We are releasing a security patch. This patch addresses a CSRF vulnerability reported to us which allows someone with advanced knowledge the ability to take over an account by changing the email if the website allows HTML and if advanced code were injected to the website due to allowing HTML or iframes. We recommend that all SocialEngine PHP websites apply the patch as a precaution.
You don’t need to do a full upgrade. Follow these steps to just apply the patched file.
- Download the current files from your account at socialengine.com/login .
- Untar (similar to unzipping) the upgrade files or unzip the SocialEngine zip file. Either will work as they both have this fix.
- Open the application/modules/User/Form/Settings/ folder.
- Find the file “General.php” and using an FTP program or cpanel, upload that file to the same folder on your server, application/modules/User/Form/Settings . You may want to backup the current file on your server first, in case you need to revert it.
- Clear your website cache.
Changelog:
- application/modules/User/Form/Settings/General.php
We recommend not allowing members to add iframes and only allowing HTML to be used by trusted members.
Should you decide to perform an upgrade we highly encourage all clients to do a complete backup of both files and database before performing upgrades. Please have the backup performed by your host or a developer if you’re not comfortable with performing it yourself. Always check with third party experts for compatibility with any products you use before upgrading.
Important: If you decide to do a full upgrade and are on version 4.9.4p1 or below, you will need to follow the special steps in the upgrading documents before upgrading and apply the patch mentioned there.
If you find any issues, please let us know by filing a bug report in our Bug Tracker. We’d like to encourage you to stay connected with the community. Security issues should be reported to our support desk by emailing us at support@socialengine.com.
We would like to extend our greatest appreciation to Sanjay Lendhar who brought this vulnerability to our attention via our support channel. It is with the help of our clients that we continue to improve.
With Great Appreciation,
The SocialEngine Team
