CMS Made Simple 1.0.6 Released!
Apr 24, 2007 by Ted Kulp
It's been brought to our attention that there is a potential SQL injection bug in stylesheet.php. We were due to release 1.0.6 anyway, but this just made us rush out a release as soon as we were notified.
My suggestion is to update AS SOON AS POSSIBLE. If for some reason you can't then at the very least, replace your stylesheet.php with this file: http://svn.cmsmadesimple.org/svn/cmsmadesimple/tags/version-1.0.6/stylesheet.php.
This flaw has been in the code for awhile, so if anyone has a legacy version and wants to know if they need a patch and how to do it, let us know in IRC or email.
Here is the ChangeLog:
- Fixes a potential SQL injection hole in stylesheet.php - A new installer that uses smarty templates and classes. it doesn't look much better atm, but does have alot more power and is alot cleaner for the future. - Show the footer on tags about and help pages - Fixes to the expression that caused session_start to not always be called. - Fixes for errors in get_template_vars with newer php versions - (important) Fixes a problem where the wrong module could be unloaded from memory if module files had been deleted manually, without explicitly uninstalling the module first. - Fixes to the safe mode tests - Fixes for open_basedir issues in ImageManager - Repeated quick reloads should no longer violate the 'cachable' page property. - Add a download link for the admin log - Fixes for the umask test in global settingsThanks! Sorry for the alarm, but we want to get this resolved as soon as possible.
© Copyright 2007 by CMSMS™ and the posts author(s). All rights reserved.
10 Responses to "CMS Made Simple 1.0.6 Released!"
http://www.massillon.sparcc.org
On: Apr 25, 2007, Cyruse said:
Upgrade worked fine as usual!! Kind of makes for a boring upgrade really, nothing exciting happened, nothing broke everything works, and it took all of three minutes too!
http://cmsmadesimple.org
On: Apr 25, 2007, Ted said:
Sorry to disappoint. We'll try harder to mix it up for you next time. :)
On: Apr 26, 2007, Russ said:
"...- A new installer that uses smarty templates and classes...."
There does not appear to be an install folder in the 1.0.5 - 1.0.6 diff package? Is this correct?
Russ
http://www.ubuntu-it.org
On: Apr 26, 2007, saltydog said:
I was going to miss this! Have you removed RSS-Feed on news??
http://cmsmadesimple.org
On: Apr 26, 2007, Ted said:
@Russ
Correct. There are no database changes, so the diff package just has the changed files. Just upload to your server over the 1.0.5 files and you're good to go.
@saltydog
Get the new rss location. I'm kind of suprirsed that you had a really old one, as I switched to feedburner a LONG time ago and then just switched the feed that feedburner was looking at to the wordpress feed.
On: Apr 26, 2007, Russ said:
Ted, thanks for the information on the 'install folder', but sad to see modform.inc.php still has the name attribute as it will not validate as XHTML 1.0 Strict.
This was a page with the standard Search form on using 1.0.6.
From the validator....
"
You have used the attribute named above in your document, but the document type you are using does not support that attribute for this element. This error is often caused by incorrect use of the "Strict" document type with a document that uses frames (e.g. you must use the "Transitional" document type to get the "target" attribute), or by using vendor proprietary extensions such as "marginheight" (this is usually fixed by using CSS to achieve the desired effect instead)... "
I know that removing it may cause problems with other modules, last time I looked for example the Album, module had problems when editing, but surely there must be a solution?
Russ
http://none
On: Jun 5, 2007, Gintaras said:
Can I upload this on my 1.0.4 version? Won't it damage my current version structure, etc.? And please, correct me: I should run upgrade.php from install dir? thank you.
http://cmsmadesimple.org
On: Jun 5, 2007, Ted said:
@Gintaras: Yes, and yes. :)
On: Jun 7, 2007, Edgariokas said:
to Gintaras: I have several sites on CMS made simple with different versions,
i just uploaded stylesheet.php, but it refers to:
lib/misc.functions.php and
lib/adodb.functions.php,
so i uploaded and those files to. All works fine.
I sveikata. :)
http://www.blogsweek.com/en/cms-made-simple-106-released/
On: Jun 16, 2007, CMS Made Simple 1.0.6 released - BlogsWeek.com said:
[...] For additional information, please read the release announcement. [...]
