Critical Security Patch For Mura CMS

A critical security flaw has been discovered affecting all versions of Mura CMS older than version 5.2.2809. We strongly encourage all Mura CMS administrators to update their Mura CMS core to the latest version. You can do so by following these steps:

1. Login to the Mura admin with an account that has super user rights.

2. Once logged in, click the "Site Settings" Link located in the top right of the Mura CMS admin screens.

3. On the main "Site Settings" page, which shows the list of all sites currently running in your Mura CMS instance, click "Update Core Files to Latest Version".

4. Click "Reload Application" in the Mura CMS admin left module nav.

Updating your Mura CMS to the latest release will fully eliminate this vulnerability.

If you are not able to use the Mura CMS auto-updater, or you have an older version of Mura CMS without the updater, you can manually apply the patch in a few easy steps by downloading the applicable files listed below:

Sava 5 Security Patch

Mura 5.1 Security Patch

Mura 5.2 Security Patch

This security vulnerability can expose private information to unauthenticated users, and we strongly advise all Mura CMS users to update to the latest Mura CMS release as soon as possible.

Many thanks to stratsec researchers Rohan Stelling and Steven Seeley for their help in identifying this vulnerability, and for working directly with us to provide the information we needed to fix the issue. stratsec specializes in providing information security consulting and testing services for government and commercial clients. More info about stratsec can be found at their website - www.stratsec.net

Comments

Patrick Desroches

I updated the core and now nothing is working.

I restored the admin and requirements folder.

Now the admin works and shows version: Core Version 5.2.2831

The front end is not working. I get :

Could not find the ColdFusion Component or Interface mura.event.

September 15, 2010, 8:25 AM
Matt Levine

Edit your root Application.cfc and comment out the include to /config/appcfc/onError_method.cfm

At that point you should see a different error. Can you post your response in the forum.

Thanks,

Matt

September 15, 2010, 9:17 AM
Mike

This is probably as much an issue of working in a shared environment (hosting.com) as anything. But after updating my "fileManager.cfc" file, and then clicking on the "reload the application" link in the left module nav, I get what is basically a timeout error:

Message    SeeFusion terminated request: Page Time at 51089ms >= limit of 50000ms (rule "latentpages")

StackTrace    com.seefusion.SeeFusionKillError: SeeFusion terminated request: Page Time at 51089ms >= limit of 50000ms (rule "latentpages") at com.seefusion.rd.e(rd.java:313) at

etc...

So I may not be able to re-load my site in this environment. But relevant to the security patch, the new "fileManager.cfc" file won't be used if I can't reload the application, right?

September 16, 2010, 2:40 AM
Kamil

After manually replacing fileManager.cfc, I get the following error:

The configuration variable cffm.includeDir does not contain a valid directory on this server.

September 16, 2010, 4:07 AM
Matt Levine

The fileManager.cfc is what Mura uses to manage files that are used in the site manager. It does not have anything to do with the file manager tool that super users can access on the left module nav.

The error you are reporting has been reported before, but I have never been able to reproduce it. Can you give more details?

September 16, 2010, 4:14 AM
Kamil

I can provide you with a super admin and FTP access. Please send me an email.

Thanks.

September 16, 2010, 4:31 AM
Matt Levine

@Kamil

Can you send it via our contact form?

September 16, 2010, 6:13 AM
Kamil

@Matt

Just sent.

September 16, 2010, 7:08 AM