Textpattern CMS 4.4.1 released: security upgrade

People that sail in the murky waters of the Internet know it has its share of predators looking to train their harpoons on unsuspecting software. Please welcome Textpattern CMS 4.4.1 into dock, which adds some much-needed bolts to the hull entrance.

Textpattern CMS 4.4.1 is immediately available for download and we strongly recommend that you upgrade. This release fixes several further security vulnerabilities that have recently been unearthed.

Download

  • Single-site install version, Zip format. File size: 484 kB
  • Multi-site install version, Gzip format. File size: 429 kB

Sea-surf… but we have no beach?!

All versions prior to TXP 4.4.1 were open to CSRF attacks; pronounced sea-surf. While it’s out of scope in this article to discuss what makes up such an attack, it generally works by tricking a logged-in user into clicking something (e.g. an <img> tag which isn’t an actual image). This link secretly accesses something on the admin side using the current logged-in user’s credentials and performs some action—submits an article, deletes something, whatever. If the user in question is an admin, the potential for damage is high.

To combat this, we now use unique tokens passed in each admin-side form and AJAX request to ensure that the request originated on the admin side from the correct form. Any jiggery pokery results in failure for the attacker and a typically TXPish message.

This release also introduces a new security privilege image.create.trusted which prohibits untrusted users from uploading SWF images to the Images tab.
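As an added illustration of the privilege described above (example code, not Textpattern's own), the following gate recognises Flash content by its magic bytes instead of trusting the file extension or the client-supplied MIME type, and only lets it through when the user holds image.create.trusted. The helper names, the user array layout and the way the privilege is looked up are assumptions for the example; it assumes the caller has already checked the ordinary image-upload privilege.

```php
<?php
// Added example (not Textpattern's own code): refuse SWF uploads from users
// who lack the image.create.trusted privilege, detecting SWF by content.
declare(strict_types=1);

// Hypothetical privilege lookup; Textpattern's real one is assumed, not shown.
function example_has_priv(array $user, string $priv): bool
{
    return in_array($priv, $user['privs'], true);
}

// SWF files begin with "FWS" (uncompressed), "CWS" (zlib) or "ZWS" (LZMA),
// whatever extension or Content-Type the upload claims.
function example_is_swf(string $bytes): bool
{
    return strlen($bytes) >= 3
        && in_array(substr($bytes, 0, 3), ['FWS', 'CWS', 'ZWS'], true);
}

// Returns true if the upload may proceed to the Images tab.
function example_allow_image_upload(array $user, string $fileBytes): bool
{
    if (example_is_swf($fileBytes)) {
        return example_has_priv($user, 'image.create.trusted');
    }
    return true; // ordinary image: base upload privilege already checked by caller
}

// Constructed sample inputs: a PNG signature, and an uncompressed SWF header
// that an attacker might upload under an image-looking filename.
$png = "\x89PNG\r\n\x1a\n";
$swf = "FWS\x0a" . str_repeat("\0", 8);

$trusted   = ['name' => 'admin',  'privs' => ['image.create.trusted']];
$untrusted = ['name' => 'author', 'privs' => []];

$cases = [
    ['trusted user, SWF',   $trusted,   $swf, true],
    ['untrusted user, SWF', $untrusted, $swf, false],
    ['untrusted user, PNG', $untrusted, $png, true],
];
foreach ($cases as [$label, $user, $bytes, $expected]) {
    $got = example_allow_image_upload($user, $bytes);
    printf("%-20s => %s%s\n", $label, $got ? 'allowed' : 'rejected',
        $got === $expected ? '' : '  (UNEXPECTED)');
}
```

Checking the leading bytes matters because a browser or Flash plugin decides what a file is from its content, not its extension, so a `.jpg` that really begins with `FWS` would still execute as Flash from the site's origin.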

Boogie boards for developers

Plugin authors can take advantage of the new token system in their plugins through use of the exposed API functions:

  • bouncer()
  • form_token()
  • tInput()

Check the source code for usage. The other common API functions for generating forms and links have also been upgraded so any plugins that use these functions are automatically protected.
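To make the token scheme described in the two sections above concrete, here is an added example (not Textpattern's own code, and not the real bouncer(), form_token() or tInput()): a minimal per-session anti-CSRF token that is generated once, embedded in every admin-side form as a hidden input, and checked on submission with a constant-time comparison. The function names, the `_txp_token` field name and the array standing in for `$_SESSION` are all assumptions made for the example.

```php
<?php
// Added example (not Textpattern's own code): a minimal per-session CSRF
// token scheme. Function names here are hypothetical and do not match
// Textpattern's bouncer()/form_token()/tInput().
declare(strict_types=1);

// Stand-in for $_SESSION so the example runs from the command line.
$session = [];

// Issue (or reuse) the session's anti-CSRF token: 32 random bytes, hex-encoded.
function example_form_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Emit the hidden input that every admin-side form must carry.
function example_token_input(array &$session): string
{
    $token = example_form_token($session);
    return '<input type="hidden" name="_txp_token" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '" />';
}

// Gatekeeper: the request is accepted only if it carries the session's token.
// hash_equals() avoids leaking the token through timing differences.
function example_bouncer(array $session, array $request): bool
{
    $expected = $session['csrf_token'] ?? '';
    $given    = $request['_txp_token'] ?? '';
    if ($expected === '' || !is_string($given)) {
        return false;
    }
    return hash_equals($expected, $given);
}

function example_report(string $label, bool $got, bool $expected): void
{
    printf("%-18s %s%s\n", $label, $got ? 'accepted' : 'rejected',
        $got === $expected ? '' : '  (UNEXPECTED)');
}

// 1. The admin side renders a form; the token is now bound to this session.
$html  = example_token_input($session);
$token = $session['csrf_token'];

// 2. A legitimate submission echoes the token back from the rendered form.
example_report('legitimate form', example_bouncer($session,
    ['_txp_token' => $token, 'Title' => 'Hello']), true);

// 3. A forged request (for instance one triggered by an <img> on a third-party
//    page) rides on the victim's cookies but cannot read the token, so it
//    arrives without one or with a guess.
example_report('forged, no token', example_bouncer($session,
    ['Title' => 'Pwned']), false);
example_report('forged, guessed', example_bouncer($session,
    ['_txp_token' => str_repeat('0', 64)]), false);
```

The same check applies to AJAX requests: the client reads the token from the page it was served with and sends it along, so a cross-origin page that merely carries the victim's cookies still fails the comparison. Tokens should be tied to the session (and regenerated on login) rather than to a global value.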

And for those that just snorkel

The latest jQuery 1.6.1 is included with this release, Textile, phpass and timezone-related warnings have been addressed, spellchecking support in textareas has been improved, the ‘Install Textpack’ box has been tweaked, and the <txp:file_download_size /> tag has been fixed and improved from an i18n and l10n standpoint. Translators please note that a host of new strings have been added to cater for the size units (units_b for bytes, units_k for kilobytes, and so on).

Up periscope

While this release may not seem like a huge deal from the surface, don’t let looks fool you: upgrades are highly recommended to keep your Textpattern sites safe from Internet-based submarines and script kiddie torpedoes.

Thanks yet again to Neal Poole for his diligent efforts at exposing the weaknesses in the CMS and reporting them to us in such detail that Robert (wet) was able to fix them in a very short time frame.

So hoist the sails and enjoy this fine release inside the far less sinkable HMS Textpattern.

Comments

  1. Thank you, guys, for crushing the icebergs :)

  2. Updated. No problems. Congratulations to the dev team.

  3. Thanks!

  4. Does the .htaccess file in the root of Textpattern have something updated, or can I just skip uploading that to the server? (I’ve tweaked the .htaccess and wouldn’t like to break custom stuff.)

  5. On one of my sites all the admin-side menus that are opened by clicking a link won’t work at all. So at the moment I can’t set an image to article, edit meta information or modify the publishing time of an article. Any ideas how to fix this?

  6. Thanks!

  7. Update for my previous comment: Menu links seem to work fine now. The problem might have been simply because Firefox wanted to be restarted. :-)

  8. I’ve just updated. Everything went smoothly. Cheers Stef and team!

  9. Many thanks to Stef and the rest of the TXP dev team. It’s still my CMS of choice for most projects, and very pleased to see it continue to develop.

  10. I would like to donate to experts who patch Textpattern security vulnerabilities. How can I do that?

    P.S. I still remember the good old happy days when the Security related section on the Textpattern home page stated that there were no known vulnerabilities in the software.

  11. So how exactly is password hashing implemented right now? Is it like SHA256?

  12. Sorry, typo. Is it like SHA256 (SALT + PASSWORD)?

  13. Good Luck!
