Re: CMS Made Simple 1.5 is in development

Posted: Wed Oct 29, 2008 2:13 pm
by calguy1000
One of the open issues we're working on is the potential (medium threat) XSS opportunity in the admin interface of CMS.

We had an online development team meeting yesterday where we discussed this vulnerability, and the proper solution, and how/who will implement it.

Unfortunately, the implementation involves modifications to each and every form and link in the admin section.  This will take a bit of time to finish... though there are four or five of us working on it so it shouldn't be too long.  I'll crack the whip and get them going :)

Beta testing will be critical on this release, as we have had to modify just about everything in the admin to fix this problem.  The more beta testers we can arrange the better.

As well, though most modules should work just fine without modification, some badly behaved or badly implemented modules may not be compatible with CMS version 1.5... I don't know which modules (if any) these are.  And no, we will not support them or fix them just because they may now be broken.  It will be up to the module developer(s) to fix these problems and release a new version.

Just thought I'd keep you informed.

Re: CMS Made Simple 1.5 is in development

Posted: Wed Oct 29, 2008 8:15 pm
by Pierre M.
Fixing of the XSS : VERY good news. Thx. It is worth the delay.

About the break of "badly behaved or badly implemented" modules : I like it, it is natural selection in evolution :-) Modules are either (maintained and 1.5 compatible) OR (unmaintained and shouldn't be deployed).

Pierre M.

Re: CMS Made Simple 1.5 is in development

Posted: Wed Oct 29, 2008 9:14 pm
by Nullig
I agree with you, Pierre. It's a great way to weed out the "old stuff".

Nullig

Re: CMS Made Simple 1.5 is in development

Posted: Wed Oct 29, 2008 9:24 pm
by Jonny
calguy1000 wrote:
    i)  The ability to copy content pages
 
Thanks, that one is very welcome. :) I really expected to wait for 2.0 to see this implemented.

Now, if only the Edit Content preview could display all content blocks...  ;)

Re: CMS Made Simple 1.5 is in development

Posted: Wed Oct 29, 2008 9:31 pm
by Duketown
Yep Pierre, great way to filter out 'unwanted' material. This increases the level of confidence of the modules that will remain.

I didn't know what XSS stood for; while researching I found the following:
http://www.cgisecurity.com/articles/xss-faq.shtml.
From this overview I learned that modules that use cookies are vulnerable. For those reading this who have it installed, the module Cart Made Simple is one of them.
Just a warning from my side to be careful with using it (more serious: I am not to be blamed if something happens -> see the helptext of the module).

Once there is a 'common'/'standard' thought on how this is to be handled, the cookie-using modules are to be upgraded.

Duketown

Re: CMS Made Simple 1.5 is in development

Posted: Thu Oct 30, 2008 8:21 pm
by Pierre M.
@Duketown : about the XSS vulnerability the DevTeam is working on, see http://forum.cmsmadesimple.org/index.ph ... 827.0.html. May be another one, but I hope this information can help you maintain your modules.

Pierre

Re: CMS Made Simple 1.5 is in development

Posted: Sun Nov 02, 2008 10:34 pm
by calguy1000
Stay tuned!!!

CMS Made Simple 1.5 will probably come out tomorrow (November 3)... barring alpha testers finding something new.

Re: CMS Made Simple 1.5 is in development

Posted: Mon Nov 03, 2008 12:10 pm
by Ted
calguy1000 wrote:
    Stay tuned!!!

    CMS Made Simple 1.5 will probably come out tomorrow (November 3)... barring alpha testers finding something new.

And by "come out", he means a beta.

Just clarifying.  :)