
All times are UTC

 Post subject: Announcing CMSMS 2.2.6 - Come by Chance
PostPosted: Sat Feb 17, 2018 4:14 pm 
Dev Team Member

Joined: Tue Oct 19, 2004 6:44 pm
Posts: 7927
Location: Fernie British Columbia, Canada
Hello Everybody.

Today we are announcing the release of CMS Made Simple 2.2.6, "Come By Chance".

This is a minor release that addresses a few small security issues in the admin console. The primary issue addressed was ensuring that admin actions were not susceptible to CSRF attacks. Also, we removed a few 'magic' URL parameters that could be used to implement XSS attacks via parameters on URLs for admin requests.

Secondly, a few warnings and notices were corrected, and we modified the SetMessage() and SetError() methods of the module API that handle flash messages across requests. These methods were changed to use session variables instead of request parameters.

This release may break the flash messages on success or error displayed in the admin console by some third party modules still using the older way of generating these messages. The replacement is to use the SetMessage() and SetError() methods of the module class before redirecting. So far we have only detected a few modules that are affected.

At this time we would like to remind the user community of our stance about low-priority security vulnerabilities in the admin panel: It is in the nature of CMSMS that most administrators can edit HTML and JavaScript for the front-facing web application. This gives most administrators the ability to attack the customers and visitors to the application. We consider it a low-priority issue if an authorized administrator can attack the other administrators. Almost every other bug or feature request is more important.

Though we will endeavor to resolve known issues of this type in the course of our regular development cycles, particularly when we are replacing or adding functionality in that area, we will not normally take extra effort to respond to reports, or release interim releases resolving issues of this nature that are reported to us.

As usual, the volunteer Dev Team members are only asked to answer questions regarding the last two releases of CMSMS. At this time these are version 2.2.5 and 2.2.6. We encourage you to upgrade your websites as soon as possible.

Many thanks to the community members for helping us spot and fix these issues, and to the Dev Team who have again put in many hours testing, documenting and fixing issues.

Thank you, and have fun with CMSMS.

Follow me on twitter
Please post system information from "Extensions >> System Information" (there is a bbcode option) on all posts asking for assistance.
If you can't be bothered to explain your problem well, you shouldn't expect much in the way of assistance.
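The two fixes the announcement describes, modelled as an added example (Python, not CMSMS's own PHP code): a flash message reflected from a URL parameter beside the session-based replacement, and a constant-time form-token check for state-changing admin actions. Function names, the session layout and the redirect target are assumptions made for this illustration.

```python
import hmac
import html
import secrets
from urllib.parse import parse_qs

# Old pattern (modelled here, not CMSMS code): the admin page reads the flash
# text from a 'message' URL parameter and prints it verbatim, so whoever can
# get an admin to follow a link controls what the admin page renders.
def flash_from_request(query_string: str) -> str:
    msg = parse_qs(query_string).get("message", [""])[0]
    return f'<div class="message">{msg}</div>' if msg else ""

# New pattern: the message lives in the server-side session between the action
# request and the redirect target, and is HTML-escaped when rendered.
def set_message(session: dict, text: str) -> None:
    session.setdefault("flash", []).append(("message", text))

def set_error(session: dict, text: str) -> None:
    session.setdefault("flash", []).append(("error", text))

def render_flash(session: dict) -> str:
    """Consume the queued messages once; the query string is never consulted."""
    return "".join(
        f'<div class="{kind}">{html.escape(text)}</div>'
        for kind, text in session.pop("flash", [])
    )

# CSRF protection for admin actions: a per-session random token is embedded in
# each form and compared in constant time when the form is submitted.
def csrf_token(session: dict) -> str:
    return session.setdefault("csrf_token", secrets.token_hex(32))

def handle_admin_action(session: dict, form: dict) -> str:
    """Process a POSTed admin form and return the redirect target (assumed path)."""
    expected = session.get("csrf_token", "")
    if not hmac.compare_digest(expected, form.get("csrf_token", "")):
        set_error(session, "Invalid or missing form token; action ignored")
        return "/admin/index.php"
    # ... the real state change would happen here ...
    set_message(session, f"Saved item: {form.get('name', '')}")
    return "/admin/index.php"
```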
