Announcing CMSMS 2.2.6 - Come By Chance

Announcing CMSMS 2.2.6 - Come By Chance

Today we are announcing the release of CMS Made Simple 2.2.6, "Come By Chance". Primarily a security release.

Category: General, Releases
Posted: February 17, 2018 by calguy1000

Hello Everybody.

Today we are announcing the release of CMS Made Simple 2.2.6, "Come By Chance".

This is a minor release that addresses a few small security issues in the admin console. The primary issue addressed was ensuring that admin actions were not susceptible to CSRF attacks. Also, we removed a few 'magic' URL parameters that could be used to implement XSS attacks via parameters on URLS for admin requests.

Secondly, a few warnings and notices were corrected, and we modified the SetMessage() and SetError() methods of the module API that handle flash messages across requests. These methods were changed to use session variables instead of request parameters.

This release may break the flash messages on success or error displayed in the admin console by some third party modules still using the older way of generating these messages. The replacement is to use SetMesssage() and SetError() methods of the module class before redirecting. So far we have only detected a few modules that are affected.

At this time we would like to remind the user community of our stance about low-priority security vulnerabilities in the admin panel: It is in the nature of CMSMS that most administrators can edit HTML and javascript for the front-facing web application. This gives most administrators the ability to attack the customers and visitors to the application. We consider it a low-priority issue if an authorized administrator can attack the other administrators. Almost every other bug or feature request is more important.

Though we will endeavor to resolve known issues of this type in the course of our regular development cycles, particularly when we are replacing or adding functionality in that area, we will not normally take extra effort to respond to reports, or release interim releases resolving issues of this nature that are reported to us.

As usual, the volunteer Dev Team members are only asked to answer questions regarding the last two releases of CMSMS. At this time these are version 2.2.5 and 2.2.6. We encourage you to upgrade your websites as soon as possible.

Many thanks to the community members for helping us spot and fix these issues, and to the Dev Team who have again put in many hours testing, documenting and fixing issues.

Thank you, and have fun with CMSMS.

Our Partners:
Themeisle EasyThemes