CMSMS Blog
Modules and Security
Posted January 19, 2007 by signex
Yesterday I made an entry about CMSMS getting bigger and having a fair amount of users. Now, there is also a downside to this. Getting more attention will also attract hackers, knowing when they can get into one CMSMS website they can get into a lot more. However, the development of the core is done by a couple of great developers. I don't think the CMS Made Simple core would get into a lot of problems when getting bigger and having more users. Also, they would be releasing patches quickly when serious security holes would occur.

But how about the modules? And I'm not talking about the much used modules, as they will grow and get updated with the core system because so many people use them, but the more unknown modules which don't get updated very often. Those modules will probably cause potential security risks in the future, since scripting never stands still and new vulnerabilities get discovered every now and then.

Now we all know that using GPL/Open source software comes without warranties, and using it is at your own risk, but when old modules get security issues CMSMS gets blamed, or at least associated with the vulnerability. This is kinda the way Joomla got its bad name in my opinion. Joomla as a clean install combined with decent chmodding is pretty safe, but with so many 3rd party modules it's hard to keep track of what's safe to use and what's not, maybe not for the hardcore coders between us but it is for many others.

So what would be a good way to "protect users" against the risk of using older not updated modules? Maybe a new module category in the forge called "Not updated in the last 12 months - could have potential security risks and/or isn't compatible with new core systems" and automatically put all the modules in there which have not been updated in the last 12 months.

I'm really interested in how other people think about the module security. Am I just paranoid or could these thoughts be potential ideas? Drop your thoughts in the comments!
Regards Signex / Benjamin
CMS Made Simple 1.0.3 Released!
Posted January 18, 2007 by Ted Kulp
Yes, it's incredibly overdue, but it's finally released. This is basically just a bugfix and security release. It's released in both the full download version, and also a diff installation that you can overwrite an existing 1.0.2 installation with only changed files. The security issues were not major by any means, but it's still good to patch XSS issues. The ones we had were non-permanent and didn't cause any damage to your site, but they still needed addressing. The changelog goes as follows...
Version 1.0.3 "Kauai" -- Jan 18 2007
-----------------
- Fixed several non-permanent XSS vulnerabilities
- Fixed issue with breadcrumbs plugin displaying root node multiple times
- Fixed issue with multiple events being entered
- Removed global references to $db from the admin and include.php
- Added a "Modify Events" permission
- Added event for "Change Group Permissions"
- Added ability to select a file for the Link content type
- Added ability to specify default boilerplate page content
- Fixed print plugin output so that it's xhtml compliant
- Added text direction to languages for support of languages like Hebrew and Arabic
- Fixed issue where 2 installs on the same domain shared login sessions
- Fixed issue with contact form with pretty_urls turned on
- Fixed issue with LoadStylesheets() not loading the modified date
- Changed search schema layout. Now allows for expiration dates on entries
- Changed the icon for global content so that it doesn't look like the Gentoo logo
- Fixed issue with expanding content in the content list when user didn't have the Add Page permission
- Added captcha module support to the contact_form plugin (you still need to manually install the Captcha module for this to work)
- Added messages when admin log is cleared
- Much much more

Enjoy!
CMS Made Simple is definitely growing up.
Posted January 18, 2007 by signex
Browsing through the development part of the CMS Made Simple website yesterday I noticed that there are almost 100.000 downloads of the CMS Made Simple Core. With the release of 1.0.3 it can't take long before it reaches this magical number. With the plans of CMSMS 2.0 coming with all the nice new features it can only get better. Of course it will take a long time before the stable 2.0 series will be released, but I can't wait for the first betas to be released.

So I would like to take this first blog entry for me as an opportunity to congratulate all the people that supported CMS Made Simple, whether that is with development, time in the forums, donating or just by using it. More serious entries will follow soon!

Regards, Signex / Benjamin
CMSMS 1.0.2 Speed Issues
Posted January 18, 2007 by 3dcandy
Hi all,

It has come to my attention that one of the biggest topics on the forum regarding CMSMS is a speed issue. Although 2.0 will have a page caching feature, 1.0.2 can suffer sometimes from slow page loads. To combat this, you should try uninstalling and deleting all unnecessary modules that you have in your setup. This can quite often lead to a nice speedup! Don't forget that custom tags that are installed can slow down page loads, and also unused translations...

In the meantime, there is also a tag available which replaces the current content tag with ccontent. This caches the content and has resulted in a nice speedup on the sites I have tested it on. Thanks to cyberman for this! To download the cache tags, please go to http://dev.cmsmadesimple.org/projects/cache/

Bear in mind that you will have to alter the template and/or stylesheet that your site uses to make the cache tags work! Right then, till the release of 2.0, bear these points in mind to keep your site nice and responsive...

Regards Ade (3dcandy)