TemPlug Templates: Arbitrary Code Execution Vulnerability

cmb
Posts: 12663
Joined: Tue Jun 21, 2011 11:04 am
Location: Mü-Sa, RLP, DE

TemPlug Templates: Arbitrary Code Execution Vulnerability

Post by cmb » Tue Apr 09, 2013 2:16 pm

Hello Community,

probably all TemPlug templates suffer from an arbitrary code execution vulnerability. I've checked that for tp_3cols_avantgardeXH, but other TemPlug templates are most likely affected as well.

I have PMed Gert 2 weeks ago, but he has not yet replied. I suggest you immediately contact him for a fix. I will not publicly reveal any details, let alone the exploit I've written to confirm this issue. You can contact me by mail or PM for further information.

Christoph
Christoph M. Becker – Plugins for CMSimple_XH, but not for CMSimple 4+

Gert
Posts: 3053
Joined: Fri May 30, 2008 4:53 pm
Location: Berlin

Re: TemPlug Templates: Arbitrary Code Execution Vulnerabilit

Post by Gert » Tue Apr 09, 2013 2:37 pm

Download new and update the folder "templug/", but without the folder "templug/data/",

Gert
Gert Ebersbach | CMSimple | Templates - Plugins - Services

MiHa
Posts: 13
Joined: Fri Apr 12, 2013 1:44 pm

Re: TemPlug Templates: Arbitrary Code Execution Vulnerabilit

Post by MiHa » Fri Apr 12, 2013 1:46 pm

I don't find a link to the updated Templug.
Where is it?
(1.4 is from January 25th 2012)

Gert
Posts: 3053
Joined: Fri May 30, 2008 4:53 pm
Location: Berlin

Re: TemPlug Templates: Arbitrary Code Execution Vulnerabilit

Post by Gert » Fri Apr 12, 2013 2:01 pm

http://www.ge-webdesign.de/cmsimpletemplates/?TemPlug

You have to update the templates, not the plugin,

Gert
Gert Ebersbach | CMSimple | Templates - Plugins - Services

MiHa
Posts: 13
Joined: Fri Apr 12, 2013 1:44 pm

Re: TemPlug Templates: Arbitrary Code Execution Vulnerabilit

Post by MiHa » Fri Apr 12, 2013 3:06 pm

Gert wrote: http://www.ge-webdesign.de/cmsimpletemplates/?TemPlug
You have to update the templates, not the plugin,

Ah, thank you. I am trying out tp_float_treesXH.zip - but it was not updated (it is from 27 March 2013).

Gert
Posts: 3053
Joined: Fri May 30, 2008 4:53 pm
Location: Berlin

Re: TemPlug Templates: Arbitrary Code Execution Vulnerabilit

Post by Gert » Fri Apr 12, 2013 3:18 pm

MiHa wrote: but it was not updated (it is from 27 March 2013).

It IS updated - I have updated all templates on 27 March 2013,

Gert
Gert Ebersbach | CMSimple | Templates - Plugins - Services

MiHa
Posts: 13
Joined: Fri Apr 12, 2013 1:44 pm

Re: TemPlug Templates: Arbitrary Code Execution Vulnerabilit

Post by MiHa » Fri Apr 12, 2013 5:17 pm

Great news!

I got started on the new CMSimple 4 on or right after March 27, then =)

I was on the old CMSimple a long time ago for an NGO ( www.hemundervisning.org ), and recently needed more - SO happy about the progress you are making!

Gert
Posts: 3053
Joined: Fri May 30, 2008 4:53 pm
Location: Berlin

Re: TemPlug Templates: Arbitrary Code Execution Vulnerabilit

Post by Gert » Fri Apr 12, 2013 5:47 pm

MiHa wrote: I got started on the new CMSimple 4 on or right after March 27, then =)

"On" or "right after"? ;)

I have uploaded the new zip files 2 pm in the afternoon, but in case "right after March 27" you have the new template surely,

Gert
Gert Ebersbach | CMSimple | Templates - Plugins - Services
