Important security patch released for Newscoop 4.0.x
  • This weekend our attention was drawn to a Newscoop vulnerability that affects all 4.0.x users. It is rated ‘critical’ and all users are recommended to patch immediately.

    The issue exposes potentially account-compromising database and user information during error reporting on front-end templates.

    Without the patch, when front-end controllers fail, errors are presented in the front-end templates via error_error.tpl front-end view, even if APPLICATION_ENV is set to production mode.

    This quick failsafe solution should be applied immediately.

    How To Fix

    Let’s assume your Newscoop directory is /var/www/newscoop. Here are the steps...

    1) Download the patch file 0001-CS-4543-Unnecessary-error-reporting-exposed-on-front.patch

    2) Make sure the current directory is /var/www/newscoop

    $ cd /var/www/newscoop

    3) Apply the patch (attached to this post, click on the icon below (looks like a piece of paper!))

    $ patch -p1 < /path/to/0001-CS-4543-Unnecessary-error-reporting-exposed-on-front.patch

    The files to be patched are:

    application/controller/ErrorController.php
    application/views/scripts/error_error.tpl

    All Sourcefabric customers are already protected and need to take no action.

    If you are unsure of how to apply this fix or whether you are affected, please mail security@sourcefabric.org immediately.

    Thanks, Adam

    Post edited by Adam Thomas at 2013-01-23 05:51:45
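    As an added illustration of the failure mode the post describes (this is example code written for this page, not Newscoop's ErrorController.php or the contents of the patch), here is an error controller in the Zend Framework 1 style that the APPLICATION_ENV setting and the application/controller/ErrorController.php path suggest; it hands the exception to the view only when the front controller's displayExceptions invoke argument is on, and logs the full details server-side otherwise. The class layout and the use of error_log() are assumptions.

```php
<?php
// Illustrative ZF1-style error controller (added example, not Newscoop's code).
// The problem described in the advisory is the unconditional line marked
// VULNERABLE below: the exception object reaches the front-end template, so
// error_error.tpl can print messages and stack traces (which may carry database
// credentials or user data) even when APPLICATION_ENV is "production".
class ErrorController extends Zend_Controller_Action
{
    public function errorAction()
    {
        $errors = $this->_getParam('error_handler');
        if (!$errors || !$errors instanceof ArrayObject) {
            $this->view->message = 'You have reached the error page';
            return;
        }

        switch ($errors->type) {
            case Zend_Controller_Plugin_ErrorHandler::EXCEPTION_NO_ROUTE:
            case Zend_Controller_Plugin_ErrorHandler::EXCEPTION_NO_CONTROLLER:
            case Zend_Controller_Plugin_ErrorHandler::EXCEPTION_NO_ACTION:
                $this->getResponse()->setHttpResponseCode(404);
                $this->view->message = 'Page not found';
                break;
            default:
                $this->getResponse()->setHttpResponseCode(500);
                $this->view->message = 'Application error';
                break;
        }

        $e = $errors->exception;

        // VULNERABLE pattern: always exposing the exception to the template.
        // $this->view->exception = $e;

        // Hardened: keep the full detail in the server log (readable only by
        // administrators) and never in the HTTP response by default.
        error_log(sprintf('[%s] %s in %s:%d', get_class($e), $e->getMessage(),
                          $e->getFile(), $e->getLine()) . "\n" . $e->getTraceAsString());

        // Only the development configuration sets
        // resources.frontController.params.displayExceptions = 1 (assumed
        // application.ini layout); production leaves it off, so the template
        // can render nothing beyond the generic $message above.
        if ($this->getInvokeArg('displayExceptions') == true) {
            $this->view->exception = $e;
        }
    }
}
```

The matching template should render only $this->message unless $this->exception is set, so a misconfigured view cannot leak more than the controller hands it.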
  • Hi, and thanks for the info. But (I'm a n00b) download the patch from *where*?? You don't say.
    Thanks.
    Have A Healthy, Prosperous Day!
    ---rob
  • Hi Robert,

    You should see what looks like a piece of paper at the bottom of the post above. That's our forum's odd way of saying 'there's a file attached to this post.' click that icon and the download should begin!

    I'll clarify this in the post!

    Best, A
  • Hello again, Adam. Thank you for taking the time. Got it!! (missed space at ' < ') after a couple of errors, but it seems OK w/no errors now. Will get down to the business of learning (trying) this system right away. My biggest headaches have been with mysql/db configure, install/admin stuff.

    As I said, I'm not a coder, and *don't* wish to be. So far, every software I've tried depends heavily on the user to desire to learn to code/program/compile. IMHO this approach is short-sighted, and loses many, many content producers or would-be journalists. Why? Because it takes away from what the person has already spent a lifetime doing: communicating in their native language, not computer code. I have ideas for implementation that I'm confident would help with this, but don't know any programmers to listen to me. We all forget that what we already know takes small, simple steps (take nothing for granted) when explaining or otherwise making it available to the uninitiated. In any event, thank you so much for your time. It was a great help!!
    Have A Healthy, Prosperous Day!!
    ----robert
  • Daniel James (Member, Sourcefabric Team)
    Hi Robert,

    If you have trouble downloading the patch, please try this direct link:

    http://forum.sourcefabric.org/uploads/FileUpload/4b/13a168767dc032db40466cdc393bd9.patch

    The point you make about journalists and coders is a good one - if you have ideas, we're listening :-) Please send me or Adam a direct message, or start a new topic in the Newscoop forums.

    Cheers!

    Daniel
  • Hi Robert,

    Sounds like you are describing #newsbeta, our initiative to get coders and non-coders working together on tools.... http://www.sourcefabric.org/en/community/blog/1265/

    Welcome to the community! :)

    Best, Adam