ImpressCMS (www.impresscms.org) has released an updated version of their content management system to provide a more secure environment for the sites built on their platform. The default settings allowed anonymous access to the image upload folders. This could happen even if you do not enable the WYSIWYG (what you see is what you get) editors for any group.
It is strongly recommended you take action to reduce the risk of your sites being compromised.
Several bugs have been fixed as well as security enhancement based on Aung Khant's report.
Please be aware that the bugfix is not complete and 2.5 series will be following small but frequent release rule so that users can take advantage of quick fixes.
There also have been some security reports about the XOOPS 2.5.x series, but the developers have assured the community they are properly addressed.
The latest update to the PHP (Hypertext Prepocessor) programming language has recently been released, without a corresponding update to the older version. The PHP team (www.php.net) has released PHP 5.3.6 without any corresponding updates to the 5.2 series of PHP, indicating it truly has ended support of 5.2. If you are managing your own web server, you are strongly urged to move to the 5.3 release of PHP. If you maintain a website that uses PHP, as most content management systems do, we recommend you make sure your web platform will run on PHP 5.3, as Internet service providers are likely to be upgrading PHP on their servers.
In a quick turnaround, the ImpressCMS Project published a new release today in response to a vulnerability report racing around the Twitter-verse. They also closed an authorization gap in the plugin used by the TinyMCE editor that connected it to the image manager of ImpressCMS.
A few of the improvements already in the upcoming version of ImpressCMS were also back-ported to this release, making for a much more polished product for your web sites.
The ImpressCMS Team is proud to present the final release of ImpressCMS 1.2.3. With this release, PHP 5.3 support has been added to the system core and there have been a few bug fixes and a security patch added.
Since the initial release of ImpressCMS 1.2, PHP 5.3 support has steadily gained ground in hosting solutions. Based upon user feedback, the ImpressCMS team decided not to wait for ImpressCMS 1.3 in order to support PHP 5.3 officially. No new functionality has been added in this release, but it is highly recommended you upgrade to this version.
An updated version of ImpressCMS 1.2 was released to address a vulnerability in TidyCSS, 1 of the external libraries included in ImpressCMS. If you are using any of the 1.2 series for your site, you are urged to upgrade to 1.2.2 immediately. You can also remove the vulnerable file manually, since it is not used by ImpressCMS
The ImpressCMS development team has released ImpressCMS 1.1.3, a security update for their 1.1 version. The vulnerabilities were not in their core code, but in 2 of the 3rd party libraries used and distributed with their core - Smarty and PHPOpenID. If your site is running on a version prior to 1.1.3, it is strongly recommended you upgrade to the latest version.
Both XOOPS and ImpressCMS have released updates to address the recently disclosed security flaw. The National Vulnerability Database and SecurityFocus both reported details of a security flaw that affected both CMS platforms.
XOOPS has released version 184.108.40.206 RC and ImpressCMS has released version 1.0.2.RC
It is highly recommended you upgrade to the most recent version of either XOOPS or ImpressCMS to better secure your web site.
A security vulnerability affecting both XOOPS and ImpressCMS has been reported at the National Vulnerability Database and SecurityFocus. A fix for this has been posted at ImpressCMS. It is highly recommended you patch your sites to prevent exploitation of this vulnerability.