Announcing CMSMS 2.2.6 - Come By Chance
Today we are announcing the release of CMS Made Simple 2.2.6, "Come By Chance". This is primarily a security release.
Category: General, Releases
Posted: February 17, 2018 by calguy1000
This is a minor release that addresses a few small security issues in the admin console. The primary fix ensures that admin actions are not susceptible to CSRF attacks. We also removed a few 'magic' URL parameters on admin requests that could be used to carry out XSS attacks.
Secondly, a few warnings and notices were corrected, and we modified the SetMessage() and SetError() methods of the module API that handle flash messages across requests. These methods were changed to use session variables instead of request parameters.
This release may break the success or error flash messages displayed in the admin console by some third-party modules that still use the older way of generating these messages. The replacement is to call the SetMessage() and SetError() methods of the module class before redirecting. So far we have only detected a few modules that are affected.
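
The difference between the two flash-message approaches described above, as an added PHP example that is not CMSMS code: the function names and the `message` parameter are hypothetical, and a plain array stands in for `$_SESSION`.

```php
<?php
// Added example. Function names are hypothetical, not the CMSMS module API.

// Older pattern: the message text rides in the redirect URL, so anyone who
// can get an admin to follow a link chooses what the page displays.
function flash_from_request(array $query): string
{
    $msg = $query['message'] ?? '';
    return $msg === '' ? '' : '<div class="message">' . $msg . '</div>'; // unescaped
}

// Session pattern: the text is stored server-side before the redirect.
function set_flash(array &$session, string $type, string $text): void
{
    if (!in_array($type, ['message', 'error'], true)) {
        throw new InvalidArgumentException("unknown flash type: $type");
    }
    $session['flash'][$type][] = $text;
}

// Render pending messages once, escaping on output, then clear them.
function take_flash(array &$session): string
{
    $html = '';
    foreach ($session['flash'] ?? [] as $type => $texts) {
        foreach ($texts as $text) {
            $safe = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
            $html .= "<div class=\"$type\">$safe</div>";
        }
    }
    unset($session['flash']);
    return $html;
}

// Constructed demo: a plain array stands in for $_SESSION so it runs from the CLI.
$query = ['message' => '<b>injected</b>'];  // constructed URL parameter carrying markup
echo flash_from_request($query), "\n";       // the markup reaches the page as-is

$session = [];
set_flash($session, 'message', 'Settings saved');
set_flash($session, 'error', 'Name must not contain <tags>');
// ... redirect happens here; the URL carries no message text ...
echo take_flash($session), "\n";             // both messages, escaped
var_dump(take_flash($session) === '');       // messages are shown only once
```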
Though we will endeavor to resolve known issues of this type in the course of our regular development cycles, particularly when we are replacing or adding functionality in that area, we will not normally take extra effort to respond to reports, or release interim releases resolving issues of this nature that are reported to us.
As usual, the volunteer Dev Team members are only asked to answer questions regarding the last two releases of CMSMS. At this time these are version 2.2.5 and 2.2.6. We encourage you to upgrade your websites as soon as possible.
Many thanks to the community members for helping us spot and fix these issues, and to the Dev Team who have again put in many hours testing, documenting and fixing issues.
Thank you, and have fun with CMSMS.