A security exploit was discovered today affecting both the SocialEngine Core (up to version 4.1.2p1) and the Forum plugin (up to version 4.1.2). The exploit allows a registered user to delete content that doesn’t belong to them. While this won’t threaten the integrity of your server or even your SocialEngine installation itself, it does pose a risk to the content added by your own users.
Anyone using these versions on their current installations should upgrade immediately.
To upgrade the Forum plugin, please login to the client area, download the latest version of the Forum plugin (version 4.1.2p1), and follow the package installation instructions.
To solve the exploit in the SocialEngine Core, you can download the patch here. Follow the package installation instructions to perform the upgrade. If you would prefer to apply the fix directly to your site, simply open /application/modules/Authorization/Controller/Action/Helper/RequireAuth.php to line 61. You should see the following:
public function setAuthParams($resource = null, $role = null, $action = null)
{
Change it to:
public function setAuthParams($resource = null, $role = null, $action = null)
{
$this->clearAuthParams();
We sincerely apologize for the inconvenience. We take security issues VERY seriously and dedicated 100% of our technical staff to get this fix out right away. If you have any questions, please don’t hesitate to contact us or post a comment here.
Update: It has come to our attention that if you have the Events plugin and apply the fix above, an error occurs on the My Events page. To solve this issue, open /application/modules/Event/controllers/IndexController.php to line 125 and change
if( !$this->_helper->requireAuth()->setAuthParams(null, null, 'edit')->isValid() ) return;
to
if( !$this->_helper->requireAuth()->setAuthParams('event', null, 'edit')->isValid() ) return;
This fix will be included in the version 4.1.3 release this Wednesday
