News archive
XSS via mime sniffing on .dat files
26th September 2019, 3:48 am
There is a vulnerability in Composr's storage of uploads as .dat files on servers. A hacker could plant code with JavaScript, then trick an administrator into running it on their machine.
This is a low-to-medium risk vulnerability. With planning, creativity, and coordination, this could result in a hacker attaining various malicious outcomes. JavaScript code does not have access to files on a user's own computer, but it can be used to automate privileged web page actions on the website it is running on.
Illicit access to stats graphs
26th September 2019, 3:48 am
Composr uses SVG for rendering out stats graphs. When stats are viewed in the Admin Zone, Composr will generate the .xml files onto disk, and then embed those files. However, the URLs to the files are predictable and not access-protected.
This is a low risk vulnerability. While illicit access to stats graphs is not acceptable, there are no wider known repercussions and similar data may be available via third-party tools anyway (such as Alexa).
Information leak on IIS
26th September 2019, 3:48 am
Hackers may directly access the URLs to various on-disk files, because the protection that is built in for Apache users is lacking for IIS users.
Such files include the raw source code of pages, raw templates, and raw language files.
This is a low-to-medium risk vulnerability. The majority of users are not hiding privileged content with guessable page names in Comcode pages, but for those that are, this is a concern. Access to raw templates and language files would rarely be a concern.
Composr 10.0.28 released
26th September 2019, 3:41 am
10.0.28 released. Read the full article for more information, and upgrade information.
Overhaul of project messaging
10th September 2019, 1:08 am
A number of development practices have been overhauled around how development work is messaged. This is to improve communication to Composr users and also within the development team.
Migration to GitLab
7th September 2019, 12:14 am
Composr development has moved from GitHub to GitLab.
Composr 10.1 beta20 released
14th August 2019, 4:54 pm
10.1 beta20 released. Read the full article for more information, and upgrade information.
Composr 10.0.27 released
14th August 2019, 4:46 pm
10.0.27 released. Read the full article for more information, and upgrade information.
Composr 10.1 beta19 released
15th May 2019, 8:29 pm
10.1 beta19 released. Read the full article for more information, and upgrade information.
Security vulnerability in Composr
14th May 2019, 3:47 am
A security hole has been found in Composr. This is a serious vulnerability that affects all versions of Composr 10+. It is critical that you deploy a resolution to this vulnerability as soon as possible.
Composr 10.0.26 released
14th May 2019, 3:42 am
10.0.26 released. Read the full article for more information, and upgrade information.
Composr 10.0.25 released
10th April 2019, 7:37 pm
10.0.25 released. Read the full article for more information, and upgrade information.
Introducing the Conposr and Conposr++ frameworks
9th April 2019, 2:46 am
Introducing two new frameworks inspired by Composr, but targeted towards the development of standalone web apps.
Composr 10.1 beta18 released
21st February 2019, 2:15 am
10.1 beta18 released. Read the full article for more information, and upgrade information.
Composr 10.0.24 released
21st February 2019, 2:10 am
10.0.24 released. Read the full article for more information, and upgrade information.
compo.sr infrastructure problems (now solved)
20th February 2019, 11:10 pm
An explanation for some recent instability on compo.sr.
Composr 10.1 beta17 released
14th February 2019, 9:52 pm
10.1 beta17 released. Read the full article for more information, and upgrade information.
Composr 10.0.23 released
14th February 2019, 9:33 pm
10.0.23 released. Read the full article for more information, and upgrade information.
Topic read counts - a bug affecting users who upgraded from ocPortal
7th February 2019, 4:58 pm
We just discovered a bug affecting users who upgraded from ocPortal.
Composr 10.1 beta16 released
2nd January 2019, 12:41 am
10.1 beta16 released. Read the full article for more information, and upgrade information.
Composr 10.0.22 released
2nd January 2019, 12:28 am
10.0.22 released. Read the full article for more information, and upgrade information.
Composr 10.1 beta15 released
9th November 2018, 4:39 pm
10.1 beta15 released. Read the full article for more information, and upgrade information.
Composr 10.0.21 released
9th November 2018, 2:14 am
10.0.21 released. Read the full article for more information, and upgrade information.
Composr 10.1 beta14 released
19th October 2018, 5:28 pm
10.1 beta14 released. Read the full article for more information, and upgrade information.
Composr 10.0.20 released
19th October 2018, 3:04 am
10.0.20 released. Read the full article for more information, and upgrade information.
Composr 10.1 beta13 released
6th September 2018, 8:41 pm
10.1 beta13 released. Read the full article for more information, and upgrade information.
Composr 10.0.19 released
31st August 2018, 8:22 pm
10.0.19 released. Read the full article for more information, and upgrade information.
Composr 10.0.18 released
14th July 2018, 11:20 pm
10.0.18 released. Read the full article for more information, and upgrade information.
Composr 10.1 beta12 released
14th July 2018, 11:01 pm
10.1 beta12 released. Read the full article for more information, and upgrade information.
Composr 10.1 beta11 released
21st June 2018, 3:28 am
10.1 beta11 released. Read the full article for more information, and upgrade information.