Important Security Patch available for Mura CMS - Update Now!
We just learned about a significant security vulnerability in Mura CMS, and have released a patch that eliminates the problem. It's important that everyone update their Mura installations ASAP to avoid a potential compromise.
The vulnerability allows a remote attacker to upload malicious files to the server. As far as we know, your site is only vulnerable if "Enable Public Registrations" (Site Settings => Extranet => Allow Public Site Registration) is turned on; if this setting is not enabled, you are not at risk from this vulnerability.
If you do have this setting enabled, or you are simply running an older version of Mura CMS, we recommend, as always, that you update your Mura CMS site to the latest release.
In order to immediately secure your server, and prevent problems, the fastest and best thing to do is to manually update a single file on your Mura installation(s).
- For Mura CMS 6.1, please download this file, and use it to replace the current file on your server:
blueriver/MuraCMS/master/requirements/mura/Handler/standardEventsHandler.cfc
- For Mura CMS 6.0, please download this file, and use it to replace the current file on your server:
blueriver/MuraCMS/6.0/requirements/mura/Handler/standardEventsHandler.cfc
- For Mura CMS 5.X, please download this file, and use it to replace the current file on your server:
blueriver/MuraCMS/5.x/requirements/mura/Handler/standardEventsHandler.cfc. NOTE: Older installations of Mura CMS (5.2-5.5) should be upgraded to 5.6 if at all possible prior to adding this patch.
After manually updating you will need to reload Mura in order for the new file to be loaded.
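The manual procedure above (replace one file, keep a backup, then reload Mura) is easy to get slightly wrong on a box with several installs, so here is an added example of scripting it. This is not code from the advisory or from the Mura CMS project; it assumes you have already downloaded the patched standardEventsHandler.cfc for your Mura version to a local path, that each install's webroot contains requirements/mura/Handler/standardEventsHandler.cfc, and that you run it as a user allowed to write to the webroot. The function names are our own.

```shell
#!/bin/sh
# Added example, not part of the Mura CMS advisory or the Mura project.
# Replace requirements/mura/Handler/standardEventsHandler.cfc in one or more
# Mura installs with an already-downloaded patched copy, keeping a timestamped
# backup and verifying the result. Assumption: PATCHED_FILE was downloaded from
# the release branch matching your Mura version (6.1 / 6.0 / 5.x).
set -eu

HANDLER_REL_PATH="requirements/mura/Handler/standardEventsHandler.cfc"

# Usage: apply_mura_patch <mura_root> <patched_file>
# Returns 0 when the live handler matches the patched copy afterwards (whether
# it was just replaced or was already patched), non-zero on any sanity failure.
apply_mura_patch() {
    mura_root=$1
    patched=$2
    target="$mura_root/$HANDLER_REL_PATH"

    # Refuse to run against the wrong directory: no handler means no Mura root.
    if [ ! -f "$target" ]; then
        echo "ERROR: $target not found; is $mura_root really a Mura CMS root?" >&2
        return 1
    fi
    # Refuse a missing or empty download; a failed download must never replace
    # a working file.
    if [ ! -s "$patched" ]; then
        echo "ERROR: patched file $patched is missing or empty" >&2
        return 1
    fi
    # Idempotent: nothing to do if the live file is already the patched version.
    if cmp -s "$target" "$patched"; then
        echo "OK: $target already matches the patched file"
        return 0
    fi

    # Keep the original so the change can be reverted and the old file kept
    # as evidence if the server turns out to have been probed already.
    backup="$target.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$target" "$backup"
    echo "Backed up current handler to $backup"

    # Copying onto the existing file keeps its mode and owner, so the CFML
    # engine can still read it after the swap.
    cp "$patched" "$target"

    # Verify the copy actually landed before claiming success.
    if ! cmp -s "$target" "$patched"; then
        echo "ERROR: $target does not match $patched after copy" >&2
        return 1
    fi
    echo "Patched $target. Reload Mura so the new handler is loaded."
    return 0
}

# Patch several installs in one go; set -e stops at the first failure so a
# bad root or bad download does not silently leave some sites unpatched.
# Usage: apply_mura_patch_all <patched_file> <mura_root>...
apply_mura_patch_all() {
    patched=$1
    shift
    for root in "$@"; do
        apply_mura_patch "$root" "$patched"
    done
}
```

Run it as `apply_mura_patch_all /path/to/standardEventsHandler.cfc /var/www/site1 /var/www/site2` and then reload each Mura application as described above; running it a second time is a harmless no-op, which makes it safe to re-run after the auto-updater has also been used.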
You can also use the auto-updater to patch your server, but as always, be sure to back up your files and database beforehand. It's probably best to update your server manually, and then perform an auto-update when you're fully prepared. You should also check all your Mura sites to confirm that the "Enable Public Registrations" setting is NOT enabled unless you need it for your site (see image below).
We're disappointed in the security researcher who publicly released information about this vulnerability without contacting us directly, but our response time (patch available in just a couple of hours) shows how seriously we take web security.