Several security issues affecting Blesta versions 5.0.0 through 5.9.1 have been identified. There is no evidence to suggest that these vulnerabilities are publicly known or being exploited, but you should take action now.

A path traversal vulnerability may lead to account compromise and RCE (Remote Code Execution) through vulnerability chaining. We recommend applying the appropriate patch for your release as soon as possible, or by upgrading to version 5.9.2. Given the compounding nature of these vulnerabilies, we give this an impact rating of Critical.

More information about how we rate vulnerabilities can be found on our Security Advisories page.

Always run /admin/upgrade in your browser after patching or upgrading your installation. Patch releases may only be applied to the minor release to which it belongs, so download the appropriate patch for your minor version. If you are running a version of Blesta between 5.0 and 5.6, upgrade to 5.9.2.

Downloads

Download 5.9.2 Patch Download 5.9.2 Full

% blesta-5.9.2.zip
27f59fd3bc7a30dd6dc40ae619447fc5be049f2f3cd811ac5a6fc59b6d643b02

% blesta-5.9.0-5.9.2.zip
a4626ab2a8fe3f28010c368cc54b704cade6ac2fc299b7d48a3daec3ef9837e3

Download 5.8.3 Patch

% blesta-5.8.0-5.8.3.zip
5f5463e8590b837c76b1aa1c3f89b07e50efce477606b8f6b7f49543b2e9e828

Download 5.7.2 Patch

% blesta-5.7.0-5.7.2.zip
3f06d2a2a08f196725389e69db0cc3dc1ac05ba48f3a473b01ecc3d2caa3fa8f

To patch your installation, please follow the instructions for Patching an Existing Install from our user manual.

Resolution

• If you are running version 5.7.x, apply the 5.7.2 patch above.
• If you are running version 5.8.x, apply the 5.8.3 patch above.
• If you are running version 5.9.x, apply the 5.9.2 patch above.
• If you are running version 5.0.x through 5.6.x, upgrade to 5.9.2 Full.

Mitigation

It is best to upgrade to 5.9.2 or apply the appropriate patch. However, if you are running an affected unsupported version of Blesta (version 5.0 through 5.6), or you need more time to upgrade, you may take the following immediate steps to mitigate.

• Visit Settings > System > General and note the location of your “Uploads Directory”.
• Assuming your uploads directory is “/path/to/uploads/” check the directory for your company ID (typically “1”) and see if you have a “themes” directory. If the directory exists, delete the directory. Example locations for this directory are: “/path/to/uploads/1/themes”, “/path/to/uploads/2/themes”, etc. Only users with addon-companies will have any directories other than “1” within the uploads directory. Ensure “themes” is deleted from each.

If your logo dissappears, you may need to visit Settings > Company > Look and Feel > Customize and set your logo using “Set Logo URL”, not “Upload Logo”. NOTE that this may result in the “themes” directory being re-created. If you perform this step, check for and delete the “themes” directory again.

We would also highly recommend ensuring that Two-Factor Authentication is enabled for all Staff accounts. Staff can set up Two-Factor Authentication under “My Info” using a token like Google Authenticator (for iOS/Android).

Credits

These issues were reported to us by Emre Hampolat in accordance with our Responsible Disclosure Policy.

Blesta 4.10.1 has been released, which addresses two bugs discovered in the 4.10.0 branch, including one security issue affecting the Order Manager with an impact rating of Moderate. More information about how we rate vulnerabilities can be found on our Security Advisories page. A big thanks to everyone who participated in helping to make Blesta better by reporting and confirming bugs on our forums and discord chat, we appreciate your help!

The release notes are available at https://docs.blesta.com/display/support/4.10.1.

Always run /admin/upgrade in your browser after patching or upgrading your installation. Patch releases may only be applied to the minor release to which it belongs. Only apply the patch if you are running 4.10.0. If you are running an earlier version, you must download the full release.

Download 4.10.1 Patch Download 4.10.1 Full

SHA256 Sum

% blesta-4.10.1.zip
9065d52c3d916efe73474687d116fc2ec7673160e8f288fa6b53568a6e0267fa

% blesta-4.10.0-4.10.1.zip
b64ccf68814951441c4d716d1648687376bee29d0650774f1f14d3bb22c258db

To patch your installation, please follow the instructions for Patching an Existing Install from our user manual.

Affected Versions

All versions of the Order Manager plugin are affected.

Description

This update addresses one security concern:

1. An XSS flaw that affects the order system under certain circumstances.

Resolution

If running 4.10.0, apply the patch for 4.10.1. If running a version earlier than 4.10.0, upgrade to the full 4.10.1 release. See below for mitigation for older supported releases.

Mitigation

It is best to upgrade to 4.10.1, however, if you are running a supported version of Blesta (version 4.6, 4.7, 4.8, or 4.9) you may overwrite the following files from the 4.10.1 patch:

• /blesta/plugins/order/views/templates/ajax/config.pdt
• /blesta/plugins/order/views/templates/standard/config.pdt
• /blesta/plugins/order/views/templates/wizard/config.pdt

Credits

This item was reported by Abdellah nadi in accordance with our Responsible Disclosure Policy.

We have released new updates for all supported versions of Blesta. These updates address security related concerns with Blesta and have an impact rating of Low. More information about how we rate vulnerabilities can be found on our Security Advisories page.

Affected Versions

Versions 3.0.0 through 3.6.1 are affected.

Description

This update addresses two security concerns:

1. An undemonstrated potential vulnerability. In cooperation with a competing software application, we will release further details about this issue and how it affects Blesta once a sufficient amount of time has passed.
2. Full Path Disclosure.

Resolution

If you are running 3.6.0 or 3.6.1, apply the following patch:

3.6.x -> 3.6.2 - Download Patch

If you are running a version prior to 3.6.0, upgrade to 3.6.2:

3.6.2 - Download Full

Be sure to run ~/admin/upgrade in your browser after updating the files. A new configuration variable will be written to your ~/config/blesta.php config file. Ensure that it is writable.

Related tasks: CORE-2228, CORE-2231

Mitigation

It is best to upgrade to 3.6.2, however, the Full Path Disclosure issue may be mitigated by changing the System.debug variable to false in ~/config/core.php. To do so, open ~/config/core.php and look for the following:

<?php
...
Configure::set("System.debug", true);

Change this to:

<?php
...
Configure::set("System.debug", false);

This will effectively disable stack traces within minPHP “Oh noes” error pages. When upgrading to Blesta 3.6.2, this option is defined and overridden in Blesta’s config file (~/config/blesta.php).

Credits

These items were reported by Sabri (@pwnsdx) in accordance with our Responsible Disclosure Policy.

Affected Versions

Versions 3.0.0 through 3.1.3 are affected.

Description

A user with a valid username and password may be able to properly validate two-factor authentication using TOTP by guessing the correct code. This issue is classified as a Low vulnerability. (CORE-1213)

An authenticated staff member may be able to affect settings in the system where they are otherwise prohibited via ACL restrictions, via carefully crafted HTTP POST requests under limited circumstances. This issue is classified as a Moderate vulnerability. (CORE-1163)

Resolution

If you are running 3.0.x or 3.1.0 through 3.1.3 upgrade to version 3.1.4 or version 3.2.0.

Related tasks:

1. CORE-1163
2. CORE-1213

Credits

CORE-1163 was discovered by the Blesta Development Team. CORE-1213 was discovered by Kyle at MemoryX2.

Affected Versions

Versions 3.0.0 through 3.0.9, and 3.1.0 through 3.1.1 are affected.

Description

Active and valid staff members may be able to access areas of the application without proper ACL permissions. Additionally, staff members may not be logged out immediately after being made inactive. These issues are classified as Moderate vulnerabilities. Patch release 3.0.10 and 3.1.2 correct these vulnerabilities.

Resolution

If you are running 3.0.x upgrade to version 3.0.10. If you are running 3.1.x upgrade to version 3.1.2.

Related tasks:

1. CORE-1062
2. CORE-1063
3. CORE-1064

Credits

CORE-1062 was discovered by Nerijus Barauskas at NGnTC. CORE-1063 and CORE-1064 were discovered by the Blesta Development Team.