The diligent Textpattern CMS community are always testing our content management system, not only for its feature set but for its robustness and security. The Textpattern development team prefer to receive security and vulnerability notifications through our official security@textpattern.com contact channel so we can acknowledge the enquiry, investigate the report, and subsequently update Textpattern if required. This route is preferable to immediate public disclosure, which carries the inherent risk of potentially compromising existing users in a zero-day scenario. For further details on reporting security issues in Textpattern, please refer to our security policy.
We thoroughly appreciate every effort in providing us with the details of security vulnerabilities, and actively encourage responsible disclosure.
Security concerns not considered to be exploits
There are some types of exploit that we do not classify as such because of the nature of the product. We have outlined them below, and this article will be updated from time to time.
- Article content can include XSS payload
- Links can be created and followed
- Malicious files may be uploaded to Textpattern
Firstly, it is important to understand that:
Textpattern is a content management system suited to help authors write articles for the web. These articles may contain HTML, CSS, and JavaScript. Textpattern uses a tried-and-tested, multi-level user privilege system to ensure that no unauthorized or untrusted author is able to publish arbitrary content in the context of the managed site.
Textpattern articles can also include PHP code, but only if the site administrator chooses to enable this feature on a sitewide basis. This feature is disabled by default. HTML, CSS and JavaScript content is permitted in any Textpattern article.
1. Article content can include XSS payload
A proof of concept (PoC) for this type of exploit requires the author to have at least Staff Writer privileges. Author privileges are assigned by the site’s administrator exercising their “Publisher” or “Managing Editor” capacity. Administrators are advised not to assign “Staff Writer” privileges to untrusted authors but rather constrain them to the more restricted “Freelancer” privilege level.
Thus, we do not consider the ability for such users to craft malicious content inside an article – and have that content display when viewed – as an exploitable vulnerability. The ability to publish content of varying MIME types for the web, while exerting strict user privilege constraints, is one of Textpattern’s core features. It is implicit that the site administrator trusts such users to compose valid, error-free content for publication.
Should a user violate this trust, an administrator can immediately lower or revoke their permissions, preventing them from publishing further. Existing articles and/or associated files, images and links can also be purged.
2. Links can be created and followed
When logged in as a user with Copy Editor privileges or higher, a link can be crafted from the Content->Links panel that contains executable JavaScript or a link to third-party, potentially questionable endpoints.
As above, the ability for content publishers to create links is a trusted action by site administrators. It is not considered a vulnerability, but a core feature. Any content author who violates this trust bond may have their access rights reduced or revoked at the discretion of the site administrator, and affected articles – along with the associated links – can be removed.
3. Malicious files may be uploaded to Textpattern
From the Content->Files panel, it is possible for users with Staff Writer privileges or higher to upload files that may be served to site visitors or downloaded by other administrators.
The ability to upload files is a privilege granted by site administrators to trusted members of their site or content team. It is not considered a vulnerability, but a core feature to allow authors to upload and attach files for public consumption. Any content author who violates this trust and uploads malicious or harmful content may have their access rights reduced or revoked by a site administrator. Associated files can be removed.
Further security considerations
Textpattern is a secure platform upon which to build your websites or applications, and efforts are made to ensure that it resists attacks from vectors that affect many PHP/MySQL systems. Parts of Textpattern’s core code are accessible to plugin authors and theme developers so they may augment or alter functionality to enhance or customize its power. Textpattern plugin code is available to be inspected prior to installation so administrators can verify and/or audit its suitability prior to installing. Plugin authors are responsible for the functionality or their plugins, and accordingly any issues relating to plugins should be raised with the respective author.
To shield your web server further, you may investigate Web Application Firewalls (WAFs) and related technologies as part of a more general security policy. WAFs use behavioural rules at the web server layer that may be tweaked to restrict the type or nature of actions that may be performed when interacting with your websites, whether they run on Textpattern or other platforms. Two well-known WAFs are ModSecurity for the Apache web server and Naxsi for Nginx. The suitability, deployment and maintenance of a WAF or similar is left as an exercise for the reader. If you have concerns about your web server security at a more general level, please contact your webmaster or hosting organisation directly.
Reporting security issues
If you wish to report a security vulnerability or potential exploit in Textpattern, or are unsure whether your security issue falls within the above points, please submit a security report as detailed on the contact page. Thank you!
