Mura CMS XSS Vulnerability Fix
Some XSS vulnerabilities were recently uncovered in Mura CMS that pose a medium-level security risk. The vulnerabilities have been fixed as of version 5.1.967, which we have just posted.
If you have a recent download of Mura and have not made any changes directly to the default display objects, you may be able to simply go to your site's settings form and click the "Update Site Files to Latest Version" link. We strongly recommend backing up your site's siteID directory before doing so.
Everyone else can either download the updated files directly from the repository or make the quick adjustments to the files listed below.
DSP_LOGIN
Replacement File
/default/includes/display_objects/dsp_login.cfm
Manual Update
In both the "Login" form (line 80) and the "Send Login" form (line 104), replace:
<input type="hidden" name="linkServID" value="#request.linkServID#" />
<input type="hidden" name="returnURL" value="#request.returnURL#" />
With
<input type="hidden" name="linkServID" value="#HTMLEditFormat(request.linkServID)#" />
<input type="hidden" name="returnURL" value="#HTMLEditFormat(request.returnURL)#" />
DSP_EDIT_PROFILE
Replacement File
/default/includes/display_objects/dsp_edit_profile.cfm
Manual Update
On line 214 replace:
<input type="hidden" name="returnURL" value="#request.returnURL#" />
With
<input type="hidden" name="returnURL" value="#HTMLEditFormat(request.returnURL)#" />
SEND TO FRIEND
Replacement File
/default/includes/display_objects/sendtofriend/index.cfm
Manual Update
On line 68 replace:
<input type="hidden" name="link" value="#url.link#">
With
<input type="hidden" name="link" value="#HTMLEditFormat(url.link)#">
And on line 83 replace:
<input type="hidden" name="siteID" value="#request.siteID#">
With
<input type="hidden" name="siteID" value="#HTMLEditFormat(request.siteID)#">
DSP_COMMENTS
Replacement File
/default/includes/display_objects/dsp_comments.cfm
Manual Update
On line 200 replace:
href="javascript:noSpam('#listFirst(rsComments.email,'@')#','#listlast(rsComments.email,'@')#')"
With
href="javascript:noSpam('#listFirst(htmlEditFormat(rsComments.email),'@')#','#listlast(HTMLEditFormat(rsComments.email),'@')#')"
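Every fix above is the same change: the value is passed through HTMLEditFormat() before it is written into an HTML attribute. The following added example (not Mura's own code) models that function and the patched hidden-input template in Python, and checks that the attribute keeps exactly the value it was given once escaping is applied; the sample returnURL and the helper names are constructed for the illustration.

```python
import html
import re


def html_edit_format(value: str) -> str:
    """Python model of ColdFusion's HTMLEditFormat(): escapes the same four
    characters (& < > and the double quote). Single quotes are left untouched,
    so a value placed inside a single-quoted JavaScript string still needs
    JavaScript-string escaping on top of this."""
    return (value.replace("&", "&amp;")
                 .replace("<", "&lt;")
                 .replace(">", "&gt;")
                 .replace('"', "&quot;"))


def hidden_input(name: str, value: str, escape: bool) -> str:
    """Render one hidden input. escape=False mirrors the pre-fix template
    (#request.returnURL#), escape=True the fixed one (#HTMLEditFormat(...)#)."""
    rendered = html_edit_format(value) if escape else value
    return f'<input type="hidden" name="{name}" value="{rendered}" />'


def first_value_attribute(markup: str) -> str:
    """What a browser takes as the value attribute: everything up to the next
    double quote, with HTML entities decoded afterwards."""
    match = re.search(r'value="([^"]*)"', markup)
    return html.unescape(match.group(1)) if match else ""


def round_trips(value: str, escape: bool) -> bool:
    """True when the rendered attribute still carries exactly `value`; False
    when part of the value has spilled out of the attribute into the markup."""
    return first_value_attribute(hidden_input("returnURL", value, escape)) == value


# Constructed sample: a returnURL that contains a quote, an ampersand and angle brackets.
SAMPLE_URL = '/index.cfm?q="news"&section=<local>'

if __name__ == "__main__":
    for escape in (False, True):
        print(hidden_input("returnURL", SAMPLE_URL, escape))
        print("  attribute intact:", round_trips(SAMPLE_URL, escape))
```

With escape=False the attribute ends at the first embedded quote and the rest of the value becomes markup of its own; with escape=True the browser decodes the entities and sees the original string.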
Comments
- Steve Withington
FYI, when I use the updater link function, both core and site files update to version 5.1.965 instead of 5.1.967.
- October 30, 2009, 10:12 AM
- Chris Woodson
I tried updating from version 5.1.912 and I get this error: "Invalid expression. [getproductiondata().number]" which occurs in autoUpdater.cfc
- October 30, 2009, 10:18 AM
- Matt Levine
@Steve
I forgot to change the production version to 5.1.967. If you try it now it will work.
@Chris
What CFML compiler are you using?
- October 30, 2009, 11:07 AM
- Matt Levine
@Chris
Try replacing the "getProductionVersion" method in your current /requirements/mura/autoUpdater/autoUpdater.cfc with this:
<cffunction name="getProductionVersion" output="false">
<cfset var data=getProductionData()>
<cfreturn data.number>
</cffunction>
- October 30, 2009, 11:26 AM
- Matt Levine
You'll need to reload the app before you can test it.
- October 30, 2009, 11:26 AM
- Chris Woodson
I am running OpenBD 1.1 from VivioTech.net
Your fix didn't work. I get that data.number is an invalid expression.
I also just noticed that the core and site version numbers that are below the Admin left nav column have disappeared. This was there before I made the changes you suggested.
I originally downloaded version 5.1.854 and upgraded immediately to 5.1.912. Perhaps I should try installing fresh. I also had errors when adding the Soundings plugin from the App Store.
Thanks for the quick help!
Chris
- October 30, 2009, 11:53 AM
- Matt Levine
So now the question is what's being returned in the data? Could you try this:
<cffunction name="getProductionVersion" output="true">
<cfset var data=getProductionData()>
<cfdump var="#data#">
<cfabort>
</cffunction>
- October 30, 2009, 12:21 PM
- Chris Woodson
Check your email, Matt. I sent over some information. Subject line: "Mura CMS autoUpdater Errors"
- October 30, 2009, 2:09 PM
- Chris
I am running 5.1.879. Is the best way to upgrade still this: http://docs.getmura.com/index.cfm/installation-set-up/upgrading-mura/ or is the auto update available now? I thought I saw that it was somewhere, but I can't remember.
- November 4, 2009, 3:56 PM
- Chris
Nevermind, I found it. I am blind.
- November 4, 2009, 3:57 PM
- Matt Levine
If CF has write access the best way to update the core is to use the auto updater.
For sites it depends. If you have put all your customizations in the following files and directories:
[siteid]/includes/contentRenderer.cfc
[siteid]/includes/eventHandler.cfc
[siteid]/includes/servlet.cfc
[siteid]/includes/templates
[siteid]/includes/themes
[siteid]/includes/display_objects/custom
then you can use the auto updater; otherwise I would manually implement the fixes as above.
The core auto updater is on the main site listing page that you can find when you click the "site settings" link on the top right of the page.
The site updater can be found on the site's settings form.
- November 4, 2009, 4:07 PM