
Security Issue in ExpressionEngine (pre-1.6.6)

As a Hop Studios client, we keep you informed about security updates that affect the software you use. This one is particularly important, as it concerns ExpressionEngine. In a nutshell:

  • A small but serious security hole in ExpressionEngine has been discovered.
  • Upgrading to 1.6.6 fixes this.
  • Upgrading takes about an hour for a site with not much customization, and our standard hourly rate is $140.
  • The license fee for the upgraded software is between free and $39.

Please let us know if you want to upgrade, and we will schedule you in; we expect many requests, and we’ll get to you as soon as possible in the order you respond.

Now, the details…

=-=-=

This email assumes you know which version of the site software you’re using.

In ExpressionEngine, this is the number at the bottom of every page of the control panel.

=-=-=


SECURITY UPDATES (ExpressionEngine)

The latest release of ExpressionEngine, 1.6.6, fixes a security hole. We have not been told exactly what security hole is patched. The developers say that it is a very minor issue that would only affect display of submitted text on the site, but that there is a very small chance that, through interactions with third-party software, it could be “quite serious.” Here is their blog post about it:

http://expressionengine.com/blog/entry/expressionengine_1.6.6_security_update/

The last significant EE security problem was in 1.4.2, about three years ago.  For a software product as large and powerful and widely used as EE, this is a tremendous safety record.  Our confidence in EE is still very high.  But we do recommend very strongly that you upgrade now to 1.6.6, no matter what earlier version of EE you are running.

=-=-=

GENERAL UPDATES (ExpressionEngine)

ExpressionEngine is now at version 1.6.6.  We’ve been hoping for a 2.0 version to be released some time soon, but it has been pushed back several times.  Meanwhile, new features keep showing up in the 1.6 branch, which is very stable and well-supported.

Here’s what’s new since 1.6.1, the last time we emailed you…

  • Overall, in the past year, about 210 minor tweaks have been made and bugs fixed. Some of the glitches are very, very small, but that shows a very healthy, living piece of software.

Version 1.6.6

  • We just told you
  • Plus about 16 other small fixes

Version 1.6.5

  • Major overhaul of Auto-XHTML typography. More intelligent, more flexible, and improved performance.
  • Added Global Template Preference for Strict URLs.
  • Added a redirect= global variable.
  • Added content-type header to html page output, as some servers don’t seem to declare the type.
  • Added “jQuery for the Control Panel” extension for developers to add jQuery to the control panel.
  • Increased the column size of search queries so extremely large results are not truncated due to column size.
  • Updated the Magpie plugin to use the latest version of the Snoopy connection library, v1.2.4

Version 1.6.4

  • Added if no_results conditional to Category Heading tag.
  • Added sanitization for a deprecated HTML tag that could be abused in user input in Internet Explorer.
  • Modified SAEF preview to allow for conditionals on custom fields.
  • Modified XSS sanitization to no longer add semicolons after &[single letter], such as in M&M’s, B&B, etc.
  • Modified XSS sanitization to no longer strip XHTML image tags of closing slashes.
  • Improved security and performance of cross-site scripting filter.
  • Modified expired CAPTCHA cleanup to be more performance friendly when experiencing unusually high traffic spikes.
  • Changed the gallery preferences to hide font size when TrueType fonts are not used and this option is not available.
  • Changed some code in category URL title discovery to work around a bug in PHP 5.0.1.
  • Removed a hardcoded reference to ‘More News…’ in the CP homepage, and replaced it with a language variable.

Version 1.6.3

  • Increased security with uploaded file names to prevent Apache from overzealously parsing a file as a script.
  • Modified the weblog search so that case insensitivity is forced.
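The 1.6.3 upload-name fix above refers to a well-known Apache behaviour: with `AddHandler`, mod_mime matches a handler against any extension in a filename, so an upload named `report.php.jpg` can be run as PHP even though it “ends in” .jpg. The following is an added illustration, not ExpressionEngine’s own code (EE is written in PHP; this is Python so it can be run as-is). The `ALLOWED_EXTENSIONS` set and the function names are assumptions for the example; the idea is simply to collapse every interior dot so only one, allow-listed extension survives.

```python
import re
from typing import Optional

# Assumed allow-list for this example's upload directory (not EE's list).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}

# Extensions a typical Apache AddHandler line maps to the PHP handler
# (constructed for the example; adjust to the server's actual config).
SCRIPT_HANDLER_EXTENSIONS = {"php", "phtml", "php5"}

_UNSAFE_CHARS = re.compile(r"[^A-Za-z0-9_-]+")


def has_script_extension(filename: str) -> bool:
    """Model mod_mime's multi-extension matching: True if *any* dotted
    component after the first would select the script handler."""
    components = filename.split(".")[1:]
    return any(part.lower() in SCRIPT_HANDLER_EXTENSIONS for part in components)


def safe_upload_name(filename: str) -> Optional[str]:
    """Return a hardened filename, or None if the upload should be rejected."""
    # Strip any directory components, accepting both / and \ separators.
    base = filename.replace("\\", "/").rsplit("/", 1)[-1].strip()
    if not base or base.startswith("."):
        return None  # empty or dotfile (e.g. .htaccess): reject outright
    parts = base.split(".")
    if len(parts) < 2:
        return None  # no extension at all: nothing to allow-list against
    ext = parts[-1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return None
    # Everything before the final extension becomes one stem; interior
    # dots turn into underscores so Apache never sees a second extension.
    stem = "_".join(parts[:-1])
    stem = _UNSAFE_CHARS.sub("_", stem).strip("_")
    if not stem:
        stem = "upload"
    return f"{stem}.{ext}"


if __name__ == "__main__":
    # Constructed sample uploads, as a user might submit them.
    for name in ["report.php.jpg", "photo.JPG", "../../shell.phtml",
                 "my photo (1).png", ".htaccess", "notes.txt"]:
        safe = safe_upload_name(name)
        print(f"{name!r:24} -> {safe!r:18} "
              f"before: {has_script_extension(name)} "
              f"after: {safe is not None and has_script_extension(safe)}")
```

The second function exists only to make the risk visible: `report.php.jpg` matches the script handler before renaming and no longer does after, while names with a disallowed final extension or no extension are rejected rather than “repaired”.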

Version 1.6.2

  • Added a Last-Modified header to the output of stylesheet= pages in order to reduce load with 304 Not Modified headers.
  • Added the ability to change the case of Gallery Category names without changing the spelling.
  • Modified Publish page title focus to only occur for new entries.

The full change log is here:
http://expressionengine.com/docs/changelog.html

=-=-=

We hope this helps you understand the necessity for this upgrade.
