Textpattern CMS support forum


#1 2012-08-27 06:49:58

wet
Developer
From: Lenzing, Austria
Registered: 2005-06-06
Posts: 3,267

Feedback to: Textpattern 4.5.0 released

Please provide any feedback related to Textpattern 4.5.0 released.


#2 2012-08-27 08:58:39

argi
Plugin Author
Registered: 2012-06-17
Posts: 8

Re: Feedback to: Textpattern 4.5.0 released

A small change in version number, but a giant leap for Textpattern! The biggest thing since the early days of this CMS.


#3 2012-08-27 11:50:54

kees-b
Member
From: middelburg, nl
Registered: 2004-03-03
Posts: 234

Re: Feedback to: Textpattern 4.5.0 released

Looking very good!

On my textdrive lifetime joyent shared accelerator json is missing, at least at my server kemp.joyent.us which throws up an error at the bottom when logged in: Fatal error: Call to undefined function json_encode()

Thanks for all your good work!

Kees


#4 2012-08-27 13:06:58

SuMu
Member
From: Germany - Wuppertal
Registered: 2008-03-06
Posts: 242

Re: Feedback to: Textpattern 4.5.0 released

I updated 3 blogs and it seems to work fine so far! :-)


Best regards
SuMu

Psychomuell + blogZicke


#5 2012-08-27 13:32:41

Gocom
Plugin Author
From: Helsinki, Finland
Registered: 2006-07-14
Posts: 4,532

Re: Feedback to: Textpattern 4.5.0 released

kees-b wrote:

at least at my server kemp.joyent.us which throws up an error at the bottom when logged in: Fatal error: Call to undefined function json_encode()

Why would someone compile PHP without JSON? That’s strange as hell; it’s almost guaranteed that something breaks if you do so. Sure there are few exploits for it on its earlier versions for 5.2, but none of those are critical as in allowing injections or arbitrary executions.

Anyways, you should update/recompile PHP tho if it’s missing. Otherwise you get those fatals and JavaScript issues. At least you will not see translation strings in JavaScript based dialogs and such, which is what json_encode is primarily used for.

Last edited by Gocom (2012-08-27 13:35:49)


#6 2012-08-27 14:03:30

colak
Admin
From: Cyprus
Registered: 2004-11-20
Posts: 7,288

Re: Feedback to: Textpattern 4.5.0 released

kees-b wrote:

Looking very good!

On my textdrive lifetime joyent shared accellerator json is missing, at least at my server kemp.joyent.us which throws up an error at the bottom when logged in: Fatal error: Call to undefined function json_encode()

Hi Kees

It’s fine on north. My high diagnostics read json/1.2.1

> Edit. Updated one of our sites without any visible problems.

I know that this is not the thread for this but are there any plans for an update for postmaster?

Last edited by colak (2012-08-27 14:49:40)


Yiannis
——————————
neme.org | hblack.net | LABS | State Machines | Respbublika! | NeMe @ github


#7 2012-08-27 14:56:25

ruud
Developer emeritus
From: a galaxy far far away
Registered: 2006-06-04
Posts: 5,068

Re: Feedback to: Textpattern 4.5.0 released

weblog says:

Textpattern 4.5.0 fixes three XSS security vulnerabilities which would allow maleficent attackers to gain administrative access to the site by tricking a legitimate publisher into clicking on a carefully crafted link. We thank Mauro Gentile, Jonathan Claudius, and Sasha Zivojinovic for their responsible disclosure of these issues. An update is highly recommended.

history.txt says:

  • Security: Admin-side disallows framing, sends “X-Frame-Options: SAMEORIGIN” header.
  • Security: The ‘txp_login’ cookie is set with a ‘HttpOnly’ attribute.
  • Security: Fixed a persistent XSS vulnerability in Textile discovered by Mauro Gentile.
  • Security: Fixed a XSS vulnerability in the setup process discovered by Jonathan Claudius of Trustwave SpiderLabs.
  • Security: Fixed a persistent XSS vulnerability in the access log panel discovered by Sasha Zivojinovic.
  • Bug and security fixes

Is it possible to get more information about the impact of the various security vulnerabilities, including the ones that are listed under “bug and security fixes”? In which situations should users upgrade ASAP?
  • every textpattern install
  • only if you have comments enabled
  • only if you have multiple authors and don’t really trust them all.
  • only if you use RPC?
  • … and what is the impact of each of the vulnerabilities (worst case)?
  • etc.

I’m asking because I have to upgrade a few TXP installs that are highly customized, but which do not require the new features in TXP 4.5. So if I don’t have to upgrade now for security reasons, I can schedule it for some other time in the future or perhaps even wait for 4.6.

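For readers wanting to see what the two hardening items quoted from history.txt above (the X-Frame-Options header and the HttpOnly login cookie) look like in PHP, together with the output escaping that stops a stored value such as a logged referrer from becoming a persistent XSS, here is an added example. It is not Textpattern's own code; only the cookie name `txp_login` and the header value come from the changelog, and the function names, cookie lifetime and the sample referrer string are constructed for illustration.

```php
<?php
// Added example, not Textpattern code. Shows the admin-side hardening measures
// from the 4.5.0 changelog and escaping of stored, attacker-controlled text.

// 1. Refuse to be framed by other origins (clickjacking defence).
//    Headers must be sent before any output is written.
function send_admin_security_headers()
{
    header('X-Frame-Options: SAMEORIGIN');
}

// 2. Issue the login cookie with the HttpOnly attribute so that script running
//    in the page (e.g. via an XSS bug) cannot read it through document.cookie.
//    'txp_login' is the cookie name from the changelog; value and lifetime are
//    illustrative assumptions. The Secure flag is set when the request is HTTPS.
function set_login_cookie($value, $lifetime_seconds = 3600)
{
    $secure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    // setcookie(name, value, expire, path, domain, secure, httponly)
    return setcookie('txp_login', $value, time() + $lifetime_seconds, '/', '', $secure, true);
}

// 3. A persistent XSS in a log panel arises when a stored string that the
//    visitor controls (such as the HTTP Referer) is echoed unescaped into the
//    admin page. Escaping at output time neutralises any markup it contains.
function render_referrer_cell($referrer)
{
    $safe = htmlspecialchars($referrer, ENT_QUOTES, 'UTF-8');
    return '<td>' . $safe . '</td>';
}

// Demonstration with a constructed referrer value that carries markup.
send_admin_security_headers();
echo render_referrer_cell('http://example.com/?q=<script>alert(1)</script>'), "\n";
// Output: <td>http://example.com/?q=&lt;script&gt;alert(1)&lt;/script&gt;</td>
```

Note that the HttpOnly flag limits what a successful XSS can steal but does not prevent the injected script from acting on the admin interface with the victim's session, which is why the escaping fix is the actual remedy and the cookie and framing changes are defence in depth.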

#8 2012-08-27 15:10:30

wet
Developer
From: Lenzing, Austria
Registered: 2005-06-06
Posts: 3,267

Re: Feedback to: Textpattern 4.5.0 released

You should update if one of these applies:

  • Visitor logs are enabled and admin-side users are possibly following the recorded referrer links.
  • Comments are enabled and not reviewed for malicious HTML prior to making them public.
  • Untrusted authors.
  • Textpattern is uploaded into a publicly accessible web location without a completed setup.

We have not had to fix any issues with the RPC server or other components besides Textile, the visitor log panel and the setup procedure.

These are your options if you do not want to upgrade a site to Textpattern 4.5 but gain the security benefits from this release:

  • You can use Textile 2.4.1 as a drop-in replacement for older Textpattern installs.
  • You are advised to remove the whole setup folder once installation is completed, and of course you are not advised to keep an older uninstalled version of Textpattern lying around in a publicly accessible location.
  • You can turn off visitor logs and/or carefully inspect all recorded referrer locations (or just drop them completely).

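The checklist wet gives above (setup folder removed, visitor logs off or referrers inspected) and the missing json extension kees-b reported earlier in the thread can be checked with a small audit script before deciding whether an install needs the upgrade right away. The following is an added example, not Textpattern's own code: the path `textpattern/setup`, the function names and the sample referrer values are assumptions constructed for illustration, and the referrer list would in practice be read from the site's own visitor log.

```php
<?php
// Added example, not Textpattern code: pre-upgrade audit of the conditions
// listed in the thread. All paths and sample data are constructed assumptions.

// Setup folder should not survive a completed installation.
function audit_setup_dir($txp_root)
{
    $setup = rtrim($txp_root, '/') . '/textpattern/setup'; // assumed location
    if (is_dir($setup)) {
        return 'WARN: setup directory still present: ' . $setup;
    }
    return 'OK: setup directory removed';
}

// json_encode() is needed by the admin-side JavaScript; its absence produces
// the fatal error kees-b saw.
function audit_json_extension()
{
    if (function_exists('json_encode')) {
        return 'OK: json extension present';
    }
    return 'WARN: json_encode() missing; enable/recompile ext/json';
}

// Flag recorded referrer values that contain markup or a script-bearing URL
// scheme. Such values only do harm if rendered unescaped, but they are the
// ones to review (or drop) when visitor logs stay enabled on an old version.
function audit_referrers(array $referrers)
{
    $flagged = array();
    foreach ($referrers as $ref) {
        // Decode percent-encoding and entities so obfuscated markup is visible.
        $decoded = html_entity_decode(rawurldecode($ref), ENT_QUOTES, 'UTF-8');
        $has_markup = ($decoded !== strip_tags($decoded));
        $bad_scheme = (bool) preg_match('/^\s*(javascript|data|vbscript):/i', $decoded);
        if ($has_markup || $bad_scheme) {
            $flagged[] = $ref;
        }
    }
    return $flagged;
}

// Constructed sample of recorded referrer values (not real log data).
$sample_referrers = array(
    'http://example.org/blog/post-1',
    'http://example.org/?s=%3Cscript%3Ealert(1)%3C/script%3E',
    'javascript:alert(1)',
);

echo audit_setup_dir(getcwd()), "\n";
echo audit_json_extension(), "\n";
foreach (audit_referrers($sample_referrers) as $bad) {
    echo 'REVIEW: suspicious referrer: ', $bad, "\n";
}
// With the sample above the last two referrers are reported for review.
```

Run it from the web root of the install; a clean result on all three checks, plus trusted authors and reviewed comments, corresponds to the "no immediate need" case in wet's list, while any warning points at the component (setup, log panel, or the JSON dependency of the new admin UI) that the 4.5.0 release addresses.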

#9 2012-08-27 15:40:32

kees-b
Member
From: middelburg, nl
Registered: 2004-03-03
Posts: 234

Re: Feedback to: Textpattern 4.5.0 released

Gocom wrote:

Why would someone compile PHP without JSON. That’s strange as hell, it’s almost guaranteed that something breaks if you do so. Sure there are few exploits for it on its earlier versions for 5.2, but none of those are critical as in allowing injections or arbitrary executions.

From diagnostics:

PHP version: 5.3.5

PHP extensions: Core/5.3.5, date/5.3.5, ereg, libxml, openssl, pcre, sqlite3/0.7-dev, ctype, fileinfo/1.0.5-dev, filter/0.11.0, hash/1.0, SPL/0.2, session, Reflection/$Revision: 305605 $, standard/5.3.5, SimpleXML/0.1, Phar/2.0.1, tokenizer/0.1, xml, xmlreader/0.1, xmlwriter/0.1, cgi-fcgi, gd, iconv, mbstring, mcrypt, mysql/1.0, mysqli/0.1

Very strange indeed – no json.

Ticket sent to joyent support.

-k

Last edited by kees-b (2012-08-27 15:43:26)


#10 2012-08-27 15:55:59

colak
Admin
From: Cyprus
Registered: 2004-11-20
Posts: 7,288

Re: Feedback to: Textpattern 4.5.0 released

I just did a fresh install and found sbl.spamhaus.org in advanced preferences. Doesn’t this always cause problems? Shouldn’t we delete/disable it by default?


Yiannis
——————————
neme.org | hblack.net | LABS | State Machines | Respbublika! | NeMe @ github

