CMS Made Simple 1.5 “Puerto Rico”

[Ted]

Cross-posted from http://is.gd/9OKG

I’m very happy to announce the release of CMS Made Simple 1.5. Calguy and crew have done an amazing job keeping the CMSMS core chugging along and getting more stable and feature rich. Unless you’re totally locked into an older version, I recommend upgrading your site as soon as possible.

Some key points from the changelog:

A new notification system in the admin
A new dashboard page in the admin
The ability to copy content pages has been added
More bulk actions have been added to the list content page
Numerous improvements to the installer
Apply buttons on GCB’s and UDT’s
TinyMCE changes: Updated to latest Tiny-core
Extensive modifications were made to add a session key to each and every
URL in the admin console. This prevents a medium level cross site scripting
vulnerability
Much, much more
As always, check out the full changelog for details on what has changed.

For a concise description on upgrading, take a look here.

Downloads for 1.5 can be found here.

Thanks again to all the CMSMS team: devs, translators and testers alike. You all seriously rock and here’s to another fine release.

[calguy1000]

If you are experiencing problems when using certain modules, and having them 'log you out'... this probably means that the module wasn't behaving nicely, and is now not compaitlbe with CMS 1.5

Do to a potential medium level cross site scripting vulnerability, every URL generated in the CMS admin section has a security key in it.  This security key is generated on login, and has to be in every single form or link.

If you're using a module that doesn't use the standard api for creating forms or links, it will not work with CMS 1.5+.  Hopefully there aren't much of these (and I really hope none of them are mine  ).

I suggest you do a complete backup of your entire site before upgrading (I know I don't have to mention this you already diligently backup your site every night (cough)).  Then test (hopefully in a seperate location) to see if you are going to have difficulties.

Therefore I suggest you contact the module author to urge him to correct his module.

[duclet]

I am looking at this code and I don't see how this security key is helping. The code is setting the security key to session from the cookie if it doesn't have it from session (which I would assume a hacker can do this). Assuming that, the hacker then can just simply add in a cookie for the CMS_SECURE_PARAM_NAME to lets say, "abc". Then just append to the URL CMS_SECURE_PARAM_NAME=abc and he has gotten the security level back to what it was previously. Obviously this is me just quickly looking over the code and I haven't look at everything yet so I might be missing something but this seems more like security by just making the hacker do a few extra steps. Feel free to correct me because if I am wrong, I would really like to know why as I am very curious.

[calguy1000]

we're not reading the security key from a cookie.... just from the session.

[duclet]

Oh, but you are:

Code: Select all

        if( !isset($_SESSION[CMS_USER_KEY]) )
          {
        // it's not in the session, try to grab something from cookies
        if( isset($_COOKIE[CMS_SECURE_PARAM_NAME]) )
          {
            $_SESSION[CMS_USER_KEY] = $_COOKIE[CMS_SECURE_PARAM_NAME];
          }
          }

Of course you don't read from the cookie unless the session isn't set. However, you are when the session doesn't exist which I believe a hacker can unset a session as when you really think about, a session is just a special case of a cookie.

[JeremyBASS]

(and I really hope none of them are mine   ).

Just noticed that the blog mod may have fallen to this.. I haven't used it much before I updated but I keep getting "internet explore ... blaa.. we know" and if I hit refresh I get this

Fatal error: Call to a member function GetFriendlyName() on a non-object in /home/content/t/y/d/jeredsfeebasdf43/html/admin/moduleinterface.php on line 124

seems to happen when ever I submit...

One quick thought since I'm specking of the blog... may-be we can add a comment from the admin side... and since you said , I think, that blogs was based of news.. the multy template like news has would be nice ... well I know wordpress would go down.. yeah down.. well ok may-be a little more power would be needed but yeah down baby down... lol...

anyways... Just thought I'd tell you about the error..


Keep up the good work...


@ duclet -  for what it's worth ... When you really think about it a real hacker can only have steps thrown at him to make it harder... there is nothing we have to 100% protect what we server to people, may-be pulling the cat 6 cable.. think about it.. the hole we send stuff out... is the hole they come in..

[SimonSchaufi]

If the key comes from the session, why do you need to add the key as well in the URL???

I found a bug in the Core as well: If you are in the User Preferences and click Cancel, you are redirected to the Login screen

[hhm]

Any reason why the contact_form plugin has been removed / disabled????

And what's the (best) alternative..?

[alby]

Any reason why the contact_form plugin has been removed / disabled????

And what's the (best) alternative..?

Use FormBuilder module.
It has already a contact form

Alby

[hhm]

Ok, thanks...

[Ted]

The URL has to match what's in the session or cookie.  You have to understand the problem...

Because of your login being saved, someone could devise a URL that could trigger functionality in your admin.  So you click a link outside of your admin and it's a phishing type link that deletes a page in your admin (yes, it's possible).  By making sure the link matches the session, we can be sure that outside sources can't just generate stuff.

Is it a slim possibility?  Probably.  But it's still possible.

Anyway, we tested and confirmed that an outside site can't manipulate a cookie from another site.  A browser allowing that would be full of fail -- so even storing the session id in a cookie shouldn't matter.  As long as the URL and cookie/session match, then you know the link is valid.

Lots of web frameworks are including this feature as well... we're just doing our part for net safety. 

[SimonSchaufi]

this was a very clear answer (even though i dont know how it works )! thanx ted!

[duclet]

Okay, sounds reasonable. Personally I still have doubts about it but if others have tested and confirmed that it works, who am I to argue?

[minneapolis_dan]

So getting logged out of the admin all the time with 1.5 and 1.5.1, it's related to modules, is that consensus? Just having them in there affects all admin sections? Is anyone else getting logged out all the time, outside of a specific module section?

I'm just trying to determine if it's the host (Network Solutions) or the latest version 1.5. I'm afraid I'm not very helpful in troubleshooting this, just looking for an answer. 

[duclet]

There was a code change to 1.5 that requires a security key to be added to the URL of all links within the admin section. This of course would break any links (which many modules has) from working at it redirects to the login page. So in essence, it isn't your host but the update to CMSMS. I am sure most developers, myself included, are updating our modules links where necessary. As to other parts of the site, I haven't digg in too deep to know.