Announcing CMS Made Simple 1.6.7 – Teremba Bay

Posted: Wed Feb 24, 2010 1:12 pm
by Ted
(Forgot the forum post -- sorry)

This is a security release, with the bonus of having some feature and bug fixes as well. It’s recommended that you upgrade as soon as possible, since this flaw has been published and could possibly be being exploited as we speak.

Thanks to Beenu Arora and 0x6a616d6573 for testing and pointing out the flaws.

Below is the full list of changes. Enjoy!

Version 1.6.7 – Teremba Bay
—————————–
- #3999 Upload a file with apostrophe make problem
- #4137 small text typo in admin/login.php
- #4192 Extra Page Attribute’s are listed in the wrong order
- #4208 Don’t show inactive template in the page 404
- #4431 UDT names not validated when being edited
- Improvements to XML module generation
- Fixes to prevent possible remote file inclusion vulnerabilities
- Minor improvements to the News module
- New version of TinyMCE
- Improvements to File Manager and Image Manager
- Improvements to Module Manager; upgrade now possible from the “Available Upgrades”-tab
- Adsense-plugin modified, to accept the ad_slot parameter

Re: Announcing CMS Made Simple 1.6.7 – Teremba Bay

Posted: Wed Feb 24, 2010 1:15 pm
by Ted
I'm aware of the 4 extra files in cmsmadesimple-base-diff-1.6.6-1.6.7.tar.gz.  I'll cut another release of it today.  There is a bug in the diff script and those files showed up somehow from TinyMCE.  I'll make sure they're not there when I redo it.

Re: Announcing CMS Made Simple 1.6.7 – Teremba Bay

Posted: Wed Feb 24, 2010 2:36 pm
by monghidi
Great news, and cheers to you and ALL the developers who devote so much time & energy!

Quick question: I have some time to do upgrades this morning....do the four extra files break the upgrade to 1.6.7, or are they just harmless orphans?

Thanks again!

Re: Announcing CMS Made Simple 1.6.7 – Teremba Bay

Posted: Wed Feb 24, 2010 2:45 pm
by Ziggywigged
I've upgraded a few sites and noticed that nothing loads under the 'Profiles' tab from TinyMCE.
Has this been intentionally removed?
(I tried a reset all settings)


BTW: Love the new Module Manager upgrade feature. Very helpful.
As always, great job guys!

Re: Announcing CMS Made Simple 1.6.7 – Teremba Bay

Posted: Wed Feb 24, 2010 6:41 pm
by baldguy
@ziggywigged - I noticed the same thing.

Posted separately (http://forum.cmsmadesimple.org/index.ph ... #msg197682) but the solution there was to upload the /Modules/TinyMCE/ folder from the full 1.6.7 package. 

That worked for me!

Re: Announcing CMS Made Simple 1.6.7 – Teremba Bay

Posted: Thu Feb 25, 2010 5:02 am
by rotezecke
Hi there
This is what I did (and I think this is what I used to do in the past):
cd siteroot
tar -xzf cmsmadesimple-full-diff-1.6.6-1.6.7.tar.gz

This is what I get (I downloaded 1.6.6 to 1.6.7 - full on 25.feb.2010 ~5am UTC):
tar: ./modules/TinyMCE/tinymce/jscripts/tiny_mce/plugins/safari: Cannot open: File exists
tar: Error exit delayed from previous errors

any idea/new update?
cheers
rotezecke

Re: Announcing CMS Made Simple 1.6.7 – Teremba Bay

Posted: Thu Feb 25, 2010 11:08 am
by Rolf
rotezecke wrote: Hi there
This is what I did (and I think this is what I used to do in the past):
cd siteroot
tar -xzf cmsmadesimple-full-diff-1.6.6-1.6.7.tar.gz

This is what I get (I downloaded 1.6.6 to 1.6.7 - full on 25.feb.2010 ~5am UTC):
tar: ./modules/TinyMCE/tinymce/jscripts/tiny_mce/plugins/safari: Cannot open: File exists
tar: Error exit delayed from previous errors

any idea/new update?
cheers
rotezecke

Hello rotezecke, welcome here!

I looked into this.
Upgrading and skipping the error message you mentioned isn't a problem, everything still works fine afterwards.
It looks like at this point the folder 'safari' must be deleted (overwritten) and it won't for some reason...
This folder isn't there in the 1.6.7 package
I deleted the safari folder in question at my testsite and everything is still working like it should be.  ::)

Perhaps Ted can confirm that this folder must be (can be) deleted, or that just leaving it there isn't a problem either...

Regards, Rolf  :)
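
The "Cannot open: File exists" stop that rotezecke hit, and Rolf's conclusion that the stale 'safari' folder has to go, can be checked for before extracting. The script below is an added example written for this thread, not part of CMS Made Simple or its packaging: it lists every entry in a diff tarball whose type clashes with what is already in the site root (a regular file in the archive where a directory exists on disk, or the reverse), and moves a blocking directory into a backup location instead of deleting it outright. The function names (preflight_conflicts, set_aside, build_demo) and the tiny site tree and archive it builds under mktemp are constructed sample data, not the real 1.6.7 package.

```shell
#!/bin/sh
# Added example for this thread (not CMS Made Simple's own tooling): check a
# diff tarball against a site root before extracting it, so that a path the
# archive ships as a regular file but which exists on disk as a directory (the
# "safari" case above, which makes tar stop with "Cannot open: File exists")
# is found up front and can be moved aside instead of blindly deleted.
set -eu

# preflight_conflicts ARCHIVE SITEROOT
# Prints one line per archive entry whose type clashes with what is on disk.
# tar -t lists directory entries with a trailing slash, which is all we need.
preflight_conflicts() {
    archive=$1
    siteroot=$2
    tar -tzf "$archive" | while IFS= read -r entry; do
        rel=${entry#./}                 # archive paths usually start with ./
        [ -n "$rel" ] || continue       # skip the bare "./" entry
        case "$entry" in
            */) target="$siteroot/${rel%/}"
                if [ -e "$target" ] && [ ! -d "$target" ]; then
                    printf 'dir-in-archive, file-on-disk: %s\n' "${rel%/}"
                fi ;;
            *)  target="$siteroot/$rel"
                if [ -d "$target" ]; then
                    printf 'file-in-archive, dir-on-disk: %s\n' "$rel"
                fi ;;
        esac
    done
}

# set_aside SITEROOT RELPATH BACKUPDIR
# Moves a blocking path out of the site root into BACKUPDIR, keeping its
# relative path, so it can be restored if the upgrade turns out to need it.
set_aside() {
    siteroot=$1
    rel=$2
    backup=$3
    mkdir -p "$backup/$(dirname "$rel")"
    mv "$siteroot/$rel" "$backup/$rel"
}

# build_demo: constructs a throwaway site root and diff archive (sample data,
# not the real 1.6.7 package) that reproduce the situation from the thread,
# then prints the conflict report before and after setting the directory aside.
build_demo() {
    work=$(mktemp -d)
    site="$work/siteroot"
    stage="$work/stage"
    mkdir -p "$site/modules/TinyMCE/plugins/safari" "$stage/modules/TinyMCE/plugins"
    echo "old plugin" > "$site/modules/TinyMCE/plugins/safari/editor_plugin.js"
    echo "old index" > "$site/index.php"
    echo "new index" > "$stage/index.php"
    echo "placeholder" > "$stage/modules/TinyMCE/plugins/safari"   # a file, not a dir
    ( cd "$stage" && tar -czf "$work/diff.tar.gz" . )
    preflight_conflicts "$work/diff.tar.gz" "$site"
    set_aside "$site" modules/TinyMCE/plugins/safari "$work/backup"
    remaining=$(preflight_conflicts "$work/diff.tar.gz" "$site" | wc -l | tr -d ' ')
    printf 'remaining conflicts after set-aside: %s\n' "$remaining"
    rm -rf "$work"
}

build_demo
```

Against a real site you would call `preflight_conflicts cmsmadesimple-full-diff-1.6.6-1.6.7.tar.gz /path/to/siteroot` first, set aside only the paths it reports, and run the tar extraction afterwards; the backup directory keeps the old folder in case a module still turns out to reference it.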

Re: Announcing CMS Made Simple 1.6.7 – Teremba Bay

Posted: Thu Feb 25, 2010 3:55 pm
by Deak
It would be really helpful if new releases, especially when security is an issue, were always announced via email. I don't visit this site every day, or even every week.

Also, I'd like to echo the comment made on the blog about not appreciating new features being bundled with a security patch -- it adds additional work and testing.

That said, thanks for your hard work!

Re: Announcing CMS Made Simple 1.6.7 – Teremba Bay

Posted: Thu Feb 25, 2010 4:03 pm
by Rolf
Deak wrote: It would be really helpful if new releases, especially when security is an issue, were always announced via email. I don't visit this site every day, or even every week.

Hello deak,

Somebody correct me if I'm wrong, but I think a mail was sent around with:
http://www.cmsmadesimple.org/support/mailing-lists/

And besides that, you can use the 'Notify' option in the Announcements board to keep you up to date on new topics here...

Regards, Rolf  :)

Re: Announcing CMS Made Simple 1.6.7 – Teremba Bay

Posted: Thu Feb 25, 2010 4:14 pm
by Ziggywigged
@Deak - I disagree, I like new features. The upgrade feature added to the Module Manager will help save time in the long run.

@Rolf - I'm subscribed but did not receive an email.

BTW, one could also subscribe to the blog's RSS feed or even Twitter (that's how I was notify'd).

Re: Announcing CMS Made Simple 1.6.7 – Teremba Bay

Posted: Thu Feb 25, 2010 4:24 pm
by Rolf
Ziggywigged wrote: @Rolf - I'm subscribed but did not receive an email.

Hmm, strange...  :-\
I checked my mailbox and I really got an announcement there...
See attached image

Re: Announcing CMS Made Simple 1.6.7 – Teremba Bay

Posted: Thu Feb 25, 2010 5:07 pm
by Deak
@Rolf - I have received previous update emails, but not the latest one. Strange! I've added my email address to the list again and didn't receive any "you're already subscribed" message (not even sure one would be generated). Having signed up again I also did not receive a double opt-in confirmation (tut-tut, CAN-SPAM and all that).

If the CMS Made Simple team would like a free account with a professional email marketing system, drop me a message. It's what I do for a living. No offence to Newsletter Made Simple, but it'll do your server and your email list more harm than good.

Re: Announcing CMS Made Simple 1.6.7 – Teremba Bay

Posted: Thu Feb 25, 2010 5:42 pm
by eirik
Hi,

I would also appreciate a stable release version, which would be easier to provide security support for. While cmsms is a nice little system, parts of the code are rather messy, and I have frequently seen things break on upgrades and minor reconfiguration -- quite possibly due to improperly written extensions.

Whatever the cause, reducing the number of changes tends to help reduce risk.

Is there any documentation of the bug anywhere, so that I can evaluate the current risk -- and possibly work out a smaller patch?

BTW, I did receive the email announcement, so at least that part works for me.

Re: Announcing CMS Made Simple 1.6.7 – Teremba Bay

Posted: Thu Feb 25, 2010 6:27 pm
by Nullig
@Ted

Any idea when the corrected diff file will be released?

Thanks,
Nullig

Re: Announcing CMS Made Simple 1.6.7 – Teremba Bay

Posted: Thu Feb 25, 2010 6:39 pm
by knuta
eirik wrote: I would also appreciate a stable release version, which would be easier to provide security support for. While cmsms is a nice little system, parts of the code are rather messy, and I have frequently seen things break on upgrades and minor reconfiguration -- quite possibly due to improperly written extensions.

Whatever the cause, reducing the number of changes tends to help reduce risk.

That's what I said, too. However, I said it in the comments on http://blog.cmsmadesimple.org/2010/02/23/announcing-cms-made-simple-1-6-7-teremba-bay/comment-page-1/#comment-4137. Why there are two separate comment threads in the blog and the forums beats me, but that is another story...
eirik wrote: Is there any documentation of the bug anywhere, so that I can evaluate the current risk -- and possibly work out a smaller patch?

The bug is documented at http://0x6a616d6573.blogspot.com/2010/02/cms-made-simple-166-file-inclusion.html. They forgot to link to it from the blog post, but the URL is mentioned in the source code.

I diffed the two releases manually and determined that the security fix seems to be in lib/classes/class.module.inc.php only (and there are no other changes to that file). All the remaining changes seem non-critical, so I simply replaced that file with the new version to be safe before deploying the rest of the new release. It has been running on a relatively busy site for about 34 hours, so at least it didn't break anything.

Good luck!

--
Knut Auvor Grythe
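
Knut's approach above (diff the two unpacked releases, find the one file carrying the security fix, deploy just that file first) can be scripted so the comparison is byte-exact and repeatable. The script below is an added example written for this thread, not tooling from CMS Made Simple or from Knut: changed_files walks two release trees and reports modified, added and removed files; apply_one copies a single file into a site while saving the current copy as .orig; build_demo runs both on two small constructed trees that stand in for the 1.6.6 and 1.6.7 unpacks (sample data, not the real releases; the file contents and the added and removed plugin files are invented for the demo).

```shell
#!/bin/sh
# Added example for the approach in the thread (not the project's own tooling):
# compare two unpacked release trees file by file to see which files actually
# changed, then copy only the file that carries the fix into a site, keeping a
# backup of the replaced copy.
set -eu

# changed_files OLDTREE NEWTREE
# Prints "M path" for modified, "A path" for added and "D path" for removed
# files. Byte comparison via cmp, so it is independent of diff's output format.
changed_files() {
    old=$1
    new=$2
    ( cd "$new" && find . -type f ) | sed 's|^\./||' | while IFS= read -r f; do
        if [ ! -e "$old/$f" ]; then
            printf 'A %s\n' "$f"
        elif ! cmp -s "$old/$f" "$new/$f"; then
            printf 'M %s\n' "$f"
        fi
    done
    ( cd "$old" && find . -type f ) | sed 's|^\./||' | while IFS= read -r f; do
        [ -e "$new/$f" ] || printf 'D %s\n' "$f"
    done
}

# apply_one NEWTREE SITEROOT RELPATH
# Replaces a single file in the site with the release's copy, after saving the
# current one as RELPATH.orig so the change can be reverted.
apply_one() {
    new=$1
    site=$2
    rel=$3
    cp -p "$site/$rel" "$site/$rel.orig"
    cp "$new/$rel" "$site/$rel"
}

# build_demo: constructs two small sample trees (constructed data standing in
# for the 1.6.6 and 1.6.7 unpacks), lists the changes sorted, applies only the
# modified library file to a site copied from the old tree, and confirms the
# site now matches the new release for that file.
build_demo() {
    work=$(mktemp -d)
    old="$work/old"
    new="$work/new"
    site="$work/site"
    mkdir -p "$old/lib/classes" "$old/modules/TinyMCE/plugins/safari"
    mkdir -p "$new/lib/classes" "$new/modules/TinyMCE"
    echo '<?php // 1.6.6' > "$old/index.php"
    echo '<?php // 1.6.6' > "$new/index.php"                          # unchanged
    echo '<?php // old module loader' > "$old/lib/classes/class.module.inc.php"
    echo '<?php // fixed module loader' > "$new/lib/classes/class.module.inc.php"
    echo 'old' > "$old/modules/TinyMCE/plugins/safari/editor_plugin.js"  # removed
    echo 'new' > "$new/modules/TinyMCE/plugin_new.js"                  # added
    cp -R "$old" "$site"
    changed_files "$old" "$new" | LC_ALL=C sort
    apply_one "$new" "$site" lib/classes/class.module.inc.php
    if cmp -s "$site/lib/classes/class.module.inc.php" "$new/lib/classes/class.module.inc.php" \
        && [ -f "$site/lib/classes/class.module.inc.php.orig" ]; then
        printf 'applied: %s\n' lib/classes/class.module.inc.php
    fi
    rm -rf "$work"
}

build_demo
```

With the real packages unpacked side by side, `changed_files cmsmadesimple-1.6.6 cmsmadesimple-1.6.7 | sort` gives the full list of touched files; anything reported as M under lib/ is where to look first when the changelog only says "fixes to prevent possible remote file inclusion vulnerabilities", and the .orig copy lets you roll the single-file change back if a site misbehaves before the full upgrade is scheduled.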