
CMS Made Simple 1.0.6 Released!
April 24th, 2007 by Ted Kulp

It’s been brought to our attention that there is a potential SQL injection bug in stylesheet.php. We were due to release 1.0.6 anyway, but this just made us rush out a release as soon as we were notified.
My suggestion is to update AS SOON AS POSSIBLE. If for some reason you can’t, then at the very least replace your stylesheet.php with this file: http://svn.cmsmadesimple.org/svn/cmsmadesimple/tags/version-1.0.6/stylesheet.php.
This flaw has been in the code for a while, so if anyone has a legacy version and wants to know whether they need a patch and how to apply it, let us know in IRC or by email.
Here is the ChangeLog:
- Fixes a potential SQL injection hole in stylesheet.php
- A new installer that uses Smarty templates and classes. It doesn't look much better at the moment, but it has a lot more power and is a lot cleaner for the future.
- Show the footer on the tags About and Help pages
- Fixes to the expression that caused session_start to not always be called.
- Fixes for errors in get_template_vars with newer PHP versions
- (important) Fixes a problem where the wrong module could be unloaded from memory if module files had been deleted manually, without explicitly uninstalling the module first.
- Fixes to the safe mode tests
- Fixes for open_basedir issues in ImageManager
- Repeated quick reloads should no longer violate the 'cachable' page property.
- Add a download link for the admin log
- Fixes for the umask test in global settings
Thanks! Sorry for the alarm, but we want to get this resolved as soon as possible.
April 25th, 2007 at 12:12 pm
Upgrade worked fine as usual!! Kind of makes for a boring upgrade really: nothing exciting happened, nothing broke, everything works, and it took all of three minutes too!
April 25th, 2007 at 12:18 pm
Sorry to disappoint. We’ll try harder to mix it up for you next time.
April 26th, 2007 at 2:05 am
“…- A new installer that uses smarty templates and classes….”
There does not appear to be an install folder in the 1.0.5 - 1.0.6 diff package? Is this correct?
Russ
April 26th, 2007 at 3:26 am
I was going to miss this! Have you removed the RSS feed on news??
April 26th, 2007 at 3:58 am
@Russ
Correct. There are no database changes, so the diff package just has the changed files. Just upload to your server over the 1.0.5 files and you’re good to go.
@saltydog
Get the new RSS location. I’m kind of surprised that you had a really old one, as I switched to FeedBurner a LONG time ago and then just switched the feed that FeedBurner was looking at to the WordPress feed.
April 26th, 2007 at 8:46 am
Ted, thanks for the information on the ‘install folder’, but sad to see modform.inc.php still has the name attribute as it will not validate as XHTML 1.0 Strict.
This was a page with the standard Search form on using 1.0.6.
From the validator:
“You have used the attribute named above in your document, but the document type you are using does not support that attribute for this element. This error is often caused by incorrect use of the “Strict” document type with a document that uses frames (e.g. you must use the “Transitional” document type to get the “target” attribute), or by using vendor proprietary extensions such as “marginheight” (this is usually fixed by using CSS to achieve the desired effect instead)…”
I know that removing it may cause problems with other modules; last time I looked, for example, the Album module had problems when editing. But surely there must be a solution?
Russ
June 5th, 2007 at 3:04 pm
Can I upload this on my 1.0.4 version? Won’t it damage my current version structure, etc.? And please, correct me: I should run upgrade.php from install dir? thank you.
June 5th, 2007 at 4:50 pm
@Gintaras: Yes, and yes.
June 7th, 2007 at 12:39 am
To Gintaras: I have several sites on CMS Made Simple with different versions.
I just uploaded stylesheet.php, but it refers to:
lib/misc.functions.php and
lib/adodb.functions.php,
so I uploaded those files too. All works fine.
Cheers!
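The announcement suggests dropping the 1.0.6 stylesheet.php onto an older install as a stopgap, and the comment above reports that the file only works once lib/misc.functions.php and lib/adodb.functions.php are updated as well. The script below is an added example, not CMS Made Simple project code: given a reference tree (for instance an export of the version-1.0.6 tag) and a site docroot, it reports which of those three files are missing or differ on the live site. The three-file list is taken from this thread, not from a project manifest, and the demo trees it builds in a temp directory are constructed stand-ins, not real release files.

```shell
#!/bin/sh
# Added example (not CMS Made Simple's own code). Checks that a site which had
# stylesheet.php hot-patched also carries the lib/ files the patched file
# depends on, by comparing each against a reference copy of the 1.0.6 tree.
# HOTFIX_FILES is an assumption drawn from the thread above, not a manifest.

HOTFIX_FILES="stylesheet.php lib/misc.functions.php lib/adodb.functions.php"

# check_hotfix REF SITE
# Prints one status line per file and returns 0 only when every listed file
# exists under SITE and is byte-identical to its copy under REF.
check_hotfix() {
    ref="$1"; site="$2"; bad=0
    for f in $HOTFIX_FILES; do
        if [ ! -f "$site/$f" ]; then
            echo "MISSING  $f"; bad=1; continue
        fi
        if cmp -s "$ref/$f" "$site/$f"; then
            echo "OK       $f"
        else
            echo "DIFFERS  $f"; bad=1
        fi
    done
    return $bad
}

# make_demo
# Builds constructed stand-in trees: "ref" mimics a 1.0.6 export, "site" mimics
# a 1.0.5 docroot where only stylesheet.php was replaced. Prints the temp dir.
make_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/ref/lib" "$d/site/lib"
    for f in $HOTFIX_FILES; do
        echo "<?php // constructed 1.0.6 stand-in for $f" > "$d/ref/$f"
    done
    # The hotfix file was uploaded and matches the reference.
    cp "$d/ref/stylesheet.php" "$d/site/stylesheet.php"
    # misc.functions.php is still the old version; adodb.functions.php is absent.
    echo "<?php // constructed 1.0.5 stand-in for lib/misc.functions.php" \
        > "$d/site/lib/misc.functions.php"
    echo "$d"
}

DEMO=$(make_demo)
check_hotfix "$DEMO/ref" "$DEMO/site" || echo "site is not fully at 1.0.6"
```

On a real site, point the first argument at an `svn export` of the version-1.0.6 tag and the second at the docroot; any MISSING or DIFFERS line means the stopgap is incomplete and the full 1.0.6 upgrade (or at least those files) is still needed.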
June 16th, 2007 at 3:11 pm
[…] For additional information, please read the release announcement. […]