Build 437 - Important security fix affecting back-end area

Release Note 10

A serious vulnerability has been identified in the back-end area that has been addressed in Build 437. We strongly recommend performing an update to this version.

These security issues affect all websites running October CMS Build 436 and earlier where the back-end URL is known and exposed to everyone. There are two issues fixed by this build:

  • A user is able to execute PHP files stored on the server without authentication via the back-end.
  • A back-end user is able to store XSS and potentially take control of another admin's account.

If you are running Build 436 or earlier, perform a system update and ensure you are running Build 437 or above.

Using the back-end interface

Navigate to Settings > Updates & Plugins and select Check for updates, then follow the update process to complete the upgrade.

Using the command line interface

Using the CLI run the following command:

php artisan october:update

Or if you are using composer:

composer update

Manual patch

If you are unable to perform an update for any reason, you may patch the following files manually by referencing this commit on GitHub.

  • modules/backend/classes/Controller.php
  • modules/system/classes/MediaLibrary.php
  • modules/system/traits/ViewMaker.php

Credit

These vulnerabilities were first reported to the team on June 21st 2018 by Elar Lang and Andres Liiver from Clarified Security.
