Multiple SQL injection vulnerabilities in Simple Machines Forum (SMF) before 1.1.15 and 2.x before 2.0.1 allow remote attackers to execute arbitrary SQL commands via vectors involving a (1) HTML entity or (2) display name. NOTE: some of these details are obtained from third party information.
The email that AVAST sent out contained a weird statement that I can only assume was meant to make users feel safe in the future:
We added our own login technology with SSL encryption. With this encryption, passwords will not be saved in our forum database. This means this information cannot be compromised.
SSL has nothing to do with where or how the passwords are saved. I can only assume that they mean the passwords are hashed and at best stored in a different database. However, none of this means that they cannot be compromised in an attack.
A few days ago we informed you that the AVAST forum was attacked and because of that, we took the forum offline to improve its structure and security. It is now back up and more secure.
We decided to rebuild the forum on the same software platform we used before, but we enhanced the security on our side. We added our own login technology with SSL encryption. With this encryption, passwords will not be saved in our forum database. This means this information cannot be compromised.
The forum is an extremely important part of our business. Our members not only solve problems identified by other members, but give us valuable insight that helps us improve our business and our products. We are extremely grateful for your participation, and we hope that you will rejoin the forum and continue providing your unique insight.
If your MyAvast password is the same as your old forum password, please reset your password and create a new one.
Again, we regret any inconvenience this may have caused you and thank you for your contributions.
All the best,
COO AVAST Software