Details here.
These are 4 simple text edits you can do in Notepad.
I would also recommend that everyone using the software periodically download their database to secure their data. All of the popular blog software has been hacked or spam-exploited, so I guess it's a testament to the popularity of the software.
Here are the exploit details, but I don't really understand how an "advisory site" with only one exploit listed could've heard about this only minutes after the hacks occurred. Hmmm... it looks like they're the ones who did the hacking, but I'll reserve judgment until this simple coincidence is explained to me. Where did they get the info for this hack? Was it sent to them or did they write it?
Hopefully all of the people using bp blog can get a backup of their database from yesterday from the server admin of their host. It's always good to have some sort of backup, even if that's just downloading your database every couple of days.