SocialEngine Blog


Important Security Patch

A security vulnerability was discovered today affecting both the SocialEngine Core (up to version 4.1.2p1) and the Forum plugin (up to version 4.1.2). It allows a registered user to delete content that does not belong to them. While this does not threaten the integrity of your server or of the SocialEngine installation itself, it does put the content added by your own users at risk.

Anyone using these versions on their current installations should upgrade immediately.

To upgrade the Forum plugin, please log in to the client area, download the latest version of the Forum plugin (version 4.1.2p1), and follow the package installation instructions.

To fix the vulnerability in the SocialEngine Core, you can download the patch here and follow the package installation instructions to perform the upgrade. If you would prefer to apply the fix directly to your site, open /application/modules/Authorization/Controller/Action/Helper/RequireAuth.php at line 61. You should see the following:

public function setAuthParams($resource = null, $role = null, $action = null)
{

Change it to:

public function setAuthParams($resource = null, $role = null, $action = null)
{
    $this->clearAuthParams();

The added call resets the helper's stored resource, role and action at the start of every call, so each authorization check is evaluated only against the parameters it is given and never against values left behind by an earlier setAuthParams() call in the same request.

We sincerely apologize for the inconvenience. We take security issues VERY seriously and dedicated 100% of our technical staff to get this fix out right away. If you have any questions, please don’t hesitate to contact us or post a comment here.

Update: It has come to our attention that if you have the Events plugin and apply the fix above, an error occurs on the My Events page. That page's check passes a null resource, which the fix no longer fills in from a previous call, so the resource must now be named explicitly. To solve this issue, open /application/modules/Event/controllers/IndexController.php at line 125 and change

if( !$this->_helper->requireAuth()->setAuthParams(null, null, 'edit')->isValid() ) return;

to

if( !$this->_helper->requireAuth()->setAuthParams('event', null, 'edit')->isValid() ) return;

This fix will be included in the version 4.1.3 release this Wednesday.
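To make the class of bug concrete, here is an added illustration that is not SocialEngine's code: a simplified stand-in for the RequireAuth helper, written for PHP 8, in which a null argument to setAuthParams() leaves the previously stored value in place. That pre-fix behaviour is an assumption, chosen because it is consistent with the one-line clearAuthParams() fix above and with the Events follow-up. The OwnedContent class, the owner-based policy in isValid(), the $patched flag and the call sequence in simulateRequest() are all constructed for this example; SocialEngine passes a resource name such as 'event' where this stand-in passes an object.

```php
<?php
// Added illustration (not SocialEngine's code) of stale authorization parameters
// leaking between checks in a request-scoped helper. Class names, the ownership
// policy and the call sequence below are assumptions made for the example.

final class OwnedContent
{
    public function __construct(public string $type, public int $ownerId) {}
}

final class RequireAuthHelper
{
    private ?OwnedContent $resource = null;
    private ?string $role = null;
    private ?string $action = null;

    public function __construct(private int $viewerId, private bool $patched) {}

    public function clearAuthParams(): static
    {
        $this->resource = null;
        $this->role = null;
        $this->action = null;
        return $this;
    }

    // Assumed pre-fix behaviour: a null argument keeps whatever was stored before,
    // so parameters from an earlier check in the same request carry into this one.
    public function setAuthParams(?OwnedContent $resource = null, ?string $role = null, ?string $action = null): static
    {
        if ($this->patched) {
            $this->clearAuthParams(); // the one-line fix from the post
        }
        if ($resource !== null) {
            $this->resource = $resource;
        }
        if ($role !== null) {
            $this->role = $role;
        }
        if ($action !== null) {
            $this->action = $action;
        }
        return $this;
    }

    // Assumed policy: edit/delete is valid only against content the viewer owns;
    // with no resource at all the check fails closed instead of guessing.
    public function isValid(): bool
    {
        if ($this->action === null) {
            return false;
        }
        if (in_array($this->action, ['edit', 'delete'], true)) {
            return $this->resource !== null && $this->resource->ownerId === $this->viewerId;
        }
        return true;
    }
}

// Constructed scenario: three authorization checks made through the same helper
// instance within one request, run once unpatched and once patched.
function simulateRequest(bool $patched): array
{
    $viewerId   = 7;
    $helper     = new RequireAuthHelper($viewerId, $patched);
    $ownTopic   = new OwnedContent('forum_topic', ownerId: 7);
    $otherTopic = new OwnedContent('forum_topic', ownerId: 42);

    // Check 1: the viewer edits their own topic. Valid with or without the fix.
    $ownEdit = $helper->setAuthParams($ownTopic, null, 'edit')->isValid();

    // Check 2: a delete where the caller supplies only the action. Unpatched, the
    // helper still holds $ownTopic, so the check passes even though the request is
    // really about $otherTopic; patched, no resource is set and the check fails.
    $staleDelete = $helper->setAuthParams(null, null, 'delete')->isValid();

    // Check 3: the correct call after the fix names the content actually being
    // acted on, the same change the Events update makes by passing 'event'.
    $explicitDelete = $helper->setAuthParams($otherTopic, null, 'delete')->isValid();

    return [
        'own_edit'        => $ownEdit,
        'stale_delete'    => $staleDelete,
        'explicit_delete' => $explicitDelete,
    ];
}

foreach ([false, true] as $patched) {
    printf("%s: %s\n", $patched ? 'patched  ' : 'unpatched', json_encode(simulateRequest($patched)));
}
```

Run it with the php command-line interpreter. Unpatched, the second check is accepted on the strength of the resource left behind by the first check, which is the pattern that lets a user act on content that is not theirs; patched, that check fails closed and the caller has to name the resource it is acting on, which is exactly why the Events controller needed the explicit 'event' argument after the fix.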

27 Comments

  1. Posted March 12, 2011 at 12:19 am | Permalink

    Nice. Kudos for the quick action guys :)

  2. Ed Winston
    Posted March 12, 2011 at 12:51 am | Permalink

    Presumably 3.x is not affected?

  3. Charlotte
    Posted March 12, 2011 at 12:54 am | Permalink

    @Ed – Yup, you should be fine.

  4. C
    Posted March 12, 2011 at 3:51 am | Permalink

    Forum version 4.1.2p2 is not there when I'm in the Account section. It still says 4.1.2p1.

  5. James
    Posted March 12, 2011 at 2:51 pm | Permalink

    SocialEngine team has developed into a more mature software company. Just remember your customers are a major part of your development and keep us informed and in the loop in your development process. Kudos to the SocialEngine Team … keep up the good work.

  6. dede
    Posted March 12, 2011 at 3:21 pm | Permalink

    After this fix on Core the "We are sorry…" message appears on " My Events" page

  7. Posted March 12, 2011 at 7:29 pm | Permalink

    How do I know if Hello Dicky dot com is using the most recent updated SE?

  8. Charlotte
    Posted March 12, 2011 at 7:30 pm | Permalink

    @CP – Sorry about that, it was a typo. Forum v4.1.2p1 is the fixed version.

  9. Charlotte
    Posted March 12, 2011 at 7:31 pm | Permalink

    @Brian – Go into your package manager and check the version of the core module you're running. That will tell you what version of SE you're on.

  10. Felicia
    Posted March 13, 2011 at 2:12 am | Permalink

    Thanks SE

  11. roberto
    Posted March 13, 2011 at 11:08 am | Permalink

    It would be great if in the next upgrade you integrated the epoch.com payment system and allowed the admin to decide how many private messages free and paid users can send to other users, and how many profiles, photos and videos they can view…

    This would help us increase gold members.

    thanks

  12. Paul
    Posted March 13, 2011 at 3:16 pm | Permalink

    After this fix on Core the "We are sorry…" message appears on " My Events" page

  13. Charlotte
    Posted March 13, 2011 at 5:59 pm | Permalink

    @Paul – I've updated the blog entry above with the fix for the issue you encountered.

  14. philip
    Posted March 13, 2011 at 8:17 pm | Permalink

    How about the video embedding on Blogs / Forum? Any updates on that?

  15. Posted March 14, 2011 at 12:47 pm | Permalink

    After upgrading I found this message 'allowed' on a blank page when I put topics on 'Make Sticky'.

  16. Torkild
    Posted March 14, 2011 at 2:19 pm | Permalink

    It is on line 137 in mine.
    A third-party plugin must have modified this and updated this file.
    Any idea who this may be?

  17. Torkild
    Posted March 14, 2011 at 2:38 pm | Permalink

    Line 137 is for version 4.0.5, but file is retained if you upgrade to 4.1.2

  18. Atif
    Posted March 14, 2011 at 8:41 pm | Permalink

    After this patch, log in, go to "my events" and you get this:

    We're sorry! We are currently experiencing some technical issues. Please try again later. Error code: f2f6b6

  19. Charlotte
    Posted March 14, 2011 at 9:02 pm | Permalink

    @Atif – Did you apply the Update in the blog article above?

  20. Wes
    Posted March 15, 2011 at 1:57 am | Permalink

    I am curious… what if I only update the Forum plugin but leave the rest alone? Will this be OK? I have so many changes to the SE script that not only will this create another month's worth of work, but it may also create errors like I see below. Please let me know. Thanks.

  21. Charlotte
    Posted March 15, 2011 at 5:57 am | Permalink

    @Wes – I believe you'll need to update the core to at least v4.1.2 to update the forum plugin. You could try doing a diff on the files to see what has changed since your version or refer to the changelog and simply apply the parts that were changed with the patch to your installation.

  22. Michael
    Posted March 15, 2011 at 7:25 pm | Permalink

    I am having problems updating the build to 4.1.2p1. I am getting the error message: An unknown error has occurred. Any ideas?

  23. Adriana
    Posted March 16, 2011 at 9:46 am | Permalink

    I did both updates and now my groups cannot be accessed?
    Any ideas how to fix this! IT'S URGENT!
    How can I undo this?

  24. Wes
    Posted March 16, 2011 at 3:03 pm | Permalink

    @Charlotte – I am at 4.12 – but not the p1 or 2 version that you currently have listed for download. Will this be ok?

    By the way, ever since I switched to 4.12, my site is VERY slow (and I am running a dedicated server). Any recommendations?

  25. israel
    Posted March 16, 2011 at 9:40 pm | Permalink

    Hello, I am writing because we found too many problems with the registration process. At the moment the user has to copy the captcha, and it's too difficult; please change it for an easier one.
    We understand it's important to have it, but yours is too difficult and the user won't try more than one or two times.

  26. Nick
    Posted March 21, 2011 at 4:11 am | Permalink

    Hello Webligos,

    Thank you for the fix. Will it be included in prior versions?

  27. xxxxx
    Posted March 21, 2011 at 3:52 pm | Permalink

    Hi,

    I am trying to download the SE4 Core upgrade to version 4.1.3 so I can install the other patches but the download isn't working. Is this section of the site down or something? I am able to download the other module patches without any issues.

    Thanks,
    Tom
