Security Advisory

August 2, 2016 | Posted by Paul


We have released new updates for all supported versions of Blesta. These updates address security-related concerns with Blesta and have an impact rating of Low. More information about how we rate vulnerabilities can be found on our Security Advisories page.

Affected Versions

Versions 3.0.0 through 3.6.1 are affected.

Description

This update addresses two security concerns:

  1. An undemonstrated potential vulnerability. In cooperation with the vendor of a competing software application, we will release further details about this issue and how it affects Blesta once a sufficient amount of time has passed.
  2. Full Path Disclosure.

Resolution

If you are running 3.6.0 or 3.6.1, apply the following patch:

3.6.x -> 3.6.2 - Download Patch

If you are running a version prior to 3.6.0, upgrade to 3.6.2:

3.6.2 - Download Full

Be sure to run ~/admin/upgrade in your browser after updating the files. A new configuration variable will be written to your ~/config/blesta.php config file. Ensure that it is writable.

Related tasks: CORE-2228, CORE-2231

Mitigation

It is best to upgrade to 3.6.2; however, the Full Path Disclosure issue may be mitigated by changing the System.debug variable to false in ~/config/core.php. To do so, open ~/config/core.php and look for the following:

<?php
...
Configure::set("System.debug", true);

Change this to:

<?php
...
Configure::set("System.debug", false);

This will effectively disable stack traces within minPHP “Oh noes” error pages. When upgrading to Blesta 3.6.2, this option is defined and overridden in Blesta’s config file (~/config/blesta.php).
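To illustrate why a debug flag like System.debug matters, the following is an added, stand-alone example; it is not minPHP or Blesta code and does not use their APIs. It models the two modes the advisory describes: with debugging on, an uncaught exception is rendered with its stack trace, and since PHP stack traces carry absolute file paths (the "in /path/to/file.php:42" portion), the page discloses the install location; with debugging off, the visitor sees only a generic message and an opaque reference, while the details go to the server log. The constant SYSTEM_DEBUG, the functions renderErrorPage and leaksPath, and the constructed RuntimeException are all assumptions made for this example.

```php
<?php
// Added example (not minPHP/Blesta code): how a debug flag governs whether an
// error page discloses absolute filesystem paths via the stack trace.
declare(strict_types=1);

// Stand-in for Configure::set("System.debug", ...). In a real application this
// value would be read from the configuration file, not hard-coded.
const SYSTEM_DEBUG = false;

/**
 * Render an error page for an uncaught throwable.
 *
 * Debug mode: full exception string, including the stack trace and the absolute
 * path of every frame. Production mode: generic message plus a short reference
 * that lets an operator find the matching entry in the server log.
 */
function renderErrorPage(Throwable $e, bool $debug): string
{
    if ($debug) {
        // (string)$e yields "RuntimeException: ... in /abs/path/file.php:NN" plus
        // "Stack trace: ..." which is exactly what a Full Path Disclosure leaks.
        return "<h1>Oh noes!</h1><pre>"
            . htmlspecialchars((string) $e, ENT_QUOTES, 'UTF-8')
            . "</pre>";
    }

    // Keep the path and trace server-side, correlated by a random reference.
    $ref = bin2hex(random_bytes(4));
    error_log(sprintf('[%s] %s: %s in %s:%d', $ref, get_class($e),
        $e->getMessage(), $e->getFile(), $e->getLine()));
    error_log(sprintf('[%s] %s', $ref, $e->getTraceAsString()));

    return "<h1>An error occurred</h1><p>Reference: " . $ref . "</p>";
}

/** True if the rendered page contains the given filesystem prefix. */
function leaksPath(string $html, string $docRoot): bool
{
    return strpos($html, $docRoot) !== false;
}

// Demonstration with a constructed exception raised from this file. The
// directory of this script stands in for the web application's install path.
try {
    throw new RuntimeException('Database connection failed');
} catch (RuntimeException $e) {
    $docRoot = dirname(__FILE__);
    foreach ([true, false] as $debug) {
        $page = renderErrorPage($e, $debug);
        printf("System.debug=%s -> install path disclosed: %s\n",
            var_export($debug, true),
            var_export(leaksPath($page, $docRoot), true));
    }
}
```

Run it from the command line (php example.php) to see the debug-mode page contain the script's directory while the production-mode page does not. The reference-id pattern is the usual way to keep error pages useful for operators without handing the install path to anonymous visitors; the advisory's resolution achieves the same effect by having ~/config/blesta.php override System.debug.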

Credits

These items were reported by Sabri (@pwnsdx) in accordance with our Responsible Disclosure Policy.