CMSMS | CMS Made Simple

We’ve gathered up a security fix and a few bug fixes for a little maintenance release. I recommend you guys upgrade when you get the chance.

Enjoy!

Version 1.2.4 “Greenland” — March 29, 2008
—————–
- Fixed a potential security issue with the applet upload in File Mananger
- Fixed a bug where IE users would have content list issues if there were odd characters in a page name
- Fixed a bug where putting quotes in a “oneline” content block would cause issues while editing

Bookmark to:

Happy New Year! It’s time to patch a security flaw. Please upgrade as soon as possible to fix this injection problem.

Thanks!

Version 1.2.3 "Black Rock" -- January 2, 2008
-----------------
- Fixed a SQL injection

Bookmark to:

This is just a maintenance release to fix a couple of problems that we’re annoying people at random. If you’re not having any problems, you might not even need to upgrade. Though, it never hurts, especially if you use the diff version.

Enjoy!

Version 1.2.2 "Holetown" -- November 30, 2007
-----------------
- Fix a bug in the cms_date_time plugin that was causing random
  issues with User Defined Tags
- Fix a minor issue with the handling of the site down message

Bookmark to:

It’s that time again. This is a maintenance release with no security fixes, so use your judgement for upgrading (just backup, please!).

Thanks go out to RonnyK, hExDj, reneh, and fransman for testing this one!

Version 1.2.1 "Bridgetown"
-----------------

- New versions of News, Search, Tiny, and FileManager modules
  - see the documentation for each module to learn what has changed
  - some of these modules may have been released seperately at an earlier date
- Fixes the issue with pages being set inactive on edit if not edited by somebody
  with the 'Modify Site Structure' permission
- Adds the cms_move_uploaded_file function that all modules should use from now
  on to assist in handling file uploads.
- Adds the ability to set a 'home page' in the user prefences to determine
  a page to redirect to upon login.
- Adds a 'Home' menu item under 'Main'
- Adds a site preference for date format
- Adds the cms_date_format modifier that reads the site preference
  as well as the user preference for date format (when in the admin section)

Bookmark to:

The ChangeLog looks a little something like this:

Version 1.1.4.1 "Taga" -- October 07 2007
-----------------
- Fix one issue in adodb_lite that cropped up after release
 
Version 1.1.4 "Taga" -- October 07 2007
-----------------
- Fixes an XSS issue in the anchor tag
- Fixes an XSS issue in listtags
- Adds a permission check to adduser.php
- More fixes for potential security issues with adodb_lite
- Added a permission check to view the admin log

Sorry for everyone that got 1.1.4. Sometimes we jump the gun a little bit when there is pressure to get a security release out into everyone’s hands. It’s best that it was on a Sunday (and a holiday in some areas of the world), so hopefully not too many people were affected. If you were, I apologize.

Thanks!
Ted

Bookmark to:

So, 1.1.3 had a small problem with stylesheets which is now fixed in 1.1.3.1.

We recommend that all users upgrade their sites as soon as possible. The files (including diffs) can be found on the download page here or on the forge.

Bookmark to:

It’s been a while since 1.1 came out, and we have taken the time to fix as many of the issues that came up as we could. This release should solve many of the problems people encountered with the 1.1 release, namely:
- The News module permission
- News module pagination issues
- Various issues with TinyMCE
- Some over zealous input parameter cleaning
- Fixes to the umask test and global umask settings
- Fixes for postgres installs
- Rationalization to the order of the submit/apply/cancel buttons
- Lots of other little stuff.

The files are available from the download page, along with diff releases to allow you to upgrade your 1.1 site easily.

Bookmark to:

Reposted from: http://forum.cmsmadesimple.org/index.php/topic,13494.0.html by calguy

We apologize for the (very severely) slipped release of 1.1, but summer, work, and our private lives have severely impacted our ability to work on CMS Made Simple and to get this release out.

This is hopefully the last release before the 2.0 series of CMS Made Simple comes out.

Many thanks go out to many people (Ted, ThomasM, SilMalarrion, Reneh, tsw, _SjG_, and others) for their help in making this a reliable release (hopefully) and in doing all of the work to get it done.

This release attacks some major points
- Efficiency
- TinyMCE is now the Default Editor for new installs
- Security
- Numerous changes to attempt to reduce the chance of xss attacks and SQL injections
- Upgrades
- New versions of Smarty and adodb_lite
- ** scriptaculous was not upgraded **
- Enhancements
- Apply/Submit/Cancel buttons are now the standard for internal pages
- A seperate syntax hilighter module can now be used for templates, stylesheets, and UDT’s.
- Ajaxy code for the apply button when editing css, templates, etc. so that the scrollbar doesn’t move (this is a big plus).
- News now supports multiple database templates and pagination

There have been many many additional under-the-scene improvements, most of them minor, but some significant. Wwe recommend that you upgrade your CMS installations to 1.1 at your earliest convenience.

I think you will find this release to be ‘a breath of fresh air’. Not like CMS Made Simple isn’t a breath of fresh air already, but, according to our standards….

Bookmark to:

Just wanted to make a quick comment about the number of releases in the last couple of weeks. We’ve basically had 2 major security releases in a matter of a week, and I’m sure that raises a red flag with some of the more established users.

I just want to emphasize something… this is a good thing. Sure it takes you several minutes to update your sites to the latest version and there isn’t an automated way of doing that yet. But as we gain users and gain popularity (very, very quickly I might add), more and more people are banging on the system and deconstructing it… finding these great obscure bugs that some hacker might’ve found first. And I make sure that we as a group jump on them as soon as I can. Instead of just sitting on them and waiting for a bunch to come in and bundle them up like Microsoft does, the group does all they can to get a new release out and get the word out quickly. This has become a philosphy for us and luckily all of the devs support it.

Annoying? Sure. Responsible? Definitely.

We’re trying out best to make a great, safe product with the little team that could. And sometimes this is the best we can do.

Thanks for you patience! Someday this gig will be fulltime for us and we can put a lot more time into making this the great app it should be.

Bookmark to:

Sorry to have to report this, but a new security issue was brought to our attention today. Ted had it fixed in just a few minutes, and released version 1.0.8.

This vulnerability could result in unauthorized access to your CMS, so we strongly recommend that you update any CMS Made Simple installations you have on the open internet.

Thanks to [dren] and Rift for bringing the problem to our attention.

Bookmark to: