New Security Fixes Release 0.6175

by e107 in e107

This new release addresses multiple security exploits as reported by Secunia. You should upgrade your 0.6174 site with these new files immediately. All open security exploits on Secunia are patched by this release.

The same fixes have been applied to the .7 CVS tree, so anyone running .7 must also update their site with the latest files from CVS.

Download the update here

Please make sure you have downloaded and installed all patches to 0.617.

Update

The allowed upload file types system has been changed with this release. For security reasons, the list is no longer stored in the database; it is now stored in a flat file in the admin directory. When you upgrade your site, you will lose your current allowed file types settings. To restore them, rename the new file e107_admin/filetypes_.php to e107_admin/filetypes.php and add a comma-delimited list of allowed file type extensions to it. You should not allow the upload of .html, .txt, etc., as an attacker may upload a file of this type that includes malicious JavaScript. You should also, of course, not allow the upload of .php files or any other type of executable script. Please also check your e107_files/public/ directories and verify that the files there are legitimate.

I know this system change is a pain, but we felt this was the best way to ensure you are properly protected.
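The two checks described above (reviewing the allowed-extension list and verifying the files already in the upload directory) can be scripted. The following is an added example, not e107's own code: it assumes the list is plain comma-delimited text, the extra script extensions in RISKY are this example's choice, and the sample list and file names are constructed.

```python
import os
import tempfile

# Extensions the announcement warns against (.html, .txt, .php) plus other
# script types; the additional entries are this example's assumption.
RISKY = {".html", ".htm", ".txt", ".js", ".php", ".php3", ".phtml",
         ".pl", ".cgi", ".asp", ".sh"}

def parse_allowed(text):
    """Parse a comma-delimited extension list into a normalized set."""
    exts = set()
    for item in text.split(","):
        item = item.strip().lower()
        if item:
            exts.add(item if item.startswith(".") else "." + item)
    return exts

def risky_entries(allowed):
    """Allow-list entries that should be removed from the list."""
    return sorted(allowed & RISKY)

def audit_uploads(root, allowed):
    """Return (relative path, reason) for each uploaded file needing review."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            # Every dot-separated suffix, so "a.php.jpg" yields .php and .jpg
            parts = ["." + p.lower() for p in name.split(".")[1:]]
            final = parts[-1] if parts else ""
            if final not in allowed:
                findings.append((rel, "extension not allowed"))
            elif any(p in RISKY for p in parts):
                findings.append((rel, "risky extension in name"))
    return findings

def demo():
    """Run both checks against a constructed list and upload directory."""
    allowed = parse_allowed(".zip, .gz, jpg, .PNG, .gif, .txt")  # constructed
    with tempfile.TemporaryDirectory() as root:
        for name in ("photo.jpg", "notes.txt", "shell.php", "avatar.php.jpg", "README"):
            open(os.path.join(root, name), "w").close()
        return risky_entries(allowed), audit_uploads(root, allowed)

if __name__ == "__main__":
    bad, findings = demo()
    print("risky allow-list entries:", bad)
    for path, reason in findings:
        print(path, "->", reason)
```

To audit a real site, pass the path of its e107_files/public/ directory and the contents of its own list to audit_uploads and parse_allowed instead of calling demo().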





This news item is from e107 v2 Bootstrap CMS
https://mail.static.e107.org/blog/769.html