Lanius CMS v0.5.2 release update (security fix)
Written by legolas558
Tuesday, 22 September 2009


Users of Lanius CMS v0.5.2 r1041/r1050/r1094/r1126/r1249/r1277/r1475/r1660 must upgrade to v0.5.2 r1668 using this revision patch. The patch can be installed via the Install Patch feature; alternatively, simply copy the extracted files over the destination Lanius CMS installation. (Note: this patch is not necessary for the currently released v0.5.2.)

Medium risk vulnerability fixed

This patch addresses a medium risk vulnerability that affects all Drake CMS versions and all Lanius CMS versions prior to v0.5.2 r1668. You are strongly advised to apply the patch.

The vulnerability affects only installations where the wrapper drabot is enabled. An attacker can add wrapper syntax inside a content item; the reviewer might not recognize it, so the item is published as submitted. This is because a reviewer might not examine the XHTML source to spot such wrapper drabot inclusions, or might not know how the wrapper drabot works.

Lanius CMS v0.5.2 r1668 fixes the vulnerability by removing the wrapper syntax when the content item is saved (if the user is not a manager/administrator).

All users of previous versions of Lanius CMS are invited to upgrade in order to fix this security issue. The current Lanius CMS v0.5.2 r1668 installation package does not need to be patched.

Vulnerability containment

To quickly contain the vulnerability, disable the drabot wrapper. In addition, search all submitted content for drabot wrapper syntax that malicious users could previously have added to submitted content items.
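
The save-time fix and the containment search described above, sketched as an added example (not Lanius CMS code and not part of the original advisory). The advisory does not show the wrapper drabot syntax, so the `{wrapper ...}` pattern, the role names, the function names and the sample items are all constructed assumptions to be replaced with your installation's real values.

```php
<?php
// Added illustration, not Lanius CMS code. The advisory does not give the real
// wrapper drabot syntax: WRAPPER_PATTERN is a constructed placeholder to replace
// with the syntax your installation recognizes. Role names are assumptions too.
const WRAPPER_PATTERN = '/\{wrapper\b[^}]*\}/i';
const TRUSTED_ROLES = ['manager', 'administrator'];

// Save-time filter: strip wrapper syntax unless the author is trusted.
function filter_on_save(string $body, string $role): string
{
    if (in_array(strtolower($role), TRUSTED_ROLES, true)) {
        return $body;
    }
    // Repeat until stable: removing one match can join the text around it
    // into a new match, which a single pass would leave in place.
    do {
        $before = $body;
        $body = preg_replace(WRAPPER_PATTERN, '', $before);
        if ($body === null) {
            throw new RuntimeException('wrapper pattern failed; refusing to save');
        }
    } while ($body !== $before);
    return $body;
}

// Containment audit: report stored items that still contain wrapper syntax.
function audit_items(array $items): array
{
    $hits = [];
    foreach ($items as $item) {
        if (preg_match_all(WRAPPER_PATTERN, $item['body'], $m) > 0) {
            $hits[] = $item + ['matches' => $m[0]];
        }
    }
    return $hits;
}

// Constructed sample content items (not real data).
$items = [
    ['id' => 1, 'author_role' => 'registered', 'body' => '<p>Hello</p>'],
    ['id' => 2, 'author_role' => 'registered',
     'body' => '<p>News</p>{wrapper url=http://example.invalid/}'],
    ['id' => 3, 'author_role' => 'administrator',
     'body' => '<p>Docs</p>{wrapper url=http://docs.example.invalid/}'],
];
foreach (audit_items($items) as $hit) {
    $who = in_array($hit['author_role'], TRUSTED_ROLES, true) ? 'trusted' : 'UNTRUSTED';
    printf("item %d by %s author: %s\n", $hit['id'], $who, implode(' ', $hit['matches']));
}
echo filter_on_save($items[1]['body'], 'registered'), "\n";
```

Items reported with an untrusted author are the ones to examine first; the audit works on the stored XHTML source, which is where a reviewer looking only at the rendered item would miss the inclusion.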

Updating from Lanius CMS v0.5.2 r1475

A bug (issue 776) affecting only this version will prevent you from installing the patch through file upload. Please extract the revision patch contents into the Lanius CMS website or use the local/remote installation features.

Last updated ( Wednesday, 23 September 2009 )
 
