Textpattern CMS support forum
#1 2012-08-27 06:49:58
- wet
- Developer
- From: Lenzing, Austria
- Registered: 2005-06-06
- Posts: 3,267
- Website
Feedback to: Textpattern 4.5.0 released
Please provide any feedback related to Textpattern 4.5.0 released.
Me | f/rwetzlmayr | Repos
Offline
#2 2012-08-27 08:58:39
- argi
- Plugin Author
- Registered: 2012-06-17
- Posts: 8
- Website
Re: Feedback to: Textpattern 4.5.0 released
A small change in version number, but a giant leap for Textpattern! The biggest thing since the early days of this CMS.
Offline
#3 2012-08-27 11:50:54
- kees-b
- Member
- From: middelburg, nl
- Registered: 2004-03-03
- Posts: 234
- Website
Re: Feedback to: Textpattern 4.5.0 released
Looking very good!
On my textdrive lifetime joyent shared accelerator json is missing, at least at my server kemp.joyent.us which throws up an error at the bottom when logged in: Fatal error: Call to undefined function json_encode()
Thanks for all your good work!
Kees
Offline
#4 2012-08-27 13:06:58
- SuMu
- Member
- From: Germany - Wuppertal
- Registered: 2008-03-06
- Posts: 242
- Website
Re: Feedback to: Textpattern 4.5.0 released
I updated 3 blogs and it seems to work fine so far! :-)
Offline
#5 2012-08-27 13:32:41
- Gocom
- Plugin Author
- From: Helsinki, Finland
- Registered: 2006-07-14
- Posts: 4,533
- Website
Re: Feedback to: Textpattern 4.5.0 released
kees-b wrote:
at least at my server kemp.joyent.us which throws up an error at the bottom when logged in: Fatal error: Call to undefined function json_encode()
Why would someone compile PHP without JSON? That’s strange as hell, it’s almost guaranteed that something breaks if you do so. Sure there are a few exploits for it on its earlier versions for 5.2, but none of those are critical as in allowing injections or arbitrary executions.
Anyways, you should update/recompile PHP tho if it’s missing. Otherwise you get those fatals and JavaScript issues. At least you will not see translation strings in JavaScript based dialogs and such, which is what json_encode is primarily used for.
Last edited by Gocom (2012-08-27 13:35:49)
Offline
#6 2012-08-27 14:03:30
- colak
- Admin
- From: Cyprus
- Registered: 2004-11-20
- Posts: 7,368
- Website
Re: Feedback to: Textpattern 4.5.0 released
kees-b wrote:
Looking very good!
On my textdrive lifetime joyent shared accelerator json is missing, at least at my server kemp.joyent.us which throws up an error at the bottom when logged in: Fatal error: Call to undefined function json_encode()
Hi Kees
It’s fine on north. My high diagnostics read json/1.2.1
Edit. Updated one of our sites without any visible problems.
I know that this is not the thread for this but are there any plans for an update for postmaster?
Last edited by colak (2012-08-27 14:49:40)
Yiannis
——————————
neme.org | hblack.net | LABS | State Machines | Respbublika! | NeMe @ github
Offline
#7 2012-08-27 14:56:25
- ruud
- Developer emeritus
- From: a galaxy far far away
- Registered: 2006-06-04
- Posts: 5,068
- Website
Re: Feedback to: Textpattern 4.5.0 released
weblog says:
Textpattern 4.5.0 fixes three XSS security vulnerabilities which would allow maleficent attackers to gain administrative access to the site by tricking a legitimate publisher into clicking on a carefully crafted link. We thank Mauro Gentile, Jonathan Claudius, and Sasha Zivojinovic for their responsible disclosure of these issues. An update is highly recommended.
history.txt says:
- Security: Admin-side disallows framing, sends “X-Frame-Options: SAMEORIGIN” header.
- Security: The ‘txp_login’ cookie is set with a ‘HttpOnly’ attribute.
- Security: Fixed a persistent XSS vulnerability in Textile discovered by Mauro Gentile.
- Security: Fixed a XSS vulnerability in the setup process discovered by Jonathan Claudius of Trustwave SpiderLabs.
- Security: Fixed a persistent XSS vulnerability in the access log panel discovered by Sasha Zivojinovic.
- Bug and security fixes
Is it possible to get more information about the impact of the various security vulnerabilities, including the ones that are listed under “bug and security fixes”? In which situations should users upgrade ASAP?
- every textpattern install
- only if you have comments enabled
- only if you have multiple authors and don’t really trust them all.
- only if you use RPC?
- … and what is the impact of each of the vulnerabilities (worst case)?
- etc.
I’m asking because I have to upgrade a few TXP installs that are highly customized, but which do not require the new features in TXP 4.5. So if I don’t have to upgrade now for security reasons, I can schedule it for some other time in the future or perhaps even wait for 4.6.
Offline
#8 2012-08-27 15:10:30
- wet
- Developer
- From: Lenzing, Austria
- Registered: 2005-06-06
- Posts: 3,267
- Website
Re: Feedback to: Textpattern 4.5.0 released
You should update if one of these applies:
- Visitor logs are enabled and admin-side users are possibly following the recorded referrer links.
- Comments are enabled and not reviewed for malicious HTML prior to making them public.
- Untrusted authors.
- Textpattern is uploaded into a publicly accessible web location without a completed setup.
We have not had to fix any issues with the RPC server or other components besides Textile, the visitor log panel and the setup procedure.
These are your options if you do not want to upgrade a site to Textpattern 4.5 but gain the security benefits from this release:
- You can use Textile 2.4.1 as a drop-in replacement for older Textpattern installs.
- You are advised to remove the whole setup folder once installation is completed, and of course you are not advised to keep an older uninstalled version of Textpattern lying around in a publicly accessible location.
- You can turn off visitor logs and/or carefully inspect all recorded referrer locations (or just drop them completely).
Me | f/rwetzlmayr | Repos
Offline
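The three hardening measures listed in the history.txt excerpt above (X-Frame-Options header, HttpOnly login cookie, escaping of recorded referrers before they reach the access log panel), and the mitigation wet describes for sites that keep visitor logs on, shown as an added plain-PHP illustration. This is not Textpattern's own code; the function names, the `$secure` parameter and the sample referrers are assumptions constructed for the example.

```php
<?php
// Added illustration, not Textpattern code. Each function mirrors one entry
// from the 4.5.0 history.txt so an admin can recognise the measure on an
// older install.

// 1. "Admin-side disallows framing": X-Frame-Options tells the browser not to
//    render this page inside a frame on another origin (clickjacking defence).
function send_admin_security_headers()
{
    if (!headers_sent()) {
        header('X-Frame-Options: SAMEORIGIN');
    }
}

// 2. "txp_login cookie is set with HttpOnly": script injected through an XSS
//    cannot read an HttpOnly cookie via document.cookie. The seventh
//    setcookie() argument is the HttpOnly flag (PHP 5.2+).
//    $secure is an assumption; pass true when the admin side is served over HTTPS.
function set_login_cookie($value, $lifetime, $secure = false)
{
    return setcookie('txp_login', $value, time() + $lifetime, '/', '', $secure, true);
}

// 3. "Persistent XSS in the access log panel": a recorded referrer is
//    attacker-controlled input taken from the Referer header. Escape it before
//    it is echoed into the admin page, and only turn it into a link when it
//    parses as http(s); anything else is shown as inert text.
function render_referrer($referrer)
{
    $safe   = htmlspecialchars($referrer, ENT_QUOTES, 'UTF-8');
    $parts  = parse_url($referrer);
    $scheme = (is_array($parts) && isset($parts['scheme'])) ? strtolower($parts['scheme']) : '';

    if ($scheme === 'http' || $scheme === 'https') {
        return '<a href="' . $safe . '">' . $safe . '</a>';
    }

    return $safe;
}

// Constructed sample referrers, as a visitor log might store them: one normal,
// one carrying markup, one with a non-http scheme. None survive escaping as
// active content.
$samples = array(
    'http://example.org/page?x=1',
    '"><b>markup in referrer</b>',
    'javascript:void(0)',
);

send_admin_security_headers();
foreach ($samples as $ref) {
    echo render_referrer($ref), "\n";
}
```

On an install that cannot be upgraded yet, the referrer escaping is the piece that matters for wet's first bullet: if visitor logs stay enabled, every referrer value must pass through `htmlspecialchars()` (with `ENT_QUOTES`) before it is rendered in the admin panel, and the log panel should not emit links for schemes other than http and https.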
#9 2012-08-27 15:40:32
- kees-b
- Member
- From: middelburg, nl
- Registered: 2004-03-03
- Posts: 234
- Website
Re: Feedback to: Textpattern 4.5.0 released
Gocom wrote:
Why would someone compile PHP without JSON. That’s strange as hell, it’s almost guaranteed that something breaks if you do so. Sure there are few exploits for it on its earlier versions for 5.2, but none of those are critical as in allowing injections or arbitrary executions.
From diagnostics:
PHP version: 5.3.5
PHP extensions: Core/5.3.5, date/5.3.5, ereg, libxml, openssl, pcre, sqlite3/0.7-dev, ctype, fileinfo/1.0.5-dev, filter/0.11.0, hash/1.0, SPL/0.2, session, Reflection/$Revision: 305605 $, standard/5.3.5, SimpleXML/0.1, Phar/2.0.1, tokenizer/0.1, xml, xmlreader/0.1, xmlwriter/0.1, cgi-fcgi, gd, iconv, mbstring, mcrypt, mysql/1.0, mysqli/0.1
Very strange indeed – no json.
Ticket sent to joyent support.
-k
Last edited by kees-b (2012-08-27 15:43:26)
Offline
#10 2012-08-27 15:55:59
- colak
- Admin
- From: Cyprus
- Registered: 2004-11-20
- Posts: 7,368
- Website
Re: Feedback to: Textpattern 4.5.0 released
I just did a fresh install and found sbl.spamhaus.org in advanced preferences. Doesn’t this always cause problems? Shouldn’t we delete/disable it by default?
Yiannis
——————————
neme.org | hblack.net | LABS | State Machines | Respbublika! | NeMe @ github
Offline