Textpattern CMS support forum
Re: [mention] Summary of Recent Textpattern Security Issues (Upgrade to 4.4.0 ASAP!)
And a big thank you again to all the Textpattern devs for being so understanding and responsive :)
#17 2011-05-26 22:04:57
- gomedia
- Plugin Author
- Registered: 2008-06-01
- Posts: 1,373
Re: [mention] Summary of Recent Textpattern Security Issues (Upgrade to 4.4.0 ASAP!)
Please don’t misunderstand me – I wasn’t making any criticism of the effort made or of the changes. I’m just a bit concerned that in the real world it’s not possible to do software upgrades at the drop of a hat & until then a pre-4.3.0 TXP website is vulnerable.
An .htaccess file, however, would be easy to bang in – as a temporary measure – so is it just a question of password protecting the /textpattern dir?
Re: [mention] Summary of Recent Textpattern Security Issues (Upgrade to 4.4.0 ASAP!)
Yes, that protects against the arbitrary code execution vulnerability (assuming the attacker doesn’t know the password).
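The stopgap agreed on above (HTTP Basic authentication on the /textpattern admin directory until the upgrade can be scheduled) looks like the following. This is an added example, not a file from the thread or from the Textpattern project; it assumes Apache with `AllowOverride AuthConfig` (or `All`) enabled for the site, and the `.htpasswd` path is a placeholder chosen for the example.

```apache
# .htaccess dropped into the Textpattern admin directory (e.g. /textpattern/)
# Apache only honours these directives if the enclosing <Directory> has
# AllowOverride AuthConfig (or All); otherwise they are silently ignored,
# so check with a request to the directory after installing the file.
AuthType Basic
AuthName "Textpattern admin"
# Placeholder path for this example; keep the password file OUTSIDE the web root
# so it can never be served as a static file.
AuthUserFile /home/example/private/.htpasswd
Require valid-user
```

Create the password file with `htpasswd -c /home/example/private/.htpasswd admin` (add `-B` for bcrypt on Apache 2.4), then confirm the gate works: `curl -I https://example.com/textpattern/` should answer `401 Unauthorized`, and the same request with `-u admin:...` should get through. Two caveats a practitioner will want: Basic auth only encodes the credentials, it does not encrypt them, so serve the admin directory over HTTPS; and the rule gates only requests to that directory, so anything reachable through the public front end of the site is unaffected. It is a bridge to 4.4.0, not a substitute for it.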
#19 2011-05-26 22:30:32
- gomedia
- Plugin Author
- Registered: 2008-06-01
- Posts: 1,373
Re: [mention] Summary of Recent Textpattern Security Issues (Upgrade to 4.4.0 ASAP!)
Thanks Neal, it’s much appreciated. I’ll do that before my portfolio of websites is “tested”.
Just as an aside, how about if the TXP admin interface automatically alerted users to things like this?
So when you log in, you get a “for your eyes only” message from the TXP Mothership – something along the lines of “Psst, I’ve noticed a big hole in your tradesman’s, so you’d better upgrade sharpish!”
That way:
- we don’t need to have a street party to advertise vulnerabilities
- we can target TXP admin users who don’t lead such sad lives that they check Google Reader before the BBC
Re: [mention] Summary of Recent Textpattern Security Issues (Upgrade to 4.4.0 ASAP!)
Damn, the Neal thanked in the commit messages was that Neal, from that blog (nice blog btw). Great findings Neal. Big hug — I mean really manly handshake to you man :)
gomedia wrote:
This is all great stuff but shouldn’t we be careful that we’re not broadcasting a “come & hack me” message with posts like this. After all, it’s easy to find out if a website is running TXP …
Well, the stuff is already publicly available in the public repo (not to overuse the word public, hah). I see nothing wrong with discussing most of this. Don’t forget that Neal didn’t reveal the information, but privately reported it to the devs (Robert), which is exactly what should have been done.
Re: [mention] Summary of Recent Textpattern Security Issues (Upgrade to 4.4.0 ASAP!)
There is always a concern when security issues come up over how and when to publicize them. It seems pretty obvious in retrospect that Neal alerted the developers, gave them a chance to work on the problems and get 4.4.0 out, let everyone put it through testing and let all the people who are naturally hesitant to upgrade get a chance to see that things have gone okay, and now Neal has actually released what he has found to give the naturally hesitant another incentive. This is exactly how this sort of thing should work when adults act responsibly.
The fact is, the vulnerabilities were always there and are still there on any pre-4.4.0 install. Hoping that only Neal and the developers know about them can only last so long. If you haven’t upgraded yet, you should. If you get hacked and haven’t upgraded, you probably won’t know if it is the information that was just revealed or an evildoer discovering it independently.
I haven’t installed a non-point release version of Textpattern in years but I fully intend to asap.
p.s. When things calm down a little, perhaps a blog post similar to this one…
Last edited by michaelkpate (2011-05-27 00:10:58)