Archive for the 'Releases' Category

CMS Made Simple 1.0.8 Released!

Monday, June 18th, 2007

Sorry to have to report this, but a new security issue was brought to our attention today. Ted had it fixed in just a few minutes, and released version 1.0.8.

This vulnerability could result in unauthorized access to your CMS, so we strongly recommend that you update any CMS Made Simple installations you have on the open internet.

Thanks to [dren] and Rift for bringing the problem to our attention.

CMS Made Simple 1.1rc2 Released!

Tuesday, May 22nd, 2007

UPDATE: rc2 was released because of stupidity on my part. Menu Manager and Search would not install properly with rc1, and that was fixed. Thanks!!!

Hey all,

New release candidate is up. The plan is to have this up for roughly a week. If no major bugs are found, then we’ll release it as a full version. If any minor bugs come in, we’ll fix them and continue with the schedule. We’re not planning another rc unless multiple major bugs show up, which we’re hoping doesn’t happen.

Please test away and report any bugs in the tracker or IRC channel.

The changelog follows below…

Thanks!
Ted

- Numerous changes to attempt to minimize the potential for XSS attacks
- Clean up SQL statements to protect against SQL injection attacks
- Add the page alias to the link content type
- Add Apply/Submit/Cancel buttons to the top of the edittemplate form
- Upgrade to Smarty 2.6.18
- Upgrade to adodb_lite 1.42
- Add an apply button to UDT edit page
- Check usernames for invalid characters when creating/editing users
- Add sitename to admin title and header text
- Rationalization and fixes to the {menu} and {search} tags
- Adds the ability to have a separate syntax highlighter module for
  templates, stylesheets, and UDTs
- Adds a date_format_string preference in the user preferences
- Modify the admin log to use the date format string user preference
- Show the last modified date in templates, stylesheets and content,
  and use the date format string preference.
- Hide the encoding dropdown from the template page, if it is not already set
- Changes to the module api to prevent XSS vulnerabilities
  - Call cms_htmlentities on each parameter in the form api that can be
    output to html verbatim
  - Add functionality for cleaning input parameters before they are
    given to the module api. Also allows for optionally dropping parameters
    that are unknown to the module.
  - Add methods SetParameterType and RestrictUnknownParams to the module
    api so that modules can inform the core as to which parameters to expect
    on input, and how to clean them.
- Adds a RegisterModulePlugin method to the module api so that we can
  use {modulename param=value…} instead of
  {cms_module module='modulename' param=value …}
- Use root url for default content in links, fixes double url issues.
- Adds ajaxy code to the apply button when editing css, templates or
  stylesheets so that the text area scroll bar doesn’t move.
- Add sender IP to the contact_form message
- Add a site preference to disable the safe_mode warning in the admin
- Add a site preference to restrict warnings about unknown parameters
- Now check for ‘Modify Any Page’ permission or ‘Modify Page Structure’
  to allow people to activate or deactivate content.
- Fixes to the installer
- Upgrade Scriptaculous to 1.7.0
- Add some help on how to use CGB’s
- News enhancements
  - Frontend Pagination for summary articles
  - Admin article pagination, sorting, and filtering
  - Use the date_format_string preference in the admin
  - Display more information in the article list

CMS Made Simple 1.0.6 Released!

Tuesday, April 24th, 2007

It’s been brought to our attention that there is a potential SQL injection bug in stylesheet.php. We were due to release 1.0.6 anyway, but this just made us rush out a release as soon as we were notified.

My suggestion is to update AS SOON AS POSSIBLE. If for some reason you can’t then at the very least, replace your stylesheet.php with this file: http://svn.cmsmadesimple.org/svn/cmsmadesimple/tags/version-1.0.6/stylesheet.php.

This flaw has been in the code for a while, so if anyone has a legacy version and wants to know if they need a patch and how to do it, let us know in IRC or email.

Here is the ChangeLog:

- Fixes a potential SQL injection hole in stylesheet.php
- A new installer that uses smarty templates and classes.
  It doesn't look much better atm, but does have a lot more power and
  is a lot cleaner for the future.
- Show the footer on tags about and help pages
- Fixes to the expression that caused session_start to not always be
  called.
- Fixes for errors in get_template_vars with newer php versions
- (important) Fixes a problem where the wrong module could be unloaded
  from memory if module files had been deleted manually, without explicitly
  uninstalling the module first.
- Fixes to the safe mode tests
- Fixes for open_basedir issues in ImageManager
- Repeated quick reloads should no longer violate the 'cachable' page property.
- Add a download link for the admin log
- Fixes for the umask test in global settings

Thanks! Sorry for the alarm, but we want to get this resolved as soon as possible.

CMS Made Simple 1.0.5 Released!

Tuesday, March 27th, 2007

We’ve released 1.0.5. It’s basically a security release for FCKeditorX with a few bugfixes. I would suggest upgrading when you get a chance.

Here is the changelog…

Version 1.0.5 "Molokai" -- Mar 26 2007
-----------------
- Fixes to Global Settings
- Fixes to Delete Stylesheet Association
- Spaces are no longer allowed in UDT names
- $gCms is now given to smarty by default
- Added ability to test the file creation mask in Global settings
- Added page alias on mouseover when in listcontent.
- Added safe_mode check into the admin section
- Modified listmodules to display a message when safe mode is enabled
  and installing files via XML could be a problem.
- Appropriate modifications to ModuleManager and ThemeManager for
  safe mode.

CMS Made Simple 1.0.4 Released!

Tuesday, January 23rd, 2007

Just a quick bugfix release. The reason it was pushed out quickly was because of issues installing on Windows machines, which had to be handled immediately. It also fixes two different problems with breadcrumbs that people were reporting. We’ve thrown in a couple of extra bugfixes as well.

The ChangeLog looks like:

Version 1.0.4 "Lanai" -- Jan 23 2007
-----------------

- Fixed issue with number of queries not showing up properly at the
  end of index.php
- Fixed issues with breadcrumbs, including nodes not showing up and
  duplicate nodes showing
- Fixed the warning that showed up in the 25 to 26 upgrade script
  if you didn't have any events
- Fixed bug with installer where it doesn't write windows paths
  correctly
- Fixed issue with Search where it would mess with the letter case
  when showing the highlighted text

Thanks!

CMS Made Simple 1.0.3 Released!

Thursday, January 18th, 2007

Yes, it’s incredibly overdue, but it’s finally released. This is basically just a bugfix and security release. It’s released both as the full download version and as a diff installation, containing only the changed files, that you can use to overwrite an existing 1.0.2 installation.

The security issues were not major by any means, but it’s still good to patch XSS issues. The ones we had were non-permanent and didn’t cause any damage to your site, but they still needed addressing.

The changelog goes as follows…

Version 1.0.3 "Kauai" -- Jan 18 2007
-----------------

- Fixed several non-permanent XSS vulnerabilities
- Fixed issue with breadcrumbs plugin displaying root node multiple
  times
- Fixed issue with multiple events being entered
- Removed global references to $db from the admin and include.php
- Added a "Modify Events" permission
- Added event for "Change Group Permissions"
- Added ability to select a file for the Link content type
- Added ability to specify default boilerplate page content
- Fixed print plugin output so that it's xhtml compliant
- Added text direction to languages for support of languages like
  Hebrew and Arabic
- Fixed issue where 2 installs on the same domain shared login
  sessions
- Fixed issue with contact form with pretty_urls turned on
- Fixed issue with LoadStylesheets() not loading the modified date
- Changed search schema layout.  Now allows for expiration dates on
  entries
- Changed the icon for global content so that it doesn't look like
  the Gentoo logo
- Fixed issue with expanding content in the content list when user
  didn't have the Add Page permission
- Added captcha module support to the contact_form plugin (you still
  need to manually install the Captcha module for this to work)
- Added messages when admin log is cleared
- Much much more

Enjoy!