The ImpressCMS development team has released ImpressCMS 1.1.3, a security update for their 1.1 version. The vulnerabilities were not in their core code, but in two of the third-party libraries used and distributed with their core: Smarty and PHPOpenID. If your site is running a version prior to 1.1.3, it is strongly recommended that you upgrade to the latest version.
Smarty is a template engine, driving the way pages are built and displayed by ImpressCMS. PHPOpenID allows you to use OpenID authentication for logins on an ImpressCMS site.
Security is an important aspect of selecting a web platform and an important task for maintaining your web site.
Some of the security 'best practices' that have made their way into ImpressCMS are:
- Creating a trust_path outside the web root (when possible) during installation, making sensitive database credentials inaccessible to a web browser
- Using a 2-part encryption key to protect passwords stored in the database
- Using HTML Purifier to filter input and output and remove malicious and unauthorized code
- Providing a version checker for the core, making it much easier to keep your site up to date
- Providing multiple methods of password encryption to increase the difficulty of decrypting passwords