Corrected Security Patches released for v2.1.4, v2.2.3, and v2.3.1
(Updated patches are available for download - you may also pull from the 'master' repository!) After a number of false starts, we've finally fixed a security issue (identified by Mayuresh Dani and Narendra Shinde from qualys.com) in our current release and some of our older versions, and now have patches available to fix this specific issue:
- !!! Fixes cross-site security issue
The v2.1.4 patch #6 download is found at http://sourceforge.net/projects/exponentcms/files/exponent-2.1.4-patch-6.zip/download.
The v2.2.3 patch #9 download is found at http://sourceforge.net/projects/exponentcms/files/exponent-2.2.3-patch-9.zip/download.
In addition to this fix, several other fixes are included in patch #1 to v2.3.1 found at http://sourceforge.net/projects/exponentcms/files/exponent-2.3.1-patch-4.zip/download.
v2.3.1 patch #4 fixes these issues in v2.3.1:
- !!! Fixes cross-site security issue
- Re-introduces old (0.9x) theme compatibility if OLD_THEME_COMPATIBLE constant is set in the theme config.php settings file
- Fixes issue where IE fixes would be applied since they were loaded before the stylesheets
- Fixes issue with possible mangled meta tags (due to bad user input)
- Fixes issue where message queue wasn't always displayed
- Fixes issue in a dropdown control where both 'blank item' and 'no items' would be listed
- Fixes shipping/billing calculator upgrade script to run on all upgrades
- Updates removal of some old libraries left in after upgrade from v2.3.0 to v2.3.1
- Adds comment to .htaccess file to help with issues running from subfolder
- Fixes bad refs for .htaccess error documents
- Fixes some issues saving bootstraptheme/bootstrap3theme theme configuration setting changes
- Fixes display of showlogin view for bootstrap3
- Fixes bad closing tag on new 'message' smarty function
- Fixes issue where the MOTD item's 'any month' setting was not allowed
- Fixes expSession to deal with mangled $user session variable
- Fixes expUtil::browser() method to work w/ php v5.2.1
- Fix for possible database manager write error reporting 'Invalid CSRF token'
- More graceful exit from an upgrade if the database is down
- Fixes styling of DataTables Tabletools for non-bootstrap views
- Now allows sorting by 'is admin' for manage user view
- Fixes issue w/ CKEditor (only elFinder support fixed) where image size didn't appear in insert image dialog after file selection, now also transfers 'alt' from file manager
Please do NOT install v2.3.1 Patch #1/#2/#3, v2.2.3 Patch #6/#7/#8, nor v2.1.4 Patch #3/#4/#5! They may cause WYSIWYG text to become garbled when saving (on a server with PHP versions below v5.4.0 with 'magic quotes' turned on), and would strip scripts when saving a Code Snippet module. We have recently released a universal (server) fix for these versions.
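The garbling described above comes from double escaping: with magic_quotes_gpc turned on, PHP (before v5.4) already adds backslashes to every incoming request value, and an application that escapes the value again before saving ends up storing the extra backslashes, with more added on every resave. The following is an added illustration, not code from the Exponent CMS patches or from the project's universal fix; the function names are hypothetical, addslashes() stands in for whatever database escaper the application uses, and the only real PHP API relied on is get_magic_quotes_gpc(), which exists on PHP 5.x, always returns false from v5.4 on, and was removed in PHP 8 (hence the function_exists() guard).

```php
<?php
// Added illustration (not Exponent CMS code): why saving text on a PHP < 5.4
// server with magic_quotes_gpc=On garbles it, and one defensive normalization
// step. All function names here are hypothetical; PHP 5-compatible syntax.

// Emulates what magic_quotes_gpc does to every incoming GET/POST/COOKIE value.
function emulate_magic_quotes($raw)
{
    return addslashes($raw);
}

// A typical save path: the application escapes the value itself before
// building the SQL string. addslashes() is a stand-in for a DB escaper.
function escape_for_storage($value)
{
    return addslashes($value);
}

// The database undoes exactly one level of escaping when it stores the value.
function store_in_db($escaped)
{
    return stripslashes($escaped);
}

// Defensive step: undo magic quotes before the application sees the data,
// so each value is escaped exactly once. Recurses through nested arrays.
function strip_magic_quotes($value, $magic_quotes_on)
{
    if (!$magic_quotes_on) {
        return $value;
    }
    if (is_array($value)) {
        $clean = array();
        foreach ($value as $key => $item) {
            $clean[$key] = strip_magic_quotes($item, true);
        }
        return $clean;
    }
    return stripslashes((string) $value);
}

// Answers "does this server add magic quotes?" on PHP 5.x through 8.x.
function magic_quotes_enabled()
{
    return function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
}

// Constructed sample input, as a user might type it into a WYSIWYG editor.
$original = "It's a \"quoted\" text with a backslash \\";

// Save once on an affected server without normalization: the stored value
// keeps the backslashes magic quotes inserted.
$received = emulate_magic_quotes($original);
$stored   = store_in_db(escape_for_storage($received));

// Save again (the editor reloads and resaves): the damage accumulates.
$stored2 = store_in_db(escape_for_storage(emulate_magic_quotes($stored)));

// With normalization, the stored value matches what the user typed.
$fixed = store_in_db(escape_for_storage(strip_magic_quotes($received, true)));

echo "original:    $original\n";
echo "without fix: $stored\n";
echo "second save: $stored2\n";
echo "with fix:    $fixed\n";
var_dump($fixed === $original);
```

In a real request handler the normalization would run once at bootstrap over $_GET, $_POST and $_COOKIE with strip_magic_quotes($_POST, magic_quotes_enabled()), so that the rest of the application can escape values exactly once regardless of the server's magic_quotes_gpc setting.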