mojoPortal 184.108.40.206 is available now on our download page.
The primary reason for this release is to fix a security issue reported yesterday in our forums. This is only the second security vulnerability ever confirmed in mojoPortal in the entire history of the project since 2004. When a security vulnerability is confirmed we feel it is very important to release a fix within 24 hours and to disclose it with full transparency.
In order to exploit this vulnerability the attacker would have to somehow trick a user who is already logged into the mojoPortal site into clicking a malicious link. The link itself must contain the exploit code, and this would be obvious to more experienced users unless the URL of the link was masked in some way. So a targeted social engineering attack would have to be used to exploit this. A hacker could email a site user with a link to the site, or create a link on a web page on some other web site, and convince the user to click it.
What Versions are Vulnerable?
I’m pretty sure this vulnerability was introduced in version 220.127.116.11 when we implemented the CssHandler to combine and minify css. Older versions are probably not vulnerable. To determine if your installation is vulnerable, just visit http://yourdomain/Default.aspx?skin=1%00'"><ScRiPt%20%0a%0d>alert(403326057258)%3B</ScRiPt> in a browser. If it causes an alert message, then the vulnerability does exist.
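The problem above is an untrusted skin query parameter being reflected into the page. As an added illustration (not mojoPortal's own code, which is C#), the snippet below shows the defensive pattern: an allowlist check for the skin name that falls back to a known skin instead of echoing the value, plus a small scanner that runs the same check over constructed IIS-style log lines so an administrator can spot attempts against an unpatched site. The allowlist pattern, the default skin name and the log format are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed allowlist for a skin name: letters, digits, underscore, hyphen only.
# Null bytes, quotes and angle brackets (the characters the test URL relies on)
# can never pass this check, so nothing hostile reaches the page.
SKIN_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,50}$")
DEFAULT_SKIN = "default"  # assumed fallback skin name

def is_safe_skin_name(value: str) -> bool:
    """True only if `value` is an acceptable skin identifier."""
    return SKIN_NAME_RE.fullmatch(value) is not None

def safe_skin_name(value: str) -> str:
    """Mitigation: use a known skin rather than reflecting an untrusted value."""
    return value if is_safe_skin_name(value) else DEFAULT_SKIN

def flag_request(url: str) -> bool:
    """Detection: does this request carry a skin value the allowlist would reject?"""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    for raw in params.get("skin", []):
        # parse_qs decodes once; decode again to catch double-encoded values
        if not is_safe_skin_name(unquote(raw)):
            return True
    return False

# Constructed log excerpt in W3C style: date time cs-uri-stem cs-uri-query
SAMPLE_LOG = """\
2010-01-01 10:00:00 /Default.aspx skin=blue
2010-01-01 10:00:01 /Default.aspx skin=1%00%27%22%3E%3CScRiPt%3Ealert(1)%3C/ScRiPt%3E
2010-01-01 10:00:02 /Default.aspx pageid=12
2010-01-01 10:00:03 /Default.aspx -
"""

def scan_log(text: str) -> list:
    """Return the log lines whose skin parameter fails the allowlist."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[3] == "-":
            continue  # malformed line or request without a query string
        stem, query = parts[2], parts[3]
        if flag_request(f"{stem}?{query}"):
            hits.append(line)
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("suspicious request:", hit)
```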
Upgrade is Highly Recommended
Upgrading to mojoPortal 18.104.22.168 will eliminate this vulnerability. All users are recommended to upgrade as soon as you can. If you are upgrading from version 22.214.171.124, you can skip uploading the ClientScript folder; it will save you some time since it's a large folder and nothing in that folder has changed.
Anything Else New This Release?
There was a bug fix in WebStore for MS SQL. Previously, when updating the quantity of an item in the cart, the stored procedure was declared incorrectly as having 10 parameters instead of the 8 it actually had.
There is a new Site Setting for Company Name, which is used to automatically populate the CopyrightLabel in the skin.
Our release packages now support easy installation in IIS using the Microsoft Web Deployment Tool (aka MsDeploy). See this article for easy step by step installation instructions. It's only for new installations, not upgrades. This is actually a pretty exciting development, though I post it here as if it were a footnote. Supporting MsDeploy now should make it possible to get mojoPortal listed in the Microsoft Web Application Gallery; I have submitted a form and am waiting to hear back from them.