Warning
Unfortunately we have discovered that our software has been abused by a
hacker. We urge all our users to apply the patch provided below to all your
TM3s immediately.
What kind of damage can the hacker do to my TM3 and server?
The amount of damage depends on your system setup.
It is possible for the hacker to execute system commands as the user which runs the web server
(e.g. 'apache'). If your server doesnt have additional security measures like a
firewall (to prevent rootkit-ing), chrooted environment and if software with
security issues is installed as root, additional damage can be done.
Who needs protection?
Your TM3 is vulnerable to this attack if you have a version prior to
TM3-061011. You can check which version you have in Setup menu (on the
bottom).
How can I protect myself?
You need at least some basic SSH knowledge to apply the patch. In case you
you don't understand the installation steps below, contact your server
administrator and ask him to apply the patch for you.
- Connect to your server with SSH protocol (using e.g.
PuTTY)
- Select a patch appropriate for you operating system and download it
using a command like wget or fetch:
bash$ wget http://www.tgpsoftware.com/patches/patch3-linux <press enter>
If successful, 'patch3-linux' was saved into the current directory
- Prepare the patch for running:
bash$ chmod 755 patch3-linux <press enter>
bash$
- Run the patch with the path to your /cgi-bin/tm3/tttoplist as the paramater:
bash$ ./patch3-linux /home/httpd/mysite.com/cgi-bin/tm3/tttoplist <press enter>
If the patch was applied successfully, the output should look like this:
source:/home/httpd/mysite.com/cgi-bin/tm3/tttoplist
destination:/home/httpd/mysite.com/tt/bin/tttoplist
Your TM3 has been successfully patched!
bash$
- You have successfully patched your TM3. Repeat the last step for all
the sites on the server. Please keep in mind that if you have other TM3s
installed with different unix usernames, you need to log in with the respective
username (using PuTTY).
What do I do if something goes wrong during the patching procedure?
If you patch your TM3 and discover a problem later on (for example internal server
error on http://yoursite.com/cgi-bin/tm3/tttoplist), you can easily remove
the patch by typing:
bash$ ./patch3-linux --uninstall /home/httpd/mysite.com/cgi-bin/tm3/tttoplist <press enter>
If the patch was removed successfully, the output should look like this:
TM3 patch has been successfully removed.
Such such a case occur, please notify us immediately and we will try to
discover the problem and help you to apply the patch successfully.
Credits
We would like to thank Conrad and isprime.com for assistance and logs
regarding this issue.