
Moving forward with Composr

ocPortal has been relaunched as Composr CMS, which is now in beta. ocPortal 9 will be superseded by Composr 10.

Head over to compo.sr for our new site, and to our migration roadmap. Existing ocPortal member accounts have been mirrored.


Security problem in version 8 pre-releases

Users of the ocPortal version 8 pre-releases, up to the latest RC4 release, may be affected by a security vulnerability.

This affects users who:
  • Use OCF (the inbuilt forum)
  • Do not have the optional activities addon installed (if you don't know what this is, you don't have it)

The security vulnerability is as follows…

The 'Posts' tab on member profiles does not filter by permissions. Therefore anyone with permission to view your profile can see whatever posts you've made.

This may be of great concern if you have private staff forums.

A fix for this is below (upload this replacement file):
Attachment: sources/hooks/systems/profiles_tabs/posts.php (posts.php, 4 Kb)


The vulnerability has only just been noticed because most testers have been installing the activities addon, which removes the posts tab in favour of an all-encompassing activities tab, which does check permissions.
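
The flaw described above, shown as an added example (this is not ocPortal's code and not the contents of the replacement posts.php): a profile "Posts" listing that selects by author only, next to one that also checks which forums the viewer may read. All function names, usergroup names and sample data are hypothetical and constructed for illustration.

```php
<?php
// Added illustration; names are hypothetical, not ocPortal/OCF functions.
// Constructed sample data: forum id => usergroups allowed to view it.
$forum_view_groups = [
    1 => ['guests', 'members', 'staff'], // general forum
    2 => ['staff'],                      // private staff forum
];

// Constructed sample posts; member 7 is a staff member.
$posts = [
    ['id' => 101, 'poster' => 7, 'forum' => 1, 'title' => 'Welcome'],
    ['id' => 102, 'poster' => 7, 'forum' => 2, 'title' => 'Ban decision'],
    ['id' => 103, 'poster' => 9, 'forum' => 1, 'title' => 'Hello'],
];

/** Forum ids that a viewer in the given usergroups may read. */
function viewable_forums(array $forum_view_groups, array $viewer_groups): array
{
    $ids = [];
    foreach ($forum_view_groups as $forum_id => $allowed) {
        if (array_intersect($allowed, $viewer_groups)) {
            $ids[] = $forum_id;
        }
    }
    return $ids;
}

/** Flawed pattern: selects by author only, so posts from every forum are listed. */
function profile_posts_unfiltered(array $posts, int $member_id): array
{
    return array_values(array_filter($posts, fn($p) => $p['poster'] === $member_id));
}

/** Corrected pattern: the viewer's forum access is part of the selection. */
function profile_posts_filtered(array $posts, int $member_id, array $forum_view_groups, array $viewer_groups): array
{
    $allowed = viewable_forums($forum_view_groups, $viewer_groups);
    return array_values(array_filter(
        $posts,
        fn($p) => $p['poster'] === $member_id && in_array($p['forum'], $allowed, true)
    ));
}

// An ordinary member views the profile of staff member 7.
$viewer_groups = ['members'];
echo 'unfiltered: ', implode(', ', array_column(profile_posts_unfiltered($posts, 7), 'title')), "\n";
echo 'filtered:   ', implode(', ', array_column(profile_posts_filtered($posts, 7, $forum_view_groups, $viewer_groups), 'title')), "\n";
```

The same comparison works as a regression check: for a viewer outside the staff usergroup, the listing must never contain a post whose forum that viewer cannot open directly.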
