VERSION 2.62 - JULY 15, 2014 - (SECURITY ENHANCEMENTS) - Aug 30th, 2014
|
SERVER REQUIREMENTS: Since v2.50 the requirements are: PHP 5.2.4+ and MySQL 5.0+
NEW FEATURES
- Code Generator: Added new code generator for Category Menus
- Email Templates: Added new fields for: CC, BCC, and Reply-to
- Security: Added new "Security Settings" section under: Admin, General Settings
- Security: Custom generated "Security Tips" for the current server and connection are now displayed in red under "Security Settings"
- Security: Numerous security enhancements and new features (see below):
SECURITY ENHANCEMENTS
- Security: Password encryption is now required (ALL previous passwords are automatically encrypted on cms upgrade, a failed logins, or first login with a plaintext password)
- Security: To prevent identification, program version, build, and license info are now hidden from HTML footer code
- Security: expose_php is now disabled in /cmsb/php.ini to prevent broadcasting PHP version (custom php.ini not supported on all servers)
- Security: Enabled secure cookies by default - all cookies set on HTTPS:// connections can't be read from HTTP:// connections
- Security: PHP Sessions now force and require secure cookies when created on HTTPS:// connections
- Security: All PHP errors and warnings are now logged in a common file for easy review.
- Security: PHP errors are now all logged in the same secure log file which is here: data/php_error.log.php
- Security: Disabled browser autocomplete on all CMS forms with HTML5 attribute autocomplete="off" (previously done with javascript)
- Security: Disabled browser autocomplete on all password input fields with HTML5 attribute autocomplete="off"
- Security: Disabled browser autocomplete for browsers that ignore autocomplete with hidden field workaround: http://crbug.com/352347#c11
- Security: Added 1-3 second delay after failed login attempt to delay brute-force dictionary password attacks
- Security: Post-login redirects are now limited to application urls only
- Security: CMS uploads and assets (js libraries, etc) are now stored separately to prevent revealing admin folder name
- Security: CMS now displays a warning and automatically rejects form submissions from outside the CMS to prevent CSRF attacks
- Security: CMS now displays a warning and automatically rejects links from outside the CMS to prevent CSRF attacks
- Security: CMS now displays a warning for direct/manual links with no referer to prevent CSRF attacks
- Security: CMS menus now only accept POST form submissions to prevent CSRF (Cross-Site Request Forgery) attacks
- Security: CMS menus now check HTTP_REFERER and only accept form submissions from the CMS url to prevent CSRF attacks
- Security: CMS menus now warn when no HTTP_REFERER is sent to prevent CSRF and malicious URL attacks
- Security: CMS menus now check for unique session token on each form submission to prevent CSRF attacks
CODE CHANGES & BUG FIXES
- WYSIWYG: Fixed issue where wysiwyg wouldn't work on some servers that had output compression enabled
- WYSIWYG: Added workaround for servers with broken gzencode() function that always returned 'stream error'
- Bugfix: Added workaround for white-screen segfault/crash bug in PHP versions before 5.2.14 or 5.3.3 - https://bugs.php.net/bug.php?id=51552
- Bugfix: prevent realUrl() and redirectBrowserToUrl() from returning multiple slashes in some situations
- Bugfix: Fixed issue where cms list search fields showed as selected if they had a value of zero
- Bugfix: Fixed case of useDatePicker (uppercase P) in settings file, corrects issue that caused datepicker option to be unselectable in settings
- Bugfix: My Account menu wouldn't let you save settings unless you entered password again (should only be requied when changing password)
- Bugfix: Default Account "Expiry Date" field year range now defaults to 5 years before/ahead of current date, not 2008-2016
- Bugfix: Background Tasks cron.php script will not dispatch any tasks unless software is installed.
- Bugfix: saveSettings() won't allow settings to be saved from command-line scripts until software has been installed from web
- Compatibility: Rewrote code that could not be uploaded to some GoDaddy FTP servers due to false-positive from server-side virus scanner.
- Compatibility: Fixed a problem with getPrevAndNextRecords() which caused it not to function correctly on some MySQL servers.
- Compatibility: Added improved detection for "Suhosin PHP patch" to Admin > General to help debugging of issues caused by Suhosin
- Compatibility: Improved outbound network connectivity test that is run on install to detect common network misconfigurations and provide tips.
- Plugins: Added new filters: showUploadPreview_html
- Misc Code and other minor improvements
|
The materials on this web site have been created for use with CMS Builder content management software. CMS Builder software is published and licensed for use by InteractiveTools.com. Please contact
Interactive Tools for information on the downloading of the software or the purchasing of licenses.