Important reminder

As our newsletter subscribers will be aware, two security vulnerabilities have been uncovered in the following versions of Zenario:

  • 7.0.6a
  • 7.0.5a, 7.0.5b and 7.0.5c
  • 7.0.4a and 7.0.4b
  • 7.0.3a
  • 7.0.2a, 7.0.2b, 7.0.2c, 7.0.2d and 7.0.2e

(The forthcoming Zenario versions 7.0.7 and 7.1 are not affected.)

Vulnerabilities

The vulnerabilities are as follows:

  1. By forging a URL to the image compressor program, an attacker can make the CMS reveal the contents of configuration files on the system.
  2. If the USE_FORWARDED_IP option is enabled in the zenario_siteconfig.php file, an attacker can inject and run arbitrary SQL code on the database. (This option is normally only used on HAProxy/load-balanced Apache configurations.)

Updating

If you are using one of these versions, you should immediately update your software. Even if you do not wish to update to the latest version, we have issued patches for all previously released branches of Zenario:

  • If you use 7.0.6 you should update to 7.0.6b
  • If you use 7.0.5 you should update to 7.0.5c
  • If you use 7.0.4 you should update to 7.0.4b
  • If you use 7.0.3 you should update to 7.0.3a
  • If you use 7.0.2 you should update to 7.0.2e

You can quickly update your copy of Zenario by replacing the zenario/ directory of your website with the zenario/ directory from the download, e.g.:

$ tar -xf zenario-probusiness-7.0.6c.tar.gz
$ mv /path/to/your/website/zenario /path/to/your/website/zenario_old
$ mv zenario-probusiness-7.0.6c/zenario /path/to/your/website/zenario
$ rm -rf /path/to/your/website/zenario_old   # only once you have confirmed the site works with the new zenario/ directory
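A more defensive form of the same swap, added here as an example and not part of the advisory: it unpacks the release into a staging directory, refuses an archive that does not contain exactly one zenario/ directory, rolls back if the swap fails, and keeps the old tree as a timestamped backup rather than deleting it. The function name update_zenario and the backup naming are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not Zenario's own tooling): replace the zenario/ directory of a
# site with the one from a release tarball, keeping the old tree as a backup.
# Usage: update_zenario <release-tarball> <website-root>
# Assumes the tarball unpacks to one top-level directory that contains zenario/,
# as the advisory's tar/mv commands do.
update_zenario() {
    tarball=$1
    webroot=$2
    [ -f "$tarball" ] || { echo "no such tarball: $tarball" >&2; return 1; }
    [ -d "$webroot/zenario" ] || { echo "no zenario/ directory under $webroot" >&2; return 1; }

    # Unpack into a private staging directory instead of the current directory,
    # so nothing outside it can be touched by the archive's contents.
    staging=$(mktemp -d) || return 1
    tar -xf "$tarball" -C "$staging" || { rm -rf "$staging"; return 1; }

    # Accept only an archive with a single <release-dir>/zenario directory.
    newdir=$(find "$staging" -mindepth 2 -maxdepth 2 -type d -name zenario)
    if [ -z "$newdir" ] || [ "$(printf '%s\n' "$newdir" | wc -l)" -ne 1 ]; then
        echo "archive does not contain a single zenario/ directory" >&2
        rm -rf "$staging"; return 1
    fi

    # Keep the old tree under a timestamped name; remove it by hand only after
    # the site has been checked, never as part of the swap itself.
    backup="$webroot/zenario_old.$(date +%Y%m%d%H%M%S)"
    mv "$webroot/zenario" "$backup" || { rm -rf "$staging"; return 1; }
    if ! mv "$newdir" "$webroot/zenario"; then
        mv "$backup" "$webroot/zenario"   # roll back to the previous tree
        rm -rf "$staging"; return 1
    fi
    rm -rf "$staging"
    echo "$backup"   # print the backup path so the caller can find it
}

# Example call (paths are placeholders):
#   update_zenario zenario-probusiness-7.0.6c.tar.gz /path/to/your/website
```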

Stay informed

We recommend all Zenario site administrators sign up to our Newsletter for the most up-to-date news.