
Lanius CMS v0.5.2 release update (critical security fix)
Tuesday, 07 April 2009

Lanius CMS v0.5.2 release update

Users of Lanius CMS v0.5.2 r1041/r1050/r1094 must upgrade to v0.5.2 r1126 by applying this revision patch. The patch can be installed via the Install Patch feature; otherwise, simply copy the extracted files over the existing Lanius CMS installation (note: this patch is not necessary for the currently released v0.5.2 package).

Critical security bugfix

This patch addresses a critical security vulnerability in the upload feature of all Drake CMS >= v0.4.6 and Lanius CMS <= v0.5.2 r1050. You are strongly advised to apply the patch.

The bug allows an attacker to upload a custom script which could then be executed (on most environments). Lanius CMS v0.5.2 r1094 corrects the bug.

Many thanks to EgiX for discovering this bug and kindly reporting it to the Lanius CMS Team.

All users of previous versions of Lanius CMS are invited to upgrade in order to fix this security issue. The current Lanius CMS v0.5.2 installation package does not need to be patched.

Manual patch

If you want to apply a quick containment patch to v0.5.2 <= r1050 (revision 1050 and previous), edit includes/upload.php and modify line 66 this way:

    // basename() keeps only the final path component, discarding any
    // directory part of the client-supplied file name
    $thy_name = basename($_FILES[$elem]['name']);

Please apply the revision patch anyway as soon as possible.
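As an added illustration (not code from the Lanius CMS project), the following PHP function shows what the containment patch's basename() call does to a client-supplied name and then goes one step further than the patch by checking the resulting extension against an allow-list; the function name, the allow-list and the sample names are assumptions.

```php
<?php
// Added example, not Lanius CMS code: sanitise a client-supplied upload name
// the way the containment patch does, then apply an extension allow-list.
// The function name and the allow-list are assumptions for this example.

function sanitise_upload_name(string $client_name, array $allowed_ext): ?string
{
    // Step 1, the containment patch: basename() discards any directory
    // components the client sent, so "../../report.pdf" becomes "report.pdf".
    // Note: on Linux only "/" is a separator; backslashes are kept in the name.
    $thy_name = basename($client_name);

    // Step 2, beyond the patch: reject empty or dot-only names, NUL bytes,
    // and any extension not on the allow-list, so an uploaded script is
    // never stored under a name the web server would execute.
    if ($thy_name === '' || $thy_name === '.' || $thy_name === '..') {
        return null;
    }
    if (strpos($thy_name, "\0") !== false) {
        return null;
    }
    $ext = strtolower(pathinfo($thy_name, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed_ext, true)) {
        return null;
    }
    return $thy_name;
}

// Constructed sample inputs, as a client might send them in $_FILES[...]['name'].
$allowed = ['jpg', 'png', 'gif', 'pdf'];
$samples = [
    'report.pdf',        // accepted as-is
    '../../report.pdf',  // directory components stripped => "report.pdf"
    'photo.PNG',         // extension compared case-insensitively => accepted
    'notes.php',         // extension not on the allow-list => rejected
    'image.jpg.php',     // the last extension decides => rejected
];
foreach ($samples as $name) {
    $result = sanitise_upload_name($name, $allowed);
    printf("%-20s => %s\n", $name, $result === null ? 'REJECTED' : $result);
}
```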

Other fixes

  • fixed bug in image selection using FCKEditor
  • fixed bug about comments being searched even if not published
  • fixed crash when accessing weblink category in frontend
  • fixed crash when no categories are available in admin backend
  • fixed XMLRPC enable/disable code
  • less log lines for unauthorized forum profile views
  • fixed crash when entering frontpage manager when there are archived items
  • restored top toolbar in admin backend pages
  • fixed missing editor drabots activation in backend content editor
  • fixed hashcash headers generation
  • editor drabots also activated for body text
  • increased forum maximum wrapping limit
Last updated (Tuesday, 22 September 2009)