Build 437

Changelog Note 437

A serious vulnerability has been identified in the back-end area and has been addressed in Build 437. We strongly recommend updating to this version.

API Changes

  • Added dot notation support to extendClassWith() method
  • Added attachOnUpload property to the FileUpload FormWidget to attach the file directly to the parent record as soon as the upload completes instead of waiting for deferred binding to attach the file
  • Added cache.codeParserDataCacheKey configuration item to prevent issues when running multiple OctoberCMS instances attached to the same cache server

Bug Fixes

  • Fixed infinite loop that could be triggered in the AuthManager
  • Improved the SectionParser logic, fixing a bug with Markdown headers
  • Improved PHP 7.2 support

Security Improvements

  • Prevent template files from being loaded outside of the application root
  • Prevent invalid folders from being created in the Media Library
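
The two security improvements above are both path-confinement checks. The following is an added example written for this note, not October CMS's own code and not the contents of the patched files: it shows one way to confine a template path to the application root and to validate a Media Library folder path before creating it. The function names, the temporary directory layout it builds for the demonstration, and the allowed folder-name character set are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added example, not October CMS code. resolveInsideRoot(), isValidMediaFolderPath(),
// the temporary layout and the allow-list pattern are assumptions for illustration.

/**
 * Resolve $relativePath under $root and confirm the result stays inside $root.
 * Returns the canonical absolute path, or null if the path does not exist,
 * contains a NUL byte, or resolves (via "..", "." or a symlink) outside $root.
 */
function resolveInsideRoot(string $root, string $relativePath): ?string
{
    // NUL bytes can truncate the path in the underlying C calls; reject outright.
    if (strpos($relativePath, "\0") !== false) {
        return null;
    }

    $realRoot = realpath($root);
    if ($realRoot === false) {
        return null;
    }

    // realpath() collapses "..", "." and symlinks, so the comparison below is
    // made against the path that would actually be opened, not the raw string.
    $candidate = realpath($realRoot . DIRECTORY_SEPARATOR . $relativePath);
    if ($candidate === false) {
        return null;
    }

    // Compare with a trailing separator so "/var/www/app2" is not accepted
    // as being inside "/var/www/app".
    $prefix = rtrim($realRoot, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($candidate !== $realRoot && strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    return $candidate;
}

/**
 * Validate a Media Library folder path before creating it: every segment must
 * match a conservative allow-list, and "." / ".." segments are rejected so the
 * folder can only be created beneath the media root.
 */
function isValidMediaFolderPath(string $folder): bool
{
    $folder = trim(str_replace('\\', '/', $folder), '/');
    if ($folder === '') {
        return false;
    }
    foreach (explode('/', $folder) as $segment) {
        if ($segment === '' || $segment === '.' || $segment === '..') {
            return false;
        }
        // Assumed allow-list: letters, digits, space, underscore, dash and dot.
        if (!preg_match('/^[A-Za-z0-9 _.-]+$/', $segment)) {
            return false;
        }
    }
    return true;
}

// Demonstration on a constructed temporary application root.
$appRoot = sys_get_temp_dir() . '/app_' . bin2hex(random_bytes(4));
mkdir($appRoot . '/themes/demo/pages', 0700, true);
file_put_contents($appRoot . '/themes/demo/pages/home.htm', 'x');

var_dump(resolveInsideRoot($appRoot, 'themes/demo/pages/home.htm'));
var_dump(resolveInsideRoot($appRoot, '../../etc/passwd'));
var_dump(resolveInsideRoot($appRoot, 'themes/../../../etc/passwd'));

var_dump(isValidMediaFolderPath('uploads/2018'));
var_dump(isValidMediaFolderPath('../outside'));
var_dump(isValidMediaFolderPath('a/b/../c'));

// Clean up the constructed layout.
unlink($appRoot . '/themes/demo/pages/home.htm');
rmdir($appRoot . '/themes/demo/pages');
rmdir($appRoot . '/themes/demo');
rmdir($appRoot . '/themes');
rmdir($appRoot);
```

The point of resolving with realpath() before comparing is that stripping ".." from the input string is not enough: a symlink inside the root, or a path that is normalised differently by the filesystem, can still point outside it. The check has to be made on the path that will actually be opened.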

Translation Improvements

  • Improved Polish translation
  • Improved German translation

Important Security Fix

These security issues affect all websites running October CMS Build 436 and earlier where the back-end URL is known and reachable by anyone. The two issues fixed by this build are:

  • An unauthenticated user is able to execute PHP files already stored on the server via the back-end.
  • An authenticated back-end user is able to store XSS (cross-site scripting) and potentially take control of another administrator's account.

If you are running Build 436 or earlier, perform a system update and ensure you are running Build 437 or above.

Using the back-end interface

Navigate to Settings > Updates & Plugins, select Check for updates, then follow the update process to complete the upgrade.

Using the command line interface

Using the CLI, run the following command:

php artisan october:update

Or if you are using composer:

composer update

Manual patch

If you are unable to perform an update for any reason, you may patch the following files manually by referencing this commit on GitHub.

  • modules/backend/classes/Controller.php
  • modules/system/classes/MediaLibrary.php
  • modules/system/traits/ViewMaker.php

Credit

These vulnerabilities were first reported to the team on June 21st 2018 by Elar Lang and Andres Liiver from Clarified Security.
