
Mura CMS XSS Vulnerability Fix

Some XSS vulnerabilities were recently uncovered in Mura CMS that pose a medium-level security risk. They have been fixed as of version 5.1.967, which we have just posted.

If you have a recent download of Mura and have not made any changes directly to the default display objects, you may be able to simply go to your site's settings form and click the "Update Site Files to Latest Version" link. We strongly recommend backing up your site's siteID directory prior to doing so.

For everyone else, you can either download the updated files directly from the repository or make the quick adjustments to the files listed below.

DSP_LOGIN

Replacement File

/default/includes/display_objects/dsp_login.cfm

Manual Update

In both the "Login" form (line 80) and the "Send Login" form (line 104), replace:

<input type="hidden" name="linkServID" value="#request.linkServID#" /><input type="hidden" name="returnURL" value="#request.returnURL#" />

With

<input type="hidden" name="linkServID" value="#HTMLEditFormat(request.linkServID)#" /><input type="hidden" name="returnURL" value="#HTMLEditFormat(request.returnURL)#" />


DSP_EDIT_PROFILE

Replacement File

/default/includes/display_objects/dsp_edit_profile.cfm

Manual Update

On line 214 replace:

<input type="hidden" name="returnURL" value="#request.returnURL#" />

With

<input type="hidden" name="returnURL" value="#HTMLEditFormat(request.returnURL)#" />


SEND TO FRIEND

Replacement File

/default/includes/display_objects/sendtofriend/index.cfm

Manual Update

On line 68 replace:

<input type="hidden" name="link" value="#url.link#">

With

<input type="hidden" name="link" value="#HTMLEditFormat(url.link)#">

And on line 83 replace:

<input type="hidden" name="siteID" value="#request.siteID#">

With

<input type="hidden" name="siteID" value="#HTMLEditFormat(request.siteID)#">


DSP_COMMENTS

Replacement File

/default/includes/display_objects/dsp_comments.cfm

Manual Update

On line 200 replace:

href="javascript:noSpam('#listFirst(rsComments.email,'@')#','#listlast(rsComments.email,'@')#')"

With

href="javascript:noSpam('#listFirst(htmlEditFormat(rsComments.email),'@')#','#listlast(HTMLEditFormat(rsComments.email),'@')#')"
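Every manual update above is the same change: a CFML interpolation written into an HTML attribute is wrapped in HTMLEditFormat. If you have customised copies of these display objects, the following script, an added example that is not part of Mura or this post, is a heuristic audit for that pattern: it reports every #expr# inside a double-quoted attribute value whose expression never calls HTMLEditFormat (CFML function names are case-insensitive, so htmlEditFormat and HTMLEditFormat both count). The sample template, file name and function names are constructed for the demonstration.

```python
"""Audit CFML templates for interpolations inside HTML attribute values that
are not passed through HTMLEditFormat, the pattern fixed in Mura 5.1.967.
Heuristic helper, not part of Mura: it only looks at double-quoted attribute
values, which is how the affected display objects write their inputs."""
import re
import sys
from pathlib import Path

# attr="..." with the attribute value captured; the affected templates put no
# double quotes inside these values, so [^"]* is sufficient here.
ATTR = re.compile(r'\b([A-Za-z][A-Za-z0-9-]*)\s*=\s*"([^"]*)"')
# One CFML interpolation, #expr#, inside the attribute value.
INTERP = re.compile(r'#([^#]+)#')
# Case-insensitive: CFML treats htmlEditFormat and HTMLEditFormat the same.
ESCAPED = re.compile(r'\bhtmleditformat\s*\(', re.I)


def find_unescaped(cfml, filename="<string>"):
    """Return (filename, line, attribute, expression) for each interpolation
    inside an attribute value whose expression never calls HTMLEditFormat."""
    findings = []
    for lineno, line in enumerate(cfml.splitlines(), 1):
        for attr, value in ATTR.findall(line):
            for expr in INTERP.findall(value):
                if not ESCAPED.search(expr):
                    findings.append((filename, lineno, attr, expr.strip()))
    return findings


def audit_paths(paths):
    """Collect findings for each .cfm file under the given files/directories."""
    findings = []
    for root in paths:
        p = Path(root)
        for f in ([p] if p.is_file() else p.rglob("*.cfm")):
            findings.extend(find_unescaped(f.read_text(errors="replace"), str(f)))
    return findings


# Constructed sample mixing pre-fix and post-fix lines from this advisory.
SAMPLE = """\
<input type="hidden" name="linkServID" value="#request.linkServID#" />
<input type="hidden" name="returnURL" value="#HTMLEditFormat(request.returnURL)#" />
<a href="javascript:noSpam('#listFirst(rsComments.email,'@')#','#listlast(rsComments.email,'@')#')">mail</a>
<a href="javascript:noSpam('#listFirst(htmlEditFormat(rsComments.email),'@')#','#listlast(HTMLEditFormat(rsComments.email),'@')#')">mail</a>
"""

if __name__ == "__main__":
    hits = audit_paths(sys.argv[1:]) if len(sys.argv) > 1 else find_unescaped(SAMPLE, "sample.cfm")
    for filename, lineno, attr, expr in hits:
        print(f"{filename}:{lineno}: {attr}= interpolates #{expr}# without HTMLEditFormat")
```

Run it with the paths of your siteID directories to list candidate lines; each hit still needs a human check, since the script does not know which variables carry user-controlled input.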