This is a low-risk vulnerability. While illicit access to stats graphs is not acceptable, there are no wider known repercussions, and similar data may be available via third-party tools anyway (such as Alexa).
Affects
All Composr (and ocPortal) versions are affected.
Apache servers are affected, but IIS servers are usually not.
Upgrade Composr
Version 10.0.29 has been released and fixes the security hole.
Apache users may add the following code to their main .htaccess file:
RewriteRule ^data_custom/modules/admin_stats/(.*)\.xml adminzone/stats_graph.php?file=$1 [L,QSA]
This requires the Apache mod_rewrite module to be enabled (and rewriting switched on with RewriteEngine On in that .htaccess file), which it usually is.
IIS users may upload the latest web.config from 10.0.29, which includes the equivalent code.
Both Apache and IIS users must upload adminzone/stats_graph.php and sources/stats.php from 10.0.29. These are new files, so nothing is being overwritten.
Checking for exploit attempts
Check your web server logs for unexpected access to URLs under data_custom/modules/admin_stats/.
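As an added illustration of that log check (example code written for this advisory, not part of Composr), the script below scans Apache combined-format access log lines for direct requests to .xml files under data_custom/modules/admin_stats/ and counts, per client, how many of them were actually answered with data. The sample log lines, client addresses, timestamps and the file name hits_per_day.xml are constructed for the example.

```python
import re
from collections import Counter

# Apache combined log format: client, identd, user, [timestamp], "request", status, bytes, "referer", "agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<ref>[^"]*)" "(?P<ua>[^"]*)")?'
)

# A request that names a stats .xml file directly, whatever the letter case or query string.
STATS_XML_RE = re.compile(r'^/data_custom/modules/admin_stats/[^?]*\.xml(?:\?|$)', re.IGNORECASE)


def find_stats_graph_hits(lines):
    """Return (client, timestamp, path, status) for each direct request to a stats graph file.

    After the .htaccess workaround the rewrite is internal, so such requests still appear
    in the log under the original URL; the status then comes from stats_graph.php.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a recognisable combined-format line; skip rather than guess
        if STATS_XML_RE.match(m.group("path")):
            hits.append((m.group("ip"), m.group("ts"), m.group("path"), int(m.group("status"))))
    return hits


def clients_served(hits):
    """Count, per client, the direct requests the server answered with 2xx (data actually returned)."""
    return Counter(ip for ip, _, _, status in hits if 200 <= status < 300)


# Constructed sample log lines (addresses, dates and the file name are made up for this example).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Feb/2016:12:00:01 +0000] "GET /index.php?page=start HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Feb/2016:12:00:07 +0000] "GET /data_custom/modules/admin_stats/hits_per_day.xml HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Feb/2016:12:01:13 +0000] "GET /data_custom/modules/admin_stats/HITS_PER_DAY.XML?x=1 HTTP/1.1" 403 199 "-" "curl/7.47.0"',
    '198.51.100.9 - - [10/Feb/2016:12:01:20 +0000] "GET /adminzone/stats_graph.php?file=hits_per_day HTTP/1.1" 403 199 "-" "curl/7.47.0"',
    "not a log line at all",
]

if __name__ == "__main__":
    found = find_stats_graph_hits(SAMPLE_LOG)
    for client, ts, path, status in found:
        print(f"{ts} {client} {status} {path}")
    print("clients that received stats data directly:", dict(clients_served(found)))
```

A 2xx on one of these URLs from a client that is not a logged-in staff member is the line worth investigating; requests through adminzone/stats_graph.php itself are the intended path and are not flagged.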
Technical explanation
The developers didn't consider the case of malicious users manually accessing SVG graph URLs.
How the fix works
Version 10.0.29 denies direct access to the .xml files, instead serving the data through an intermediary script which checks permissions.
The workaround rewrites any web request for the .xml files to the intermediary script, so that the rest of the stats code does not need patching.