Plugins, Addons and Templates from 3-magi.net

A place for security related announcements and discussions - please check this forum frequently!
cmb
Posts: 12522
Joined: Tue Jun 21, 2011 11:04 am
Location: Mü-Sa, RLP, DE

Post by cmb » Mon Jun 30, 2014 12:00 pm

Hello Community,

[A German translation is available.]

I have to confirm the security warning of Gert Ebersbach regarding Plugins, Addons and Templates from 3-magi.net, that some of my latest plugins (beta versions) allow access to the plugin administration without authentication when used in CMSimple (all versions) and CMSimple_XH < 1.5.4.

Of course, I will make updates available as soon as possible, which will fix this issue. I've emailed Gert asking for details on how to best deal with the issue, but he didn't answer me directly. Obviously, he does not want me to write plugins for CMSimple. So all my future releases will work solely in CMSimple_XH. Even if all my existing plugins explicitly state that they require CMSimple_XH (and the minimum version), I will do my best to check for unsupported versions and variants of CMSimple, and let the plugin act appropriately.

I recommend immediately uninstalling my plugins from systems which do not fulfill the plugin requirements as stated in the manual (a.k.a. help files). There will be neither bugfix releases nor security patches from me which allow you to run the plugins under unsupported systems.

Another option is to upgrade to a supported version of CMSimple_XH.

Sorry for the inconvenience,
Christoph
http://3-magi.net/
Last edited by cmb on Mon Jun 30, 2014 3:39 pm, edited 1 time in total.
Reason: added link to German translation
Christoph M. Becker – Plugins for CMSimple_XH, but not for CMSimple 4+

mikey
Site Admin
Posts: 345
Joined: Tue May 27, 2008 3:15 am
Location: Sydney Australia

Re: Plugins, Addons and Templates from 3-magi.net

Post by mikey » Mon Jun 30, 2014 1:13 pm

great to see you are on top of it matey :)

the trust is always with XH coders to bring cmsimple to where it is now

can i just confirm something, did gert's forum show this, without advising XH developers ?

svasti
Posts: 1650
Joined: Wed Dec 17, 2008 5:08 pm
Location: Bielefeld, Germany

Re: Plugins, Addons and Templates from 3-magi.net

Post by svasti » Mon Jun 30, 2014 1:24 pm

There are plugins
  1. that are supposed to work on both XH and CMSimple 4.x
  2. that are supposed to work only on XH
  3. that are supposed to work only on CMSimple 4.x
If a plugin nr 2 or 3 is installed on the wrong system, unwanted problems occur. It would be better if the plugins find out right away if they are on the wrong system and give out a warning.

Plugins nr 3 could check which system they are on and adjust some internal processes so that they function correctly with the system.

A marker would be helpful, as neither XH nor Gert's version look like going to disappear in the near future, and a name change of CMSimple_XH seems most unlikely. Rather, it looks like the present situation may continue for some time to come :roll:

What about

Code:

$cms = defined('CMSIMPLE_VERSION')
? 'CMSimple 4.x detected'
: 'CMSimple_XH detected'; 

cmb
Posts: 12522
Joined: Tue Jun 21, 2011 11:04 am
Location: Mü-Sa, RLP, DE

Re: Plugins, Addons and Templates from 3-magi.net

Post by cmb » Mon Jun 30, 2014 1:55 pm

mikey wrote: can i just confirm something, did gert's forum show this, without advising XH developers ?

At least, Gert didn't advise me.

svasti wrote: A marker would be helpful, as neither XH nor Gert's version look like going to disappear in the near future, and a name change of CMSimple_XH seems most unlikely.

Even if one of the names were to change to something completely different, that wouldn't solve the issue per se. So a marker would indeed be helpful. I'm not even against introducing another marker to CMSimple_XH (even though there are already CMSIMPLE_XH_VERSION et al.). Of course, a plugin could check itself for e.g. defined('CMSIMPLE_VERSION'), but is there any guarantee that this won't change? And besides, that would not solve the issue for classic CMSimple and CMSimple classic, which still is in use.

Regarding plugin nr 2, I think it is best to do the following check:

Code:

defined('CMSIMPLE_XH_VERSION') && strpos(CMSIMPLE_XH_VERSION, 'CMSimple_XH') === 0

(plus an additional check with version_compare(), if necessary)

Christoph M. Becker – Plugins for CMSimple_XH, but not for CMSimple 4+

svasti
Posts: 1650
Joined: Wed Dec 17, 2008 5:08 pm
Location: Bielefeld, Germany

Re: Plugins, Addons and Templates from 3-magi.net

Post by svasti » Mon Jun 30, 2014 4:21 pm

I just looked at Gert's code, which has:

Code:

// version-informations
define('CMSIMPLE_XH_VERSION', 'CMSimple 4.4.3'); //for compatibility CMSimple_XH
define('CMSIMPLE_XH_BUILD', 2014060801); //for compatibility CMSimple_XH
define('CMSIMPLE_XH_DATE', '2014-06-08'); //for compatibility CMSimple_XH

define('CMSIMPLE_VERSION', 'CMSimple 4.4.3');

I understand that he has CMSIMPLE_XH_VERSION, because he starts out with XH 1.5.3, but then he should rather stay with the original:

Code:

define('CMSIMPLE_XH_VERSION', 'CMSimple_XH 1.5.3');
define('CMSIMPLE_XH_BUILD', 2012031901);
define('CMSIMPLE_XH_DATE', '2012-03-19');

Now XH has

Code:

define('CMSIMPLE_XH_VERSION', 'CMSimple_XH 1.6.2');
define('CMSIMPLE_XH_BUILD', '2014052201');
define('CMSIMPLE_XH_DATE', '2014-05-22');

So it should be possible for a plugin to determine if XH is used.
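
The check discussed in the posts above, applied to the three CMSIMPLE_XH_VERSION values quoted in this thread. This is an added example, not part of the thread or of any plugin; the function name and return labels are hypothetical, and the 1.5.4 minimum is the version boundary named in the first post.

```php
<?php
// Added example, not code from the thread or from any plugin.
// xh_host_status() and its return labels are hypothetical names.

/**
 * Classify the host CMS from the value of CMSIMPLE_XH_VERSION.
 *
 * @param string|null $xhVersion  value of CMSIMPLE_XH_VERSION, or null if undefined
 * @param string      $minVersion minimum CMSimple_XH version the plugin requires
 * @return string
 */
function xh_host_status($xhVersion, $minVersion)
{
    $prefix = 'CMSimple_XH ';
    // The constant existing proves nothing: CMSimple 4.x defines it too,
    // for compatibility, with a value that starts with "CMSimple 4".
    if (!is_string($xhVersion) || strpos($xhVersion, $prefix) !== 0) {
        return 'not CMSimple_XH';
    }
    // Compare only the numeric part that follows the product name.
    $number = substr($xhVersion, strlen($prefix));
    if (version_compare($number, $minVersion, '<')) {
        return 'CMSimple_XH too old';
    }
    return 'supported';
}

// Constructed inputs: the three values quoted in the thread, plus "undefined".
$samples = array(
    'CMSimple 4.4.3',
    'CMSimple_XH 1.5.3',
    'CMSimple_XH 1.6.2',
    null,
);
foreach ($samples as $value) {
    printf("%-22s => %s\n", var_export($value, true), xh_host_status($value, '1.5.4'));
}

// In a plugin, the value would come from the constant itself.
$actual = defined('CMSIMPLE_XH_VERSION') ? CMSIMPLE_XH_VERSION : null;
if (xh_host_status($actual, '1.5.4') !== 'supported') {
    // Refuse to load the plugin administration on an unsupported host.
    echo "This plugin requires CMSimple_XH 1.5.4 or later.\n";
}
```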

cmb
Posts: 12522
Joined: Tue Jun 21, 2011 11:04 am
Location: Mü-Sa, RLP, DE

Re: Plugins, Addons and Templates from 3-magi.net

Post by cmb » Mon Jun 30, 2014 4:58 pm

svasti wrote: I understand that he has CMSIMPLE_XH_VERSION, because he starts out with XH 1.5.3, but then he should rather stay with the original:

Code:

define('CMSIMPLE_XH_VERSION', 'CMSimple_XH 1.5.3');
define('CMSIMPLE_XH_BUILD', 2012031901);
define('CMSIMPLE_XH_DATE', '2012-03-19');

+1

Christoph M. Becker – Plugins for CMSimple_XH, but not for CMSimple 4+
