Get articles in your inbox!Subscribe

Textpattern CMS 4.4.1 released

Site Index

This site uses affiliate links as a means of monetization.

A new version of Textpattern CMS has been released. Version 4.4.1 takes care of a security vulnerability that was present in previous versions so upgrading is highly recommended.

From the announcement:

All versions prior to TXP 4.4.1 were open to CSRF attacks; pronounced sea-surf. While it’s out of scope in this article to discuss what makes up such an attack, it generally works by tricking a logged-in user into clicking something (e.g. an <img> tag which isn’t an actual image). This link secretly accesses something on the admin side using the current logged-in user’s credentials and performs some action — submits an article, deletes something, whatever. If the user in question is an admin, the potential for damage is high.

To combat this, we now use unique tokens passed in each admin-side form and AJAX request to ensure that the request originated on the admin side from the correct form. Any jiggery pokery results in failure for the attacker and a typically TXPish message.

This release also introduces a new security privilege image.create.trusted which prohibits untrusted users from uploading SWF images to the Images tab.

The full announcement is here:

CMS & Marketing / Textpattern CMS 4.4.1 releasedLast updated on January 5, 2019
Save Your Favorite Articles!
Create an account and save articles

Site Index