CRITICAL SECURITY RELEASE
Hello people.
Today we announce the release of CMS Made Simple version 2.2.1 "Hearts Desire". Not only does this release fix a few important issues detected with the 2.2 release, but it addresses a CRITICAL security issue that was detected for all 2.x releases. We request that you upgrade your CMSMS installations as soon as possible.
Specifically:
1. Fixed an issue where a compiled string template could be provided to many modules that directly execute PHP code without going through the Smarty security policy.
2. debug_to_log() is no longer a permitted PHP function to call within templates.
3. Fixed an issue where MicroTiny failed to initialize.
4. Fixed an issue in the database abstraction library when using nested transactions.
5. Fixed an issue with the Smarty plugin loading mechanism for plugins that use the smarty_cms_function_foo naming standard.
6. After an upgrade, ensure that the config.php has read-only permissions.
7. On upgrade, move all remaining plugins (should only be third party plugins) from /plugins to /assets/plugins.
Again, we consider the security vulnerabilities to be CRITICAL and request that you upgrade your sites as soon as possible.
Many thanks to Daniel Le Gall from SCRT SA, Switzerland for reporting this vulnerability. His skills and professionalism certainly assisted in our understanding, reproducing and resolving the vulnerability quickly and easily.
We apologize for the inconvenience and thank you for your cooperation.
Announcing CMSMS 2.2.1 - Hearts Desire
- Support Guru
- Posts: 8169
- Joined: Tue Oct 19, 2004 6:44 pm
- Location: Fernie British Columbia, Canada
Please post system information from "Extensions >> System Information" (there is a bbcode option) on all posts asking for assistance.
--------------------
If you can't bother explaining your problem well, you shouldn't expect much in the way of assistance.
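
A post-upgrade check for items 6 and 7 of the list above, as an added example that is not part of the original announcement or of CMSMS itself. It assumes the site root is passed as the first argument and that plugin files end in .php.

```shell
#!/bin/sh
# Added example: audit a CMSMS root after upgrading to 2.2.1.
# Assumptions: $1 is the site root; plugin files are *.php.

# 0 = config.php has no write bit, 1 = writable, 2 = missing.
# Mode bits are inspected instead of `test -w`, which is always
# true for root and would hide a writable file.
config_is_read_only() {
    cfg="$1/config.php"
    [ -f "$cfg" ] || return 2
    mode=$(ls -ldL -- "$cfg" | cut -c2-10)
    case "$mode" in
        *w*) return 1 ;;
    esac
    return 0
}

# Print plugin files still under /plugins (item 7 moves them
# to /assets/plugins). Prints nothing when the directory is clean.
leftover_plugins() {
    [ -d "$1/plugins" ] || return 0
    find "$1/plugins" -type f -name '*.php' | sort
}

# Run both checks; the return status is the number of failed checks.
audit_cmsms() {
    root="$1"; failures=0; rc=0
    config_is_read_only "$root" || rc=$?
    case "$rc" in
        0) echo "OK   config.php is read-only" ;;
        1) echo "FAIL config.php is writable (chmod a-w config.php)"
           failures=$((failures + 1)) ;;
        *) echo "FAIL config.php not found under $root"
           failures=$((failures + 1)) ;;
    esac
    left=$(leftover_plugins "$root")
    if [ -n "$left" ]; then
        echo "FAIL plugin files still in /plugins:"
        echo "$left" | sed 's/^/     /'
        failures=$((failures + 1))
    else
        echo "OK   no plugin files left in /plugins"
    fi
    return "$failures"
}

if [ $# -gt 0 ]; then audit_cmsms "$1"; fi
```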