Textpattern CMS 4.4.1 released: security upgrade
Saturday 18 June 2011 by
People that sail in the murky waters of the Internet know it has its share of predators looking to train their harpoons on unsuspecting software. Please welcome Textpattern CMS 4.4.1 into dock, which adds some much-needed bolts to the hull entrance.
Textpattern CMS 4.4.1 is immediately available for download and we strongly recommend that you upgrade. This release fixes several further security vulnerabilities that have recently been unearthed.
Sea-surf… but we have no beach?!
All versions prior to TXP 4.4.1 were open to CSRF attacks; pronounced sea-surf. While it’s out of scope in this article to discuss what makes up such an attack, it generally works by tricking a logged-in user into clicking something (e.g. an
<img> tag which isn’t an actual image). This link secretly accesses something on the admin side using the current logged-in user’s credentials and performs some action — submits an article, deletes something, whatever. If the user in question is an admin, the potential for damage is high.
To combat this, we now use unique tokens passed in each admin-side form and AJAX request to ensure that the request originated on the admin side from the correct form. Any jiggery pokery results in failure for the attacker and a typically TXPish message.
This release also introduces a new security privilege
image.create.trusted which prohibits untrusted users from uploading SWF images to the Images tab.
Boogie boards for developers
Plugin authors can take advantage of the new token system in their plugins through use of the exposed API functions:
Check the source code for usage. The other common API functions for generating forms and links have also been upgraded so any plugins that use these functions are automatically protected.
And for those that just snorkel
The latest jQuery 1.6.1 is included with this release, Textile, phpass and timezone-related warnings have been addressed, spellchecking support in textareas has been improved, the Install Textpack box has been tweaked, and the
<txp:file_download_size /> tag has been fixed and improved from an i18n and l10n standpoint. Translators please note that a host of new strings have been added to cater for the size units (
units_b for bytes,
units_k for kilobytes, and so on).
While this release may not seem like a huge deal from the surface, don’t let looks fool you: upgrades are highly recommended to keep your Textpattern sites safe from Internet-based submarines and script kiddie torpedoes.
Thanks yet again to Neal Poole for his diligent efforts at exposing the weaknesses in the CMS and reporting them to us in such detail that allowed Robert (wet) to fix them in a very short time frame.
So hoist the sails and enjoy this fine release inside the far less sinkable HMS Textpattern.