
Articles: Zikula Core 1.3.6 (Security Release)

Contributed by craigh on Nov 07, 2013 - 01:55 AM

Security

Zikula Core 1.3.6 is released as of November 6, 2013. This is strictly a security release for the Core 1.3.x series. All users of Core 1.3.0 - 1.3.5 are recommended to update as soon as possible. This release does not contain any other bug fixes or features over Core 1.3.5.

Installation/Upgrade (from Core 1.3.5): simply overwrite the files in your current installation with the new files and then run the upgrade.php routine.

Download:
ZIP package
TGZ package
Checksums

The release that was to be version 1.3.6 has been renamed to 1.3.7 and is yet unreleased. Please adjust your development module dependencies accordingly.

High-Tech Bridge Security Research Lab has discovered a security vulnerability in your product - Zikula Application Framework.

===============================================================

Advisory ID: HTB23178
Reference: https://www.htbridge.com/advisory/HTB23178
Product: Zikula Application Framework
Vendor: Zikula Software Foundation ( http://zikula.org )
Vulnerable Version(s): 1.3.5 build 20 and probably prior
Tested Version: 1.3.5 build 20
Vulnerability Type: Cross-Site Scripting [CWE-79]
Risk Level: Medium

Advisory Details:

High-Tech Bridge Security Research Lab discovered a vulnerability in Zikula Application Framework, which can be exploited to perform Cross-Site Scripting (XSS) attacks.

1) Cross-Site Scripting (XSS) in Zikula Application Framework

1.1 The vulnerability exists due to insufficient sanitisation of user-supplied data in the "returnpage" HTTP GET parameter passed to the "/index.php" script. A remote attacker can trick a logged-in user into opening a specially crafted link and execute arbitrary HTML and script code in the browser in the context of the vulnerable website.
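The advisory describes a reflected XSS: a URL-style parameter echoed back into the page without output encoding. The following is an added illustration of the defensive pattern, not Zikula's own code; the function names, the default path and the sample inputs are hypothetical and constructed.

```php
<?php
// Added example (not from Zikula): validate a "returnpage"-style parameter
// and encode it on output so it cannot break out of the surrounding HTML.
declare(strict_types=1);

/**
 * Accept only a plain site-relative path (e.g. "index.php?module=Users");
 * anything else falls back to $default. Absolute URLs, scheme-relative
 * "//host" forms, backslashes and control characters are all refused.
 */
function safeReturnPage(string $raw, string $default = 'index.php'): string
{
    $raw = trim($raw);
    if ($raw === '' || strlen($raw) > 2048) {
        return $default;
    }
    // Control characters (including CR/LF) never belong in a path.
    if (preg_match('/[\x00-\x1F\x7F]/', $raw)) {
        return $default;
    }
    // Refuse a scheme ("http:", "javascript:") or an authority ("//host").
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $raw)
        || strpos($raw, '//') === 0
        || strpos($raw, '\\') === 0) {
        return $default;
    }
    // Whitelist the character set of an ordinary relative URL; quotes and
    // angle brackets are deliberately absent.
    if (!preg_match('#^[A-Za-z0-9._~/?&=%+\-]+$#', $raw)) {
        return $default;
    }
    return $raw;
}

/** Build the link markup. Encoding at the output point is what stops XSS. */
function renderReturnLink(string $raw): string
{
    // The vulnerable shape the advisory describes: raw input placed in HTML.
    //   echo '<a href="' . $_GET['returnpage'] . '">Back</a>';
    $safe = safeReturnPage($raw);
    return '<a href="' . htmlspecialchars($safe, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '">Back</a>';
}

// Constructed inputs: a benign local path, an external redirect attempt,
// and a value that tries to close the attribute and inject markup.
echo renderReturnLink('index.php?module=Users&func=view'), PHP_EOL;
echo renderReturnLink('//attacker.example/phish'), PHP_EOL;
echo renderReturnLink('"><b>injected</b>'), PHP_EOL;
```

Validation narrows what the parameter may contain; `htmlspecialchars` with `ENT_QUOTES` is still applied because the href attribute, not the validator, is the trust boundary.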

Comments

Comment by:
Abadia
07 Nov 2013 - 09:42PM
What files have been modified in ZK 1.3.6 with regard to 1.3.5?
 
Comment by:
Guite
07 Nov 2013 - 09:57PM
You can check this on GitHub: https://github.com/zikula/core/compare/1.3.5...1.3.6
 
Comment by:
Abadia
07 Nov 2013 - 11:29PM
Thanks Guite!
 
Comment by:
czardogs
08 Nov 2013 - 02:06AM
1.2.9
1.2.9 requires no changes then?
 
Comment by:
craigh
08 Nov 2013 - 02:35AM
1.2.9 is no longer supported.
 
Comment by:
Guite
08 Nov 2013 - 05:34AM
1.2.9 seems not to be affected
 
Comment by:
Abadia
08 Nov 2013 - 11:01AM
If I overwrite the files of my ZK 1.3.5 installation with the new package of ZK 1.3.6, the system shows me this message:

"This site needs to be upgraded, please contact the system administrator."
 
Comment by:
rgasch
10 Nov 2013 - 09:58AM
Since the changes to this release are minimal, what about providing a patch release/package?
 
Comment by:
Abadia
11 Nov 2013 - 08:34AM
This article has been edited, hasn't it? When I left my last message it didn't explain that you had to run the upgrade.php in order to upgrade from ZK 1.3.5 to 1.3.6 :)
 
Comment by:
cmf
13 Nov 2013 - 04:42AM
> This article has been edited, isn't it? When I left my last message it didn't explain that you had to run the upgrade.php in order to upgrade from ZK 1.3.5 to 1.3.6.

Yes it has been updated :)
 
Comment by:
TakeIT2
16 Nov 2013 - 12:07PM
use of zikula discussions for notice of this release in addition to a posting here
What other ways do people learn of this release? The usual upgrade notice didn't appear in the admin panel of zk-1.3.5r20.

This post was 8 days ago, so much can happen in that amount of time...
 
Comment by:
bartl
16 Nov 2013 - 05:56PM
Any particular reason why it wasn't labeled 1.3.5.1 or 1.3.51?
 
Comment by:
espaan
17 Nov 2013 - 03:31AM
Great
Great that the vulnerability is gone, but the version number is not that convenient. A lot of modules now have versions for Zikula <= 1.3.5 or >= 1.3.6 in their code, since 1.3.6 contained some new stuff.

Also MOST uses 136 as a special target instead of 135, but of course that will sort itself out.

But looking at the version number discussions in the past this is a swift decision with some impact :)
 
Comment by:
espaan
17 Nov 2013 - 07:17AM
patch
Hi,
if anybody wants to use a patch file this can be generated from github directly:
https://github.com/zikula/core/compare/1.3.5...1.3.6.patch
 
Comment by:
Teb
18 Nov 2013 - 10:45AM
I have the same question as BartL: Any particular reason why it wasn't labeled 1.3.5.1? AFAIK releasing hotfixes on a released product (using patch-levels, or whatever you want to call them) is quite normal these days in most scm branching models.

Especially for the reason that espaan mentions: this fix now has a not only inconvenient, but unnecessary administrative impact on all developers...
 
Comment by:
rallek
20 Jan 2014 - 12:01AM
another patch available
I have created another patch from 1.3.5 to 1.3.6 plus some other useful issues.

see here: https://github.com/rallek/1.3.6patch
 