Important Security Patch available for Mura CMS - Update Now!

We just learned about a significant security vulnerability in Mura CMS, and have released a patch that eliminates the problem. It's important that everyone update their Mura installations ASAP to avoid a potential compromise. 

The vulnerability could allow a remote attack that uploads malicious files to the server. As far as we know, your site is only vulnerable if you have "Enable Public Registrations" (Site Settings => Extranet => Allow Public Site Registration) turned on. You are not at risk from this vulnerability if this setting is not enabled.

However, whether you have this setting enabled or are simply running an older version of Mura CMS, we recommend, as always, that everyone update their Mura CMS site to the latest release.

To secure your server immediately and prevent problems, the fastest and best thing to do is to manually update a single file on your Mura installation(s).

After manually updating, you will need to reload Mura so that the new file is loaded.

You can also use the auto-updater to patch your server, but as always, be sure to back up your files and database beforehand. It's probably best to update your server manually, and then perform an auto-update when you're fully prepared. You should also check all your Mura sites to confirm that the "Enable Public Registrations" setting is NOT enabled unless you need it for your site (see image below). 

[Image: Mura CMS Extranet Settings]

We're disappointed in the security researcher who publicly released information about this vulnerability without contacting us directly, but our response time (a patch available in just a couple of hours) shows how seriously we take web security.

Comments

Jamie Jackson

Thanks for the quick response.

Please also post if there are any telltale signs of compromise, if known.

January 29, 2014, 7:19 AM
Juan Aguilar

Way to go to the Blue River team in getting this patched so promptly.

January 29, 2014, 9:46 AM
Peter Boughton

Line 536 errors with "Can't cast String [] to a boolean" on Railo.

January 29, 2014, 12:19 PM
Matt Levine

Can you post this to the Google group and include the Mura version that you are updating?

Also, it's important to note that you can not patch your instance and simply make sure that every site has its Site Settings => Extranet => Allow Public Site Registration set to false.

https://groups.google.com/forum/#!forum/mura-cms-developers

January 29, 2014, 4:17 PM
Jason Steinshouer

I tried to manually update our 6.0 and 5.6 instances but received an error after reloading. I then did an auto update of the core files and it updated to 6.1. I didn't catch the error, but I will try to replicate from my backup so I can post the actual error we received.

January 29, 2014, 1:36 PM
Matt Levine

Can you post this to the Google group and include the Mura version that you are updating?

Also, it's important to note that you can not patch your instance and simply make sure that every site has its Site Settings => Extranet => Allow Public Site Registration set to false.

https://groups.google.com/forum/#!forum/mura-cms-developers

January 29, 2014, 4:19 PM