One of the open issues we're working on is the potential (medium threat) XSS opportunity in the admin interface of CMS.

We had an online development team meeting yesterday where we discussed this vulnerability, and the proper solution, and how/who will implement it.

Unfortunately, the implementation involves modifications to each and every form and link in the admin section.  This will take a bit of time to finish... though there are four or five of us working on it so it shouldn't be too long.  I'll crack the whip and get them going

Beta testing will be critical on this release, as we have had to modify just about everything in the admin to fix this problem.  The more beta testers we can arrange the better.

As well, though most modules should work just fine without modification, some badly behaved or badly implemented modules may not be compatible with CMS version 1.5... I don't know which modules (if any) these are.  and no, we will not support them or fix them just because they may now be broken.  It will be up to the module developer(s) to fix these problems and release a new version.

Just thought I'd keep you informed.

_________________
Follow me on twitter
--
if you can't bother explaining your problem well, you shouldn't expect much in the way of assistance.
----------------
Don't make me angry..... you won't like me when I'm angry....

Fixing of the XSS : VERY good news. Thx. It is worth the delay.

About the break of "badly behaved or badly implemented" modules : I like it, it is natural selection in evolution Modules are either (maintained and 1.5 compatible) OR (unmaintained and shouldn't be deployed).

Pierre M.

_________________
-- Pierre, support team member. comodérateur du forum francophone.
Please read "how to submit installation/support requests" before posting. Don't send private messages to ask for support.
Want to contribute to CMSms ? Improve the wiki with your forum account.

I agree with you, Pierre. It's a great way to weed out the "old stuff".

Nullig

_________________
Come play in the Sandbox at my CMS Made Simple demo site: http://www.cmsmsdemo.com.

Thanks, that one is very welcome. I really expected to wait for 2.0 to see this implemented.

Now, if only the Edit Content preview could display all content blocks...  ;)

Yep Pierre, great way to filter out 'unwanted' material. This increases the level of confidence of the modules that will remain.

I didn't know what XSS stood for, while researching I found the following:
http://www.cgisecurity.com/articles/xss-faq.shtml.
From this overview I learned that modules that use cookies are furnerable. For those reading this and have it installed, the module Cart Made Simple is one of them.
Just a warning from my side to be careful with using it (more serious: I am not to be blamed if something happens -> see the helptext of the module).

Once there is a 'common'/'standard' thought on how this is to be handled the cookie using modules are to be upgraded.

Duketown

_________________
Want to know more about CMSMS look at my site: http://www.duketown.eu

@Duketown : about the XSS vulnerability the DevTeam is working on, see http://forum.cmsmadesimple.org/index.ph ... 827.0.html. May be another one, but I hope this information can help you maintain your modules.

Pierre

_________________
-- Pierre, support team member. comodérateur du forum francophone.
Please read "how to submit installation/support requests" before posting. Don't send private messages to ask for support.
Want to contribute to CMSms ? Improve the wiki with your forum account.

Stay tuned!!!

CMS Made Simple 1.5 will probably come out tomorrow (November 3)... barring alpha testers finding something new.

_________________
Follow me on twitter
--
if you can't bother explaining your problem well, you shouldn't expect much in the way of assistance.
----------------
Don't make me angry..... you won't like me when I'm angry....

And by "come out", he means a beta.

Just clarifying. 

_________________
http://about.me/tedkulp