News archive

XSS via mime sniffing on .dat files

26th September 2019, 3:48 am

There is a vulnerability in Composr's storage of uploads as .dat files on servers. A hacker could plant code with JavaScript, then trick an administrator into running it on their machine.

This is a low-to-medium risk vulnerability. With planning, creativity, and coordination, this could result in a hacker attaining various malicious outcomes. JavaScript code does not have access to files on a user's own computer, but it can be used to automate privileged web page actions on the website it is running on.

Illicit access to stats graphs

26th September 2019, 3:48 am

Composr uses SVG to render stats graphs. When stats are viewed in the Admin Zone, Composr generates the .xml files on disk and then embeds those files. However, the URLs to the files are predictable and not access-protected.

This is a low risk vulnerability. While illicit access to stats graphs is not acceptable, there are no wider known repercussions and similar data may be available via third-party tools anyway (such as Alexa).

Information leak on IIS

26th September 2019, 3:48 am

Hackers may directly access the URLs of various on-disk files, because IIS users lack the protection that is built in for Apache users.
Such files include the raw source code of pages, raw templates, and raw language files.

This is a low-to-medium risk vulnerability. The majority of users are not hiding privileged content with guessable page names in Comcode pages, but for those that are, this is a concern. Access to raw templates and language files would rarely be a concern.

Composr 10.0.28 released

26th September 2019, 3:41 am

10.0.28 released. Read the full article for more information, and upgrade information.

Overhaul of project messaging

10th September 2019, 1:08 am

A number of development practices have been overhauled around how development work is messaged. This is to improve communication to Composr users and also within the development team.

Migration to GitLab

7th September 2019, 12:14 am

Composr development has moved from GitHub to GitLab.

Composr 10.1 beta20 released

14th August 2019, 4:54 pm

10.1 beta20 released. Read the full article for more information, and upgrade information.

Composr 10.0.27 released

14th August 2019, 4:46 pm

10.0.27 released. Read the full article for more information, and upgrade information.

Composr 10.1 beta19 released

15th May 2019, 8:29 pm

10.1 beta19 released. Read the full article for more information, and upgrade information.

Security vulnerability in Composr

14th May 2019, 3:47 am

A security hole has been found in Composr. This is a serious vulnerability that affects all versions of Composr 10+. It is critical that you deploy a resolution to this vulnerability as soon as possible.

Composr 10.0.26 released

14th May 2019, 3:42 am

10.0.26 released. Read the full article for more information, and upgrade information.

Composr 10.0.25 released

10th April 2019, 7:37 pm

10.0.25 released. Read the full article for more information, and upgrade information.

Introducing the Conposr and Conposr++ frameworks

9th April 2019, 2:46 am

Introducing two new frameworks inspired by Composr, but targeted towards the development of standalone web apps.

Composr 10.1 beta18 released

21st February 2019, 2:15 am

10.1 beta18 released. Read the full article for more information, and upgrade information.

Composr 10.0.24 released

21st February 2019, 2:10 am

10.0.24 released. Read the full article for more information, and upgrade information.

compo.sr infrastructure problems (now solved)

20th February 2019, 11:10 pm

An explanation for some recent instability on compo.sr.

Composr 10.1 beta17 released

14th February 2019, 9:52 pm

10.1 beta17 released. Read the full article for more information, and upgrade information.

Composr 10.0.23 released

14th February 2019, 9:33 pm

10.0.23 released. Read the full article for more information, and upgrade information.

Topic read counts - a bug affecting users who upgraded from ocPortal

7th February 2019, 4:58 pm

We just discovered a bug affecting users who upgraded from ocPortal.

Composr 10.1 beta16 released

2nd January 2019, 12:41 am

10.1 beta16 released. Read the full article for more information, and upgrade information.

Composr 10.0.22 released

2nd January 2019, 12:28 am

10.0.22 released. Read the full article for more information, and upgrade information.

Composr 10.1 beta15 released

9th November 2018, 4:39 pm

10.1 beta15 released. Read the full article for more information, and upgrade information.

Composr 10.0.21 released

9th November 2018, 2:14 am

10.0.21 released. Read the full article for more information, and upgrade information.

Composr 10.1 beta14 released

19th October 2018, 5:28 pm

10.1 beta14 released. Read the full article for more information, and upgrade information.

Composr 10.0.20 released

19th October 2018, 3:04 am

10.0.20 released. Read the full article for more information, and upgrade information.

Composr 10.1 beta13 released

6th September 2018, 8:41 pm

10.1 beta13 released. Read the full article for more information, and upgrade information.

Composr 10.0.19 released

31st August 2018, 8:22 pm

10.0.19 released. Read the full article for more information, and upgrade information.

Composr 10.0.18 released

14th July 2018, 11:20 pm

10.0.18 released. Read the full article for more information, and upgrade information.

Composr 10.1 beta12 released

14th July 2018, 11:01 pm

10.1 beta12 released. Read the full article for more information, and upgrade information.

Composr 10.1 beta11 released

21st June 2018, 3:28 am

10.1 beta11 released. Read the full article for more information, and upgrade information.
