In the last few weeks two security research organisations have discovered some security holes and reported them to us. They gave us a reasonable period of time to fix the problems, hence this release prior to the wider public disclosure of the vulnerabilities.
Action required
We recommend that users upgrade to 7.1.6, which resolves all of these issues at once and also fixes a number of other compatibility issues that have recently come up (PHP 5.4, PayPal changes, a Google Chrome bug).
Vulnerabilities have been found in:
- The code editor and config editor
- The catalogues system
- The core system: how redirects are handled (two different attack patterns)
If you run a heavily customised version and cannot upgrade to a new patch release, the changes may be applied manually. A patch is attached illustrating the changes. Users who need to update manually and do not have experience with patch files should open a support ticket.
Future policy
Until now we have had a policy of not identifying vulnerabilities in ocPortal, to avoid alerting hackers to where they might concentrate their attention. Instead, we have promptly released a new version whenever an issue has been found and recommended that people upgrade to it.
The problem with this approach is that if people do not know a security hole exists, they may decide not to follow our upgrading advice and fall behind.
This has not really been a problem up to this point as vulnerabilities have only been found very rarely (about one every two years).
Now that ocPortal is under some increased scrutiny, we'll be changing our policy going forward.
The new policy is that we will give some general upfront advice, via our newsletter and site news, whenever an ocPortal vulnerability has been found. Within this advice we will give a time when the security update will be released. This way hackers have little chance to target a site before it is upgraded, because the site owner can schedule their site update in advance so that it happens very close to the security update being released (once an update is released, it is also available for hackers to study and work out what was fixed).
We carried out this policy today, although with only a few hours' notice. In future, one or two weeks' notice will be more usual.