Saturday 26 March 2011 by
Textpattern CMS 4.4.0 is immediately available for download and we strongly recommend that you upgrade. This release fixes several important security vulnerabilities that have recently been discovered. We advise that you are fully logged out of TXP before commencing this upgrade.
Bouncer at the door
If you are running an Apache web server, rename the .htaccess-dist file in the /files directory to .htaccess to prohibit direct URL access to your files; the only route to those files then becomes /file_download. Note that an .htaccess file only takes effect if your Apache configuration allows overrides (AllowOverride) for that directory, so confirm the block by requesting a file by its direct URL after the change. We recommend you consider employing this feature or, if you are running a non-Apache web host or simply want to be extra cautious, that you move your /files directory out of a web-accessible location. Once moved, you can tell Textpattern of your new directory location from Advanced Prefs.
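As an added example for this page (not Textpattern's own code), the following script performs the rename above and then classifies a files directory the way an upgrade checklist would: moved outside the document root (safe on any server), inside the root but carrying an .htaccess (only effective on Apache with AllowOverride), or inside the root with nothing protecting it. The directory layout it builds under a temporary directory is constructed for the demonstration; the .htaccess-dist contents are a placeholder, since the check only cares that the file exists.

```python
import tempfile
from pathlib import Path


def files_dir_is_web_accessible(docroot, files_dir):
    """True if files_dir lies inside the web server's document root."""
    docroot = Path(docroot).resolve()
    files_dir = Path(files_dir).resolve()
    return docroot == files_dir or docroot in files_dir.parents


def enable_htaccess(files_dir):
    """The rename from the release notes: .htaccess-dist -> .htaccess.

    Returns 'renamed', 'already' (an .htaccess is already there, left untouched)
    or 'missing' (no .htaccess-dist shipped in this directory).
    """
    d = Path(files_dir)
    dist, live = d / ".htaccess-dist", d / ".htaccess"
    if live.exists():
        return "already"
    if not dist.exists():
        return "missing"
    dist.rename(live)
    return "renamed"


def audit_files_dir(docroot, files_dir):
    """Classify a files directory for the upgrade checklist.

    'outside'  : not under the docroot, so no URL can reach it (any web server)
    'htaccess' : under the docroot but has an .htaccess (Apache + AllowOverride only)
    'exposed'  : under the docroot with no .htaccess; direct URLs will serve files
    """
    if not files_dir_is_web_accessible(docroot, files_dir):
        return "outside"
    if (Path(files_dir) / ".htaccess").is_file():
        return "htaccess"
    return "exposed"


def demo():
    """Constructed layout: htdocs/files/ ships only .htaccess-dist, as a fresh
    install would. Walk through audit -> rename -> audit, then check a directory
    moved next to the docroot (the layout one commenter below recommends)."""
    root = Path(tempfile.mkdtemp())
    docroot = root / "htdocs"
    files = docroot / "files"
    files.mkdir(parents=True)
    # Placeholder content; the real file's directives come from the distribution.
    (files / ".htaccess-dist").write_text("# constructed placeholder\n")
    before = audit_files_dir(docroot, files)
    action = enable_htaccess(files)
    after = audit_files_dir(docroot, files)
    moved = root / "htdocs-files"
    moved.mkdir()
    return before, action, after, audit_files_dir(docroot, moved)


if __name__ == "__main__":
    print(demo())
```

The classifier cannot see the Apache configuration, so a result of 'htaccess' still needs the live check: fetch a known file by its /files/ URL and confirm you get a 403 rather than the file.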
If your name’s not down you’re not coming in
Previously, people with privileges set to ‘None’ could still log in; they simply saw ‘Restricted area’ on every tab. Now they are not permitted entry at all.
One of TXP’s functions was susceptible to being called without enforcing proper user permissions. There were also a few places in the code where the user name and some page names were not properly escaped so obscure names with odd characters in them could cause errors. These issues have all now been closed.
Even though we have tightened security in this release, we do urge you to review your user accounts and make sure that current and future users are only granted sufficient privileges to perform their assigned administration role(s). Every account is a potential entry point for any system, and Textpattern is no different: reduce your attack surface by granting lower permissions first and only elevating them after rigorous consideration.
In other words: traffic might need to flow both ways on Trust Street, but there’s no harm in giving TXP priority over oncoming vehicles :-)
What’s the password?
We have relied on MySQL’s PASSWORD() function for a long time now. MySQL themselves do not recommend this: the function exists for the server’s own account system, and as a fast, unsalted hash it is poorly suited to storing application passwords. Moving forward to TXP 5, our goal is also to open up the avenue for using other databases, so relying on MySQL here is counter to that philosophy. We have therefore taken the step of implementing phpass from this point forward.
This has the implication that passwords are now case sensitive. Your existing passwords will be upgraded to phpass automatically on first login. Again, we strongly recommend that you are fully logged out of TXP before commencing the upgrade so that your account is treated to the upgrade when you log back in.
After upgrade, remember that existing accounts will only be migrated to phpass on that user’s successful login so, until then, they will still be using MySQL passwords. Please advise your less frequent users to log in as soon as possible.
One other password-related improvement: programmers may now call txp_validate() with an extra parameter signifying if you are “just testing” the password or “actually logging in”. This allows you to write code to check passwords using the built-in function without triggering a login.
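The migrate-on-login flow described in the last three paragraphs, as an added example written for this page and not Textpattern's own code: a user store seeded with hashes in the shape MySQL's PASSWORD() produces (an asterisk followed by 40 hex characters of SHA1(SHA1(password))), a salted and iterated hash standing in for phpass (PBKDF2-HMAC-SHA256 here, because phpass's portable format is not in Python's standard library), and a validate() that mirrors the 'just testing' flag of txp_validate(). It assumes the old scheme lower-cased the password before hashing, which is one way to produce the case-insensitivity the notes imply; the real pre-4.4.0 storage may differ. The user names and passwords are constructed.

```python
import hashlib
import hmac
import os

# Legacy scheme: MySQL 4.1+ PASSWORD() output is "*" + HEX(SHA1(SHA1(pw))).
# ASSUMPTION for this example: the old application lower-cased the password
# before hashing, which is what would make old-style logins case-insensitive.
def legacy_mysql_password(password):
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def legacy_verify(password, stored):
    candidate = legacy_mysql_password(password.lower())  # see assumption above
    return hmac.compare_digest(candidate, stored)


def is_legacy(stored):
    return stored.startswith("*") and len(stored) == 41


# Replacement scheme: per-user random salt plus a deliberately slow KDF.
# PBKDF2-HMAC-SHA256 stands in for phpass; the format is this example's own.
PBKDF2_ROUNDS = 100_000


def new_hash(password, rounds=PBKDF2_ROUNDS):
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return "$pbkdf2-sha256$%d$%s$%s" % (rounds, salt.hex(), dk.hex())


def new_verify(password, stored):
    try:
        _, scheme, rounds, salt_hex, dk_hex = stored.split("$")
        if scheme != "pbkdf2-sha256":
            return False
        dk = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(rounds)
        )
    except ValueError:  # malformed record: wrong field count, bad hex or rounds
        return False
    return hmac.compare_digest(dk.hex(), dk_hex)


def validate(users, name, password, just_testing=False):
    """Check a name/password pair against the store and return True or False.

    A legacy hash is verified with the old scheme and, on a real login (not a
    'just testing' call), replaced with a new-scheme hash of the password as
    typed. From then on the account is case sensitive, as the notes say.
    """
    row = users.get(name)
    if row is None:
        return False
    if is_legacy(row["pass"]):
        ok = legacy_verify(password, row["pass"])
        if ok and not just_testing:
            row["pass"] = new_hash(password)
        return ok
    return new_verify(password, row["pass"])


def unmigrated_users(users):
    """Accounts still on the legacy hash: the 'less frequent users' to chase."""
    return sorted(n for n, r in users.items() if is_legacy(r["pass"]))


def make_sample_store():
    """Constructed store: two accounts as the old code would have written them."""
    return {
        "editor": {"pass": legacy_mysql_password("secret")},
        "occasional": {"pass": legacy_mysql_password("letmein")},
    }


if __name__ == "__main__":
    users = make_sample_store()
    print(unmigrated_users(users))
    print(validate(users, "editor", "Secret"))   # migrates on success
    print(unmigrated_users(users))
    print(validate(users, "editor", "secret"))   # now case sensitive
```

The 'just testing' path deliberately leaves the stored hash alone: a password-strength check or a re-authentication prompt should not be the event that rewrites a credential record.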
On guard
This release also mops up some bits and pieces that snuck into 4.3.0. Namely:
- a few places that still used deprecated attributes, mostly in the tag builder
- some Textile security fixes
- a bug in <txp:variable /> when dealing with empty values
- search engines shouldn’t index ‘Nice try’ messages any more
- messy mode context and get_pref() bugs squashed
jQuery has also been upgraded to 1.5.1.
We are indebted to Neal Poole for highlighting the security implications in the previous release; without his well-presented advice and hard work we wouldn’t have been able to improve things so quickly. Thank you.
So without any further ado, please take the time to upgrade your sites to TXP 4.4.0 and enjoy another fine release in the Textpattern family.


Thanks a lot Decs :)
26 Mar 11
Pat64
Wonderful, thanks for this release.
26 Mar 11
Marc Carson
Thanks~
27 Mar 11
evansdiy
Thank you!
27 Mar 11
cellfourteen
Nice list of fixes! Still waiting for new TXP5!
27 Mar 11
victor
Great! With the help of old school wget, unzip and ‘cp * -r’ the successful update from 4.3.0 only took about two minutes.
I also took the chance to push the ‘extension DB Backup path’ to a not web accessible location which worked without trouble.
For a better overview I would simply recommend to change the /htdocs/website_root/files to /htdocs/website_root-files if running the site on apache.
27 Mar 11
Markus Merz | Hamburg St. Georg
How to deal with media players? How to preserve authors’ copyrights and still let public visitors listen to audio, video clips and playlists without downloading the media file?
27 Mar 11
Vladas
Waiting for new TXP5 too!
28 Mar 11
zhuaxiaomao
Thank you!
28 Mar 11
Shumomer
Thanks Stef!
28 Mar 11
Viking KARWUR
Upgraded! Thanks, Team Textpattern. :)
28 Mar 11
Willie
Thank you :)
28 Mar 11
vincenzo
Good work, team – thank you from Abingdon, UK!
30 Mar 11
Pete
Upgraded! Nice work!
30 Mar 11
Staminic
Cheese!
31 Mar 11
Guillaume Stricher
Good work, thank you!
The security of Textpattern always lets me sleep well.
31 Mar 11
Philipp Schilling
Well. Thank you!
A fine step forward!
01 Apr 11
Marco
Passwords were not case sensitive before 4.4.0? What the heck? That was an unpleasant surprise for me.
02 Apr 11
cxn
Awesome work, thanks, I’ll give it a whirl…
03 Apr 11
Maurice
Something is wrong with the download link:
<li><a href=“http://textpattern.com/file_download/66/textpattern-4.4.0.tar.gz&”>textpattern-4.4.0.tar.gz</a></li>
…..&….
06 Apr 11
zhuaxiaomao
I was thinking that this update would have fixed this when saving an article:
Deprecated: Function split() is deprecated in /mywebroot/textpattern/lib/classTextile.php on line 617
We’re running PHP 5.3 and now Textpattern 4.4
11 Apr 11
Nate
Keep up the good work! Thank you very much for the release. : )
14 Apr 11
Sencer
THANK you to all devs and contributors. I really MUST look at my RSS feeds more often, didn’t even know 4.4.0 was out!
Brilliant!
14 Apr 11
Alan
Thanks for the great work!
But hey, the fox_code plugin seems to have stopped working after the upgrade.
Not sure if anyone else has the same problem
29 Apr 11
Manet