We are releasing a critical security patch. This patch addresses a vulnerability reported to us today that allows someone with advanced knowledge to view database details. All SocialEngine PHP websites should apply the patch immediately, without exception. This vulnerability appears in current releases and also dates back to early releases.
You don’t need to do a full upgrade. Follow these steps to apply just the patched file.
Changelog:
Should you decide to perform an upgrade, we highly encourage all users to do a complete backup of both files and database before upgrading. Please have the backup performed by your host or a developer if you’re not comfortable performing it yourself. Always check with third-party experts for compatibility with any products you use before upgrading.
Important: If you decide to do a full upgrade and are on version 4.9.4p1 or below, you will need to follow the special steps in the upgrading documents before upgrading and apply the patch mentioned there.
If you find any issues, please let us know by filing a bug report in our Bug Tracker. Security issues should be reported to our support desk by emailing us at support (at) socialengine (dot) com.
We would like to extend our greatest appreciation to OKPAR Company (OKPAR Team) who brought this vulnerability to our attention via our support channel. It is with the help of our clients that we continue to improve.
With Great Appreciation,
The SocialEngine Team
When clearing the cache at temporary/scaffold - in addition to the CSS files, should you also clear (delete) the folder? I have a folder in that directory called application that also contains CSS files from the theme we are using.
So is it delete all files or delete all files and folders in the temporary/scaffold area?
The steps say to clear all files but leave the index.php in that scaffold folder. When we say clear all files, we mean files and folders. You could just rename the folder and copy the index.php file from it into a new scaffold folder you make, but make sure you set the permissions back the way they were in order for stuff to work.
If you have support we will apply the patch for you under your support plan for an issue like this so you don't need to purchase the upgrade service unless you are below 4.10.3p3 and just want to upgrade. If so, please contact us via your support ticket (log in at socialengine.com/login and click the support area) and we can give you a link in a ticket or you can (after being logged in) go to the marketplace and you'll see the menu there for the customer store where the install, upgrade and other services are purchased.