
Core lead, Brendan was awesome in preemptively catching this December last year. This is no longer an issue in Symphony 2.2 onwards (as stated in the security alert).

See diff commit of content.login.php. Specifically between lines 299 and 300.

Any one still on an older version of Symphony should look at updating to a new version or very least patching content.login.php.

Core lead, Brendan was awesome in preemptively catching this December last year.

Cool. Sorry to rehash it, but I was completely unaware. That's what I get for being MIA for much of last year!

This vulnerability also exists in Symphony 1.x. If you happen to have site(s) running Symphony 1.x, patch the symphony/actions/sym_login.php file by adding addslashes (I know it is not the best and cleanest solution, but Symphony 1.x uses addslashes in many places anyway) in two places. The first one is around line 42:

$author = $DB->fetchRow(0, "SELECT `id`, `email`, `firstname` FROM `sym_authors` WHERE `email` = '".$_POST['email']."'");

change it to:

$author = $DB->fetchRow(0, "SELECT `id`, `email`, `firstname` FROM `sym_authors` WHERE `email` = '".addslashes($_POST['email'])."'");

The second one is around line 89:

. "WHERE t2.`token` = '".$_REQUEST['_t']."' AND t1.`id` = t2.`author_id` "

change it to:

. "WHERE t2.`token` = '".addslashes($_REQUEST['_t'])."' AND t1.`id` = t2.`author_id` "

Sorry for the dumb question, how would one patch the 2.1.2 install? I have several sites running on 2.1.2, and unfortunately, can't upgrade those others right now to 2.2, but would like to at least patch the problem.

Allen referenced the change above (although I found it a little earlier in the code). Around line 270 you want to change $_REQUEST['token'] so that it resembles

Symphony::Database()->cleanValue($_REQUEST['token'])

This solution will only work in Symphony 2.0.6 and forward.
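The two posts above patch the same pattern (a request value concatenated straight into the password-reset token query) by escaping it with addslashes or Symphony::Database()->cleanValue(). The following is an added illustration, not Symphony's own code: it rebuilds that token lookup over an in-memory SQLite database so it runs offline, shows what an unescaped input does to the WHERE clause, and puts a bound-parameter version beside it. The table name sym_forgotpass, the column layout and the rows are constructed for the demo; only sym_authors and the t2.token / t2.author_id join come from the snippets in the thread.

```php
<?php
// Added example, not Symphony code. PDO + in-memory SQLite so it runs offline.
// The schema and rows below are constructed for the demo; sym_forgotpass is an
// assumed name for the token table the thread's query joins as t2.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE sym_authors (id INTEGER PRIMARY KEY, email TEXT, firstname TEXT)");
$db->exec("CREATE TABLE sym_forgotpass (token TEXT, author_id INTEGER)");
$db->exec("INSERT INTO sym_authors VALUES (1, 'admin@example.com', 'Admin')");
$db->exec("INSERT INTO sym_forgotpass VALUES ('8f3a1c', 1)");

// The pattern the thread fixes: the token from the request is concatenated
// into the SQL string, so its quotes become part of the statement.
function lookupTokenUnsafe(PDO $db, string $token): array
{
    $sql = "SELECT t1.id, t1.email FROM sym_authors AS t1, sym_forgotpass AS t2 "
         . "WHERE t2.token = '" . $token . "' AND t1.id = t2.author_id";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// What the thread's patch does: escape before concatenating. addslashes stands
// in for Symphony::Database()->cleanValue(); it neutralises the quote below.
function lookupTokenEscaped(PDO $db, string $token): array
{
    $sql = "SELECT t1.id, t1.email FROM sym_authors AS t1, sym_forgotpass AS t2 "
         . "WHERE t2.token = '" . addslashes($token) . "' AND t1.id = t2.author_id";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Cleaner fix: bind the value, so it is never parsed as SQL at all.
function lookupTokenBound(PDO $db, string $token): array
{
    $stmt = $db->prepare(
        "SELECT t1.id, t1.email FROM sym_authors AS t1, sym_forgotpass AS t2 "
      . "WHERE t2.token = :token AND t1.id = t2.author_id"
    );
    $stmt->execute([':token' => $token]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed input, not a real token: it closes the quote and adds OR '1'='1',
// so the WHERE clause becomes  token = '' OR '1'='1' AND t1.id = t2.author_id
// and the join alone decides which rows come back.
$guess = "' OR '1'='1";

var_dump(lookupTokenUnsafe($db, $guess));   // admin row returned without the token
var_dump(lookupTokenEscaped($db, $guess));  // empty: the quote is escaped
var_dump(lookupTokenBound($db, $guess));    // empty: the value is bound
var_dump(lookupTokenBound($db, '8f3a1c'));  // admin row, only with the real token
```

Run it with `php example.php` on any PHP build with pdo_sqlite. The escaping version matches what the thread recommends for old installs and is a one-line change; binding the parameter is what you would reach for in new code, since it does not depend on remembering to escape every request value that reaches a query.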

Was this threat also announced on this website (while currently updating a bunch of old sites...)?

From the 2.1.2 release announcement and release notes:

the release of Symphony 2.1.2, which includes some important security improvements, performance enhancements, and bug fixes

and

Fixes to prevent SQL injection

Just to make sure:

Are both versions, Symphony 2.1 and Symphony 2.2, as they are available on GitHub and on this site, patched? There were two vulnerabilities discovered lately that should be patched already, but it has not been announced very prominently anywhere.

Maybe it would be good if someone could post on the blog making clear which versions need updating and where to find the needed downloads. Thanks!

First off: this security issue was present in Symphony 2.1.2, so I guess you are aiming at the release notes of Symphony 2.2.

Second: not all people read the release notes, or they merely 'scan' them, which makes something like this easy to miss.

Third: if I understand correctly, the security threat caused the administrator password to get reset and sent to an evil e-mail address. This seems like a pretty serious threat to me. Especially if something like this was already spotted in December last year, you should expect a warning on this site immediately (blog, forum, anything) to inform people that a critical patch is necessary. Use the pink ribbon on top of the site, for example (the one you used for the questionnaire lately).

Don't get me wrong. I'm not trying to rant here or anything. I love the work all of you are doing and I enjoy working with Symphony. I also understand it's a bit embarrassing if something like this happens, but it's better to call for immediate action instead of giving it a few words in the release notes of the next release. The damage would be greater if (almost) nobody is aware of a certain vulnerability and the next day Symphony is getting nailed to the cross on a well-respected web developers' blog because some hackers crippled hundreds of sites in one night (just go through the showcase; I'm pretty sure the majority of these sites are S2.2+). I think that's something nobody wants.

Regarding the updates:

At our company we run multiple client sites on Symphony (25+), and the fact is that if a site is live, you are not going to update all those sites each time a new version is out, only patch critical vulnerabilities (like this one).

AFAIK, for S 2.1.2 the new issue is the only one. I am not really sure about 2.2 -- the team will know better.

Like some others, I also think that a security issue like this needs to be addressed much more aggressively. I would expect to get an email and see a big red warning here on the website.

Like some others, I also think that a security issue like this needs to be addressed much more aggressively. I would expect to get an email and see a big red warning here on the website.

Agreed 100%.

These are good points and something we'll aim to handle better in the future. I'm not sure where you draw the line between issuing hotfixes for older versions and just saying that the new version is the fix, but we'll have some discussion in the working groups and come up with a solid policy moving forward.

I'm not sure where you draw the line between issuing hotfixes for older versions and just saying that the new version is the fix

In my opinion, all versions released as a stable release should be patched by hotfixes if an important security hole is discovered.

There will always be people who can not update to a next version because of extensions or manual changes to the core: a hotfix will be ideal for this group.

Available immediately, 2.1.2.1.

The WG is now discussing how we can stay on top of security updates, announce these to the general public and just generally do a better job at dealing with them.

To patch/update a 2.1.2 install, you can simply replace the content.login.php file in symphony/content. (There is no special updater for this hotfix anyway.)

I also updated the version number in my config file, so one can see in the backend that it has been patched.

Anyone know what to do with a Symphony 2 beta r5 site? I've got one I can't really upgrade :-/

How about adding an extra option to the menu next to Issues, called 'patches'. And each time a new security threat has been fixed and a patch is released it shows a notification. Something like this for example: patch

I'm still not sure what to do with a Symphony 2b r5 site. Anyone know for sure?

I've edited content.login.php to use addslashes as mentioned by @ahwayakchih for Symphony 1.x. It seems to have killed the ability to reset the password completely. I guess the vulnerability is gone, which is the important thing, but now resetting passwords will be a chore.

If anyone has a better idea, I'd like to know!

Thanks.

Also, a +1 to making these types of patches more prominent. I didn't know about this until I came across it in the forum. A Tweet, email or blog post would have gotten my attention immediately.

I think this type of thing is bad enough to warrant more communication and a fix for all versions of Symphony, since simply upgrading, a lot of the time, isn't really an option because of customizations and extensions that aren't ready.

I hope the dev team is working on patches for all affected versions. Maybe they are being quiet until they are done before really making the bug public. That way developers will have something to patch with when they get the news.
