 
 
 

iWiccle 1.01 Security Patch


We've just received a report of iWiccle 1.01 suffering from a minor/medium security vulnerability, which is only exploitable in certain environments. This patch should be applied immediately.


Certain environments: Part 1: the directory traversal is exploitable only if magic_quotes is off (historically on by default in PHP, but deprecated in 5.3 and removed in 5.4, so it should not be relied on as a defence), neither open_basedir nor safe_mode restricts reading files from above the site root, and another directory on the server holds sensitive information in readable form at a guessable location that is not a PHP file. Part 2: the query modification requires an untrusted person to hold your admin login; with it, certain database queries can be altered through invalid form input.
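As an added illustration (this is not iWiccle's code, and the function names, template directory, settings table and the pdo_sqlite extension are assumptions), here is the shape of the two fixes in PHP: a file fetch that refuses any path escaping the site root, which holds regardless of how magic_quotes, open_basedir or safe_mode are configured, and an admin update that binds form input instead of splicing it into the SQL string:

```php
<?php
// Added example, not iWiccle code: a hardened file fetch and a parameterised
// admin query, covering the two issue classes described above. Function
// names, the template directory and the settings table are assumptions.

declare(strict_types=1);

/**
 * Resolve $relative inside $baseDir and refuse anything that escapes it.
 * Returns the canonical absolute path, or null if the request is rejected.
 */
function resolve_inside(string $baseDir, string $relative): ?string
{
    // A NUL byte truncates the path in C-level filesystem calls; reject it outright.
    if (strpos($relative, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $relative);
    // realpath() collapses "../" segments and symlinks, so a prefix check on
    // the result is the traversal test. The trailing separator stops
    // /var/www/site2 from passing as "inside" /var/www/site.
    if ($candidate === false
        || !is_file($candidate)
        || strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $candidate;
}

/** The vulnerable pattern: the request-supplied name is used as-is. */
function fetch_template_unsafe(string $baseDir, string $name)
{
    return @file_get_contents($baseDir . '/' . $name); // "../secret.txt" walks out
}

/** The hardened form: only files that resolve inside $baseDir are read. */
function fetch_template_safe(string $baseDir, string $name): ?string
{
    $path = resolve_inside($baseDir, $name);
    return $path === null ? null : file_get_contents($path);
}

/**
 * Admin-side query: validate the key's shape, then bind both values so the
 * form input can never change the query's structure.
 */
function update_setting(PDO $db, string $key, string $value): int
{
    if (!preg_match('/^[a-z_]{1,64}$/', $key)) {
        throw new InvalidArgumentException('bad setting key');
    }
    $stmt = $db->prepare('UPDATE settings SET value = :value WHERE name = :key');
    $stmt->execute([':value' => $value, ':key' => $key]);
    return $stmt->rowCount();
}

// Demonstration against a constructed temp directory and an in-memory SQLite DB.
$tmp = sys_get_temp_dir() . '/iwiccle_demo_' . getmypid();
mkdir($tmp . '/templates', 0700, true);
file_put_contents($tmp . '/templates/page.html', "<h1>ok</h1>\n");
file_put_contents($tmp . '/secret.txt', "db password\n");

var_dump(fetch_template_unsafe($tmp . '/templates', '../secret.txt')); // leaks secret.txt
var_dump(fetch_template_safe($tmp . '/templates', '../secret.txt'));   // NULL
var_dump(fetch_template_safe($tmp . '/templates', 'page.html'));       // the template

$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE settings (name TEXT PRIMARY KEY, value TEXT)');
$db->exec("INSERT INTO settings VALUES ('site_title', 'Old'), ('admin_mail', 'a@example.invalid')");
// A value that would have rewritten every row had it been spliced into the SQL.
$hostile = "x' OR '1'='1";
echo update_setting($db, 'site_title', $hostile), " row(s) changed\n"; // 1, not 2

unlink($tmp . '/templates/page.html');
unlink($tmp . '/secret.txt');
rmdir($tmp . '/templates');
rmdir($tmp);
```

The prefix check after realpath() is the part that matters: stripping "../" from the input is easy to bypass with encodings, whereas comparing the canonical result against the canonical base is not. Likewise, binding the admin form value keeps the literal `' OR '1'='1` as data, so only the one intended row changes.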

 

Download the Patch


This has been fixed in the main download since last night, and there is now a patch (only two files to update) for fixing this:



Download: iwiccle_101_patch.zip - 12.7 KB



Please download and unzip, then copy the files to your server, replacing index.php, core/class_global.php, and two files in the /admin folder.


The second issue is only reachable when logged in as an administrator, so unless you plan on hacking your own iWiccle or handing out your admin password to strangers, it is not a serious concern. It is still worth patching, since an admin account can be phished or its password reused from elsewhere. This patch fixes both the directory traversal and the admin query modification.

 

General Notes


To prevent any vulnerabilities from opening up in the future, I've been going over the code with a fine-tooth comb, trying to cover every base from RTFM-level mistakes to more exotic attack techniques, and it seems this very issue was the last of the "common hacks", coming from an angle I didn't expect.


If you ever spot a security issue with iWiccle, please forward the information directly to our prioritized security e-mail:


 

iWiccle 1.10 for Monday


We have decided to ditch the scheduled iWiccle 1.02 update in favor of releasing a polished iWiccle 1.10 on Monday. 1.02 was intended as a general bug-fix and minor feature update. However, Keith and I believe you'd rather see a version that reflects everything we'd like iWiccle to be, for now.


Any time left over between completing 1.10 and refocusing on Wiccle 1.0 will go to documentation, tutorials, videos and so on: everything you need to know to get the most out of your iWiccle. Stay tuned and follow the forums!

 

 

 

 