ExpressionEngine 1.6.8: The Security Hole and EllisLab’s Response

July 23, 2009

So, EllisLab just released an update to ExpressionEngine, bringing it to version 1.6.8.

There is a major reason you should update to 1.6.8: there’s a security hole in 1.6.7.  It’s not an out-of-the-box security hole, but it’s still a very significant one, and it’s one that many of our existing clients are exposed to.  How do we know? Because our programmer, Justin, found it and we brought it to EllisLab’s attention.

Now, I’ve said before that one of the biggest reasons we use and recommend Expression Engine is because of their security record.  Does that still hold true even in light of the problem in 1.6.7? Actually, yes, more than ever.  We reported our discovery to EllisLab by email just three days ago, on Monday at 5:30 p.m. There was a patched version of the file in my inbox on Tuesday at 8:30 a.m.  Seriously: when do these people sleep?

On Tuesday, together with EllisLab, we expanded the scope of the testing, and reported some smaller edge cases that still needed to be dealt with.  By the end of Tuesday, EllisLab had caught all the interactions relating to this hole and gave us a final patch.

I was then expecting that there would be a new build of EE in a week or two, and was even wondering how I might deal with the situation if EllisLab was slow to patch, given how much else they had going on right now and given that this wasn’t a known exploit.  I now know I had nothing to worry about.  Not only did we not have to wait a week; by Thursday morning there was a new point release, not just a build release.  Well, I know the EllisLab folks aren’t the ones to pat themselves on the back, so let me be the one to do so: Leslie and Derek, you guys are fast, smart and professional, and to anyone else involved in the release, I’m astounded by your responsiveness.

So if you’re wondering: does EE have a perfect safety record? Nope.  Neither does any software I can think of.  However, I can say that my belief in EE as the most secure CMS out there is further cemented by this recent experience. EllisLab took the problem seriously and dealt with it efficiently and appropriately.

Posted by Travis Smith at 2:17 PM


Comments

I can attest to what Travis wrote. I reported a persistent cross-site scripting issue [1] to EE earlier this year. As you can see from the timeline, they responded with diligence.

A lot of people complain when software has a large number of vulnerabilities, sure that’s one metric. We have to remember that software will never be perfect and 100% vulnerability free. How a company responds and fixes issues says a lot about them. Expression Engine excels at taking care of security issues.

[1] - http://www.ngenuity.org/wordpress/2009/01/28/ngenuity-2009-003-expressionengine-persistent-cross-site-scripting/

By Adam Baldwin on Jul 23, 2009

Thanks for letting us know about the latest ExpressionEngine 1.6.8 and the loopholes in 1.6.7. The information provided would be really beneficial for all of us.
Thank you.
David Moore
Technical Support Head
Recovery Bull Software

By David Moore from USA on Aug 18, 2009

It includes an important security update; many thanks to Travis and Justin from HopStudios for discovering and reporting the issue. A large number of changes were needed to make ExpressionEngine compatible with PHP version 5.3.0.
We have added a bridge for add-on developers to narrow the gap between developing add-ons for 1.x and 2.x.

By Search engine Optimization company in india on Aug 31, 2009

I tried the Expression Engine (freely-downloadable Core edition) CMS. I didn’t much care for it; though it might be useful if you want to store many different (complete) HTML pages in a database and have an interface to edit them with. That’s not however exactly what I think a “content management system” should be; that’s more of a markup management system.

I just didn’t find the system inspiring; as a user, it’s hard to pinpoint why, specifically, beyond saying that the administrative interface seemed unintuitive. As a developer and systems administrator I was also pretty disturbed when I looked at the source of the installation script: 4168 lines of PHP, nearly all global-scope code, with MySQL queries, HTML, and CSS interspersed along the way.
Thanks.

By Ilumina? on Nov 5, 2009

Where can we get the latest version of EE?
Secrets Silversands Reservations

By Judith from United States on Dec 3, 2009

I heard that ExpressionEngine 2.1 will be considered the full release and be a free upgrade from ExpressionEngine 2.0 PB. Is this true?

By RevAbs from United States on Dec 8, 2009

I think that’s true. I’ve read it somewhere. I just can’t remember which site it was.

By Handyman London from United Kingdom on Dec 9, 2009

I’m not that confident with ExpressionEngine 1.6.8. I’m still using the older version.

By pallet delivery from United States on Dec 26, 2009

ExpressionEngine 1.6.8 includes an important security update, and a large number of changes were needed to make ExpressionEngine compatible with PHP version 5.3.0.

By Safety Training from United States on Dec 29, 2009

A large number of changes were needed to make ExpressionEngine compatible with PHP version 5.3.0.

By newsletter printing services from United States on Jan 15, 2010

Expression Engine 2.0.1 was launched recently. Has anyone tried it?

By typo3 templates on Feb 2, 2010

Thanks for sharing this post.

By insanity from usa on Feb 6, 2010

I had not upgraded my joomla site and it got hacked into.  I never backed up any of my stuff so I was totally screwed!

By Paul the Handyman from USA on Feb 21, 2010

I guess most web developers are already aware of that by now; based on this information, even those who don’t use ExpressionEngine may have a good idea about the CMS. Thanks for keeping us informed!

By outrank.com reviews on May 5, 2010

You guys do a great job of keeping us informed. That’s why I keep coming back. Thanks for staying diligent.

By Tony on Dec 21, 2010

I was impressed by the well-designed UI and the flexibility of EE’s templating engine. There are definitely lessons the Drupal community can learn from their attention to detail. In fact, as I explored the EE support forums, I discovered a great deal of antagonism towards Drupal—to my surprise, it wasn’t based on features or learning curve, but on the idea that Drupal is insecure.

By seo on May 2, 2011
