SocialEngine PHP 4.10.3p4 Critical Security Release

    • Moderator
    • 6923 posts
    October 26, 2018 1:19 PM EDT

    We are releasing a critical security patch. This patch addresses a vulnerability reported to us today which allows someone with advanced knowledge to view database details. All SocialEngine PHP websites should immediately apply the patch without exception. This vulnerability appears in current releases and also dates back to early releases.

    You don’t need to do a full upgrade. Follow these steps to just apply the patched file.

    • Download the current files from your account at socialengine.com/login.
    • Untar (similar to unzipping) the upgrade files or unzip the SocialEngine zip file. Either will work as they both have this fix.
    • Open the application/ folder.
    • Find the file “css.php” and, using an FTP program or cpanel, upload that file to the same folder on your server, application/. You may want to back up the current file on your server first, in case you need to revert it.
    • Change your database user and password. Your host can help you with that and once done, you’ll need to edit the application/settings/database.php file and change the details there.
    • You’ll need to manually clear your cache from the temporary/scaffold folder by deleting all files in that folder via FTP or cpanel file manager. Leave the index.php file in there.

    Changelog:

    • application/css.php

    Should you decide to perform an upgrade we highly encourage all users to do a complete backup of both files and database before performing upgrades. Please have the backup performed by your host or a developer if you’re not comfortable with performing it yourself. Always check with third party experts for compatibility with any products you use before upgrading.

    Important: If you decide to do a full upgrade and are on version 4.9.4p1 or below, you will need to follow the special steps in the upgrading documents before upgrading and apply the patch mentioned there.

    If you find any issues, please let us know by filing a bug report in our Bug Tracker. Security issues should be reported to our support desk by emailing us at support (at) socialengine (dot) com.

    We would like to extend our greatest appreciation to OKPAR Company (OKPAR Team) who brought this vulnerability to our attention via our support channel. It is with the help of our clients that we continue to improve.

    With Great Appreciation,

    The SocialEngine Team


    This post was edited by socialenginestaff at October 31, 2018 5:03 AM EDT
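    Worked example of steps 4 and 6 of the patch procedure in the post above, added here for illustration; it is a POSIX shell script written for this page, not SocialEngine's own code or tooling. It assumes the site root is passed as the first argument and the patched css.php from the unpacked download as the second (the script name apply_se_patch.sh and the function names are hypothetical). The database credential change in step 5 is left as a manual step.

```shell
#!/bin/sh
# Hypothetical helper for the SocialEngine 4.10.3p4 css.php hotfix.
# Not SocialEngine's own code: written here to illustrate the manual steps.
# Usage: sh apply_se_patch.sh /path/to/site/root /path/to/unpacked/application/css.php

# Step 4: back up the live css.php, then overwrite it with the patched copy.
# Writing through ">" keeps the existing file's owner and mode bits, so the
# web server can still read it afterwards.
apply_css_patch() {
    site_root=$1
    patched=$2
    target="$site_root/application/css.php"
    [ -f "$target" ] || { echo "missing $target" >&2; return 1; }
    cp -p "$target" "$target.bak"      # revert with: mv css.php.bak css.php
    cat "$patched" > "$target"
}

# Step 6: empty temporary/scaffold, files AND subfolders, but keep index.php.
# Deleting the contents rather than the folder itself leaves the folder's
# own permissions untouched, so nothing needs to be reset afterwards.
clear_scaffold() {
    scaffold="$1/temporary/scaffold"
    [ -d "$scaffold" ] || { echo "missing $scaffold" >&2; return 1; }
    find "$scaffold" -mindepth 1 -maxdepth 1 ! -name index.php -exec rm -rf -- {} +
}

# Check: number of entries left under scaffold other than index.php (expect 0).
scaffold_leftovers() {
    find "$1/temporary/scaffold" -mindepth 1 ! -name index.php | wc -l | tr -d ' '
}

if [ $# -eq 2 ]; then
    apply_css_patch "$1" "$2"
    clear_scaffold "$1"
    echo "leftover cache entries: $(scaffold_leftovers "$1")"
    echo "now rotate the DB user/password and update application/settings/database.php"
fi
```

Run it on the server as the same user that owns the site files so the backup and the overwritten css.php keep their ownership; if you only have FTP or cpanel access, the same two steps are done by hand as the post describes.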
    • 1 posts
    October 26, 2018 5:15 PM EDT

    When clearing the cache at temporary/scaffold - in addition to the CSS files, should you also clear(delete) the folder? I have a folder in that directory called application that also contains CSS files from the theme we are using.


    So is it delete all files or delete all files and folders in the temporary/scaffold area?

    • Moderator
    • 6923 posts
    October 26, 2018 7:16 PM EDT

    The steps say to clear all files but leave the index.php in that scaffold folder. When we say clear all files, we mean files and folders. You could just rename the folder and copy the index.php file from it into a new scaffold folder you make, but make sure you set the permissions back the way they were in order for stuff to work.


    This post was edited by socialenginestaff at October 26, 2018 7:17 PM EDT
    • 201 posts
    October 29, 2018 7:48 PM EDT

    Hi Donna. I’ve been looking at this and I can see that a mistake in the process could be a real problem. I know SE provides an upgrade service or will apply the patch, but I just can’t seem to find it to buy in my dashboard or in the marketplace. Would you have a link to that service?
    • Moderator
    • 6923 posts
    October 30, 2018 4:23 AM EDT

    If you have support, we will apply the patch for you under your support plan for an issue like this, so you don't need to purchase the upgrade service unless you are below 4.10.3p3 and just want to upgrade. If so, please contact us via your support ticket (log in at socialengine.com/login and click the support area) and we can give you a link in a ticket. Alternatively, after being logged in, go to the marketplace and you'll see the menu there for the customer store where the install, upgrade and other services are purchased.