issues. My site was turned into a phishing site twice.  The last time was 2 days ago. I had to get my hosting provider to completely remove the site and domain name. Then set up a new account with a new domain name.

It is irresponsible of  you to keep this script going and not fix the security issues.

Title: Re: Security Vulnerabilities
Post by: shailo on June 23, 2013, 05:51:23 PM

All these  security vulnerabilities have been fixed in our websites, also fixed all browser compatibility issues.

Title: Re: Security Vulnerabilities
Post by: lionsgate on August 02, 2013, 12:42:56 AM

Cool, gonna update ours ASAP. This is why it is good to hear that the project back on the front burner.

Title: Re: Security Vulnerabilities
Post by: ancym on August 13, 2013, 07:09:51 PM

Quote from: shailo on June 23, 2013, 05:51:23 PM

All these  security vulnerabilities have been fixed in our websites, also fixed all browser compatibility issues.

Would you mind explaining a bit further - is the new version, 1.6.5, secure? 

Thanks!

Title: Re: Security Vulnerabilities
Post by: ChrisS on August 13, 2013, 08:39:58 PM

Mibew version 1.6.5 was released fixing many known issues regarding version 1.6.4 including those security vulnerabilities stated above in this thread.

In the near future Version 2 will implement extra security features that have not yet been implemented in previous versions.

So, Yes, Mibew 1.6.5 is secure enough to be used live & version 2 will be even better.

Regards

Title: Re: Security Vulnerabilities
Post by: ancym on August 13, 2013, 10:18:28 PM

Great news, thanks.  Looking forward to learning my way around mibew, and esp.  to new version...