
Updated, Fixed Patches Released for V2.3.1, V2.2.3, and V2.1.4


Comments

  • Is this the traditional File Manager or the new elFinder?
  • We've fixed a security issue (identified by Mayuresh Dani and Narendra Shinde from qualys.com) in our current release and some of our older versions and now have patches available to fix this specific issue:
    * Fixes cross-site security issue

    The v2.1.4 patch #6 download is found at http://sourceforge.net/projects/exponentcms/files/exponent-2.1.4-patch-6.zip/download.
    The v2.2.3 patch #9 download is found at http://sourceforge.net/projects/exponentcms/files/exponent-2.2.3-patch-9.zip/download.

    In addition to this fix, several other fixes are included in patch #1 to v2.3.1 found at http://sourceforge.net/projects/exponentcms/files/exponent-2.3.1-patch-4.zip/download.

    v2.3.1patch4 fixes these issues in v2.3.1:
    * !!! Fixes cross-site security issue
    * Re-introduces old (0.9x) theme compatibility if OLD_THEME_COMPATIBLE constant is set in the theme config.php settings file
    * Fixes issue where IE fixes would be applied since they were loaded before the stylesheets
    * Fixes issue with possible mangled meta tags (due to bad user input)
    * Fixes issue where message queue wasn't always displayed
    * Fixes issue in a dropdown control where both 'blank item' and 'no items' would be listed
    * Fixes shipping/billing calculator upgrade script to run on all upgrades
    * Updates removal of some old libraries left in after upgrade from v2.3.0 to v2.3.1
    * Adds comment to .htaccess file to help with issues running from subfolder
    * Fixes bad refs for .htaccess error documents
    * Fixes some issues saving bootstraptheme/bootstrap3theme theme configuration setting changes
    * Fix display of showlogin view for bootstrap3
    * Fixes bad closing tag on new 'message' smarty function
    * Fixes issue where MOTD item allowed setting of 'any month' was not allowed
    * Fixes expSession to deal with mangled $user session variable
    * Fixes expUtil::browser() method to work w/ php v5.2.1
    * Fix for possible database manager write error reporting 'Invalid CSRF token'
    * More graceful exit from an upgrade if the database is down
    * Fixes styling of DataTables Tabletools for non-bootstrap views
    * Now allows sorting by 'is admin' for manage user view
    * Fixes issue w/ CKEditor (only elFinder support fixed) where image size didn't appear in insert image dialog after file selection, now also transfers 'alt' from file manager

    Therefore, the following patches (which may be available in the wild) are NOT recommended:
    v2.1.4patch3, v2.1.4patch4, and v2.1.4patch5
    v2.2.3patch6, v2.2.3patch7, and v2.2.3patch8
    v2.3.1patch1, v2.3.1patch2, and v2.3.1patch3
  • I hope to have a new patch out this week...was a result/consequence of the recent patch
  • Actually, I've found the issue and am working on a fix
  • Thanks! No settings done by us for the File Manager when the error came, so standard as it comes when installing.