
Moving forward with Composr

ocPortal has been relaunched as Composr CMS. ocPortal 9 is superseded by Composr 10.

Head over to for our new site, and to our migration roadmap. Existing ocPortal member accounts have been mirrored.

Security patch for XSS vulnerability

An XSS security hole was found in ocPortal and reported to us yesterday. Additional testing has also found 2 very similar flaws.

This hole allows a hacker to potentially interfere with your website by guiding a logged-in administrator to a malicious URL.

It is important to apply the attached security patch as soon as possible. This patch is compatible with ocPortal 9 sites. The attached zip contains 3 altered template files, to be uploaded to the themes/default/templates directory.
» Download: (1.63 Kb, 141 downloads so far)

ocPortal's normal session security will block the most dangerous kinds of attack.

If you have ModSecurity on your server you are also unlikely to be affected.

To prevent this class of XSS vulnerability recurring, our automated testing tools have been updated. This is how we found the 2 related vulnerabilities fixed in this patch.

Additionally, for our next version (v10) we have now implemented a self-updating software firewall so we can automatically roll out live mitigations for this kind of issue.

Credit for the vulnerability goes to Arjun Basnet from Cyber Security Works Pvt Ltd. We appreciate the time taken to find this issue and report it to us.
