
Mura CMS XSS Vulnerability Fix

Some XSS vulnerabilities were recently uncovered in Mura CMS that pose a medium-level security risk. They have been fixed as of version 5.1.967, which we have just posted.

If you have a recent download of Mura and have not made any changes directly to the default display objects, you may be able to simply go to your site's settings form and click the "Update Site Files to Latest Version" link. We strongly recommend backing up your site's siteID directory before doing so.

Everyone else can either download the updated files directly from the repository or make the quick adjustments to the files listed below.

DSP_LOGIN

Replacement File

/default/includes/display_objects/dsp_login.cfm

Manual Update

In both the "Login" form (line 80) and the "Send Login" form (line 104), replace:

<input type="hidden" name="linkServID" value="#request.linkServID#" /><input type="hidden" name="returnURL" value="#request.returnURL#" />

With

<input type="hidden" name="linkServID" value="#HTMLEditFormat(request.linkServID)#" /><input type="hidden" name="returnURL" value="#HTMLEditFormat(request.returnURL)#" />


DSP_EDIT_PROFILE

Replacement File

/default/includes/display_objects/dsp_edit_profile.cfm

Manual Update

On line 214 replace:

<input type="hidden" name="returnURL" value="#request.returnURL#" />

With

<input type="hidden" name="returnURL" value="#HTMLEditFormat(request.returnURL)#" />


SEND TO FRIEND

Replacement File

/default/includes/display_objects/sendtofriend/index.cfm

Manual Update

On line 68 replace:

<input type="hidden" name="link" value="#url.link#">

With

<input type="hidden" name="link" value="#HTMLEditFormat(url.link)#">

And on line 83 replace:

<input type="hidden" name="siteID" value="#request.siteID#">

With

<input type="hidden" name="siteID" value="#HTMLEditFormat(request.siteID)#">


DSP_COMMENTS

Replacement File

/default/includes/display_objects/dsp_comments.cfm

Manual Update

On line 200 replace:

href="javascript:noSpam('#listFirst(rsComments.email,'@')#','#listlast(rsComments.email,'@')#')"

With

href="javascript:noSpam('#listFirst(htmlEditFormat(rsComments.email),'@')#','#listlast(HTMLEditFormat(rsComments.email),'@')#')"
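As an added illustration, not code from Mura or from this post: a Python simulation of the hidden-input rendering before and after the HTMLEditFormat fix, plus a hypothetical audit helper that scans CFML source for interpolations inside attribute values that are not wrapped in HTMLEditFormat(). The names html_edit_format, render_hidden, parsed_value, find_unescaped_attr_output and SAMPLE_CFML are all constructed here.

```python
import re
from html.parser import HTMLParser

# Mirrors ColdFusion's HTMLEditFormat(): escapes &, <, > and the double
# quote, the characters that can close an attribute or open a tag.
def html_edit_format(value: str) -> str:
    return (value.replace("&", "&amp;").replace("<", "&lt;")
                 .replace(">", "&gt;").replace('"', "&quot;"))

# Renders the hidden input from the post the way the template does,
# before (fixed=False) and after (fixed=True) the HTMLEditFormat fix.
def render_hidden(name: str, value: str, fixed: bool) -> str:
    shown = html_edit_format(value) if fixed else value
    return f'<input type="hidden" name="{name}" value="{shown}" />'

class _FirstTag(HTMLParser):
    def __init__(self):
        super().__init__()
        self.attrs = {}
    def handle_starttag(self, tag, attrs):
        if not self.attrs:
            self.attrs = dict(attrs)

# The value attribute as a browser's parser sees it: only the encoded
# rendering gives back the original string unchanged.
def parsed_value(html: str):
    parser = _FirstTag()
    parser.feed(html)
    return parser.attrs.get("value")

ATTR_RE = re.compile(r'\b[\w-]+\s*=\s*"([^"]*)"')
INTERP_RE = re.compile(r"#([^#]+)#")
# Hypothetical audit helper (not part of Mura): flags each #expr# inside a
# double-quoted attribute value that is not wrapped in HTMLEditFormat().
def find_unescaped_attr_output(cfml: str):
    findings = []  # (line number, expression) pairs
    for lineno, line in enumerate(cfml.splitlines(), start=1):
        for attr in ATTR_RE.finditer(line):
            for expr in INTERP_RE.finditer(attr.group(1)):
                if "htmleditformat(" not in expr.group(1).lower():
                    findings.append((lineno, expr.group(1)))
    return findings

# Constructed sample: an unfixed line, a fixed line, and the unfixed
# noSpam() link from dsp_comments.cfm.
SAMPLE_CFML = """\
<input type="hidden" name="linkServID" value="#request.linkServID#" />
<input type="hidden" name="returnURL" value="#HTMLEditFormat(request.returnURL)#" />
<a href="javascript:noSpam('#listFirst(rsComments.email,'@')#','#listlast(rsComments.email,'@')#')">mail</a>
"""
```

Running the audit over a site's other display objects is a quick way to confirm no similar unencoded output was missed.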

Comments

Steve Withington

FYI, when I use the updater link function, both core and site files update to version 5.1.965 instead of 5.1.967.

October 30, 2009, 3:12 AM
Chris Woodson

I tried updating from version 5.1.912 and I get this error: "Invalid expression. [getproductiondata().number]" which occurs in autoUpdater.cfc

October 30, 2009, 3:18 AM
Matt Levine

@Steve

I forgot to change the production version to 5.1.967. If you try it now, it will work.

@Chris

What CFML compiler are you using?

October 30, 2009, 4:07 AM
Matt Levine

@Chris

Try replacing the "getProductionVersion" method in your current /requirements/mura/autoUpdater/autoUpdater.cfc with this:

<cffunction name="getProductionVersion" output="false">
   <cfset var data=getProductionData()>
   <cfreturn data.number>
</cffunction>

October 30, 2009, 4:26 AM
Matt Levine

You'll need to reload the app before you can test it.

October 30, 2009, 4:26 AM
Chris Woodson

I am running OpenBD 1.1 from VivioTech.net

Your fix didn't work. I get that data.number is an invalid expression.

I also just noticed that the core and site version numbers that are below the Admin left nav column have disappeared. This was there before I made the changes you suggested.

I originally downloaded version 5.1.854 and upgraded immediately to 5.1.912. Perhaps I should try installing fresh. I also had errors when adding the Soundings plugin from the App Store.

Thanks for the quick help!

Chris

October 30, 2009, 4:53 AM
Matt Levine

So now the question is what's being returned in the data? Could you try this:

<cffunction name="getProductionVersion" output="true">
   <cfset var data=getProductionData()>
   <cfdump var="#data#">
   <cfabort>
</cffunction>

October 30, 2009, 5:21 AM
Chris Woodson

Check your email, Matt. I sent over some information. Subject line: "Mura CMS autoUpdater Errors"

October 30, 2009, 7:09 AM
Chris

I am running 5.1.879. Is the best way to upgrade still this: http://docs.getmura.com/index.cfm/installation-set-up/upgrading-mura/ or is the auto update available now? I thought I saw that it was somewhere, but I can't remember.

November 4, 2009, 7:56 AM
Chris

Never mind, I found it. I am blind.

November 4, 2009, 7:57 AM
Matt Levine

If CF has write access, the best way to update the core is to use the auto updater.

For sites it depends. If you have put all your customizations in the following files and directories:

[siteid]/includes/contentRenderer.cfc
[siteid]/includes/eventHandler.cfc
[siteid]/includes/servlet.cfc
[siteid]/includes/templates
[siteid]/includes/themes
[siteid]/includes/display_objects/custom

then you can use the auto updater; otherwise I would manually implement the fixes as above.

The core auto updater is on the main site listing page, which you can find when you click the "site settings" link on the top right of the page.

The site updater can be found on the site's settings form.

November 4, 2009, 8:07 AM