We are releasing a critical security patch. It addresses a vulnerability, reported to us today, that allows an attacker with advanced knowledge to view database details. All SocialEngine Self-Hosted websites should apply the patch immediately, without exception. The vulnerability is present in current releases and also dates back to early releases.
You don’t need to do a full upgrade. Follow these steps to apply only the patched file:
- Download the current files from your account at socialengine.com/login.
- Untar (similar to unzipping) the upgrade archive or unzip the SocialEngine zip file. Either will work, as both contain the fix.
- Open the application/ folder.
- Find the file “css.php” and, using an FTP program or cPanel, upload it to the same folder on your server, application/. Back up the current copy on your server first, in case you need to revert it; keep that backup outside the web root so it cannot be served to visitors.
- Change your database user and password. Because the vulnerability can expose database details, treat the existing credentials as compromised. Your host can help you with this; once it is done, edit the application/settings/database.php file and update the credentials there.
- Clear your cache manually by deleting all files in the temporary/scaffold folder via FTP or the cPanel file manager.
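The same single-file patch, scripted for a shell session on the server, as an added example that is not SocialEngine's own code or tooling. It performs the upload, backup and cache-clearing steps above and verifies each one; the only names taken from the advisory are the paths application/css.php and temporary/scaffold, while the function names, argument order, the backup directory and the constructed demo layout are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not SocialEngine code. It scripts the single-file patch steps
# from the advisory for a shell session on the server. Only the paths
# application/css.php and temporary/scaffold come from the advisory; the
# function names, argument layout and the demo layout below are assumptions.
set -eu

# apply_css_patch SITE_ROOT RELEASE_ROOT BACKUP_DIR
#   Overwrites SITE_ROOT/application/css.php with the copy from the extracted
#   release at RELEASE_ROOT/application/css.php, after saving a timestamped
#   backup under BACKUP_DIR. BACKUP_DIR should be outside the web root: a
#   css.php.bak left inside application/ may be served to anyone as plain text.
apply_css_patch() {
    src="$2/application/css.php"
    dst="$1/application/css.php"
    backup_dir="$3"

    [ -f "$src" ] || { echo "patched file missing: $src" >&2; return 1; }
    [ -f "$dst" ] || { echo "live file missing: $dst" >&2; return 1; }
    mkdir -p "$backup_dir"

    # Re-running the script on an already patched site is a no-op.
    if cmp -s "$src" "$dst"; then
        echo "css.php already matches the release copy"
        return 0
    fi

    backup="$backup_dir/css.php.$(date +%Y%m%d%H%M%S).bak"
    cp -p "$dst" "$backup"
    # cp onto the existing file keeps its owner and mode, so the web server's
    # access to the file does not change.
    cp "$src" "$dst"

    # Verify the copy; if it does not match, put the backup straight back.
    if ! cmp -s "$src" "$dst"; then
        cp "$backup" "$dst"
        echo "copy failed, restored $backup" >&2
        return 1
    fi
    echo "patched $dst (backup: $backup)"
}

# clear_scaffold_cache SITE_ROOT
#   Deletes every cached file under temporary/scaffold but keeps the directory.
clear_scaffold_cache() {
    cache="$1/temporary/scaffold"
    [ -d "$cache" ] || { echo "cache directory missing: $cache" >&2; return 1; }
    find "$cache" -type f -exec rm -f {} +
    # Succeed only if nothing is left behind.
    [ -z "$(find "$cache" -type f)" ]
}

# make_demo_layout
#   Builds a throwaway, constructed directory tree that mimics a site and an
#   extracted release (no real SocialEngine files) and prints its path.
make_demo_layout() {
    root=$(mktemp -d)
    mkdir -p "$root/site/application" "$root/site/temporary/scaffold" \
             "$root/release/application"
    printf '<?php /* constructed stand-in for the old css.php */\n' \
        > "$root/site/application/css.php"
    printf '<?php /* constructed stand-in for the patched css.php */\n' \
        > "$root/release/application/css.php"
    printf 'cached' > "$root/site/temporary/scaffold/stale.php"
    echo "$root"
}

# Demo run against the constructed layout; on a real server you would pass the
# document root, the extracted release directory and a backup path instead.
demo=$(make_demo_layout)
apply_css_patch "$demo/site" "$demo/release" "$demo/backups"
clear_scaffold_cache "$demo/site"
rm -rf "$demo"
```

The database credential rotation and the edit to application/settings/database.php are deliberately left out of the script, since the page does not show that file's format; do them by hand, or with your host, after the file is in place. The backup is written outside the document root on purpose: a leftover css.php.bak inside application/ is not executed as PHP by a typical server and can be downloaded as source.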
Changelog:
- application/css.php
Should you decide to perform a full upgrade, we strongly encourage all users to make a complete backup of both files and database before upgrading. Have the backup performed by your host or a developer if you are not comfortable doing it yourself. Always check with the third-party vendors of any products you use for compatibility before upgrading.
Important: if you do a full upgrade and are on version 4.9.4p1 or below, you must first follow the special steps in the upgrade documentation and apply the patch mentioned there.
If you find any issues, please let us know by filing a bug report in our Bug Tracker. We also encourage you to stay connected with the SocialEngine community. Security issues should be reported to our support desk by emailing us at sales@socialengine.com.
We would like to extend our greatest appreciation to OKPAR Company (OKPAR Team), who brought this vulnerability to our attention via our support channel. It is with the help of our clients that we continue to improve.
With Great Appreciation,
The SocialEngine Team