Corrected Security Patches released for v2.1.4, v2.2.3, and v2.3.1

Thursday, November 13, 2014 Tags: patch, release, bugs

(Updated patches are available for download - you may also pull from the 'master' repository!) After a number of false starts, we've finally fixed a security issue (identified by Mayuresh Dani and Narendra Shinde from qualys.com) in our current release and some of our older versions, and now have patches available to fix this specific issue:

  • !!! Fixes cross-site security issue

The v2.1.4 patch #6 download is found at http://sourceforge.net/projects/exponentcms/files/exponent-2.1.4-patch-6.zip/download.
The v2.2.3 patch #9 download is found at http://sourceforge.net/projects/exponentcms/files/exponent-2.2.3-patch-9.zip/download.

In addition to this fix, several other fixes are included in patch #4 to v2.3.1, found at http://sourceforge.net/projects/exponentcms/files/exponent-2.3.1-patch-4.zip/download.

v2.3.1 patch #4 fixes these issues in v2.3.1:

  • !!! Fixes cross-site security issue
  • Re-introduces old (0.9x) theme compatibility if OLD_THEME_COMPATIBLE constant is set in the theme config.php settings file
  • Fixes issue where IE fixes would be applied since they were loaded before the stylesheets
  • Fixes issue with possible mangled meta tags (due to bad user input)
  • Fixes issue where message queue wasn't always displayed
  • Fixes issue in a dropdown control where both 'blank item' and 'no items' would be listed
  • Fixes shipping/billing calculator upgrade script to run on all upgrades
  • Updates removal of some old libraries left in after upgrade from v2.3.0 to v2.3.1
  • Adds comment to .htaccess file to help with issues running from subfolder
  • Fixes bad refs for .htaccess error documents
  • Fixes some issues saving bootstraptheme/bootstrap3theme theme configuration setting changes
  • Fixes display of showlogin view for bootstrap3
  • Fixes bad closing tag on new 'message' smarty function
  • Fixes issue where the MOTD item's 'any month' setting was not allowed
  • Fixes expSession to deal with mangled $user session variable
  • Fixes expUtil::browser() method to work w/ php v5.2.1
  • Fix for possible database manager write error reporting 'Invalid CSRF token'
  • More graceful exit from an upgrade if the database is down
  • Fixes styling of DataTables Tabletools for non-bootstrap views
  • Now allows sorting by 'is admin' for manage user view
  • Fixes issue w/ CKEditor (only elFinder support fixed) where image size didn't appear in the insert image dialog after file selection; now also transfers 'alt' from the file manager

Please do NOT install v2.3.1 Patch #1/#2/#3, v2.2.3 Patch #6/#7/#8, nor v2.1.4 Patch #3/#4/#5!  They may cause WYSIWYG text to become garbled when saving (on a server with php versions less than v5.4.0 with 'magic quotes' turned on), and would strip scripts when saving a Code Snippet module.  We have recently released a universal (server) fix for these versions.