Blog

Security Advisory - Blesta 4.10.1 Patch Released

June 10, 2020 | Posted by Paul


Blesta 4.10.1 has been released, which addresses two bugs discovered in the 4.10.0 branch, including one security issue affecting the Order Manager with an impact rating of Moderate. More information about how we rate vulnerabilities can be found on our Security Advisories page. A big thanks to everyone who participated in helping to make Blesta better by reporting and confirming bugs on our forums and discord chat, we appreciate your help!

The release notes are available at https://docs.blesta.com/display/support/4.10.1.

Always run /admin/upgrade in your browser after patching or upgrading your installation. Patch releases may only be applied to the minor release to which it belongs. Only apply the patch if you are running 4.10.0. If you are running an earlier version, you must download the full release.

Download 4.10.1 Patch Download 4.10.1 Full

SHA256 Sum

% blesta-4.10.1.zip
9065d52c3d916efe73474687d116fc2ec7673160e8f288fa6b53568a6e0267fa

% blesta-4.10.0-4.10.1.zip
b64ccf68814951441c4d716d1648687376bee29d0650774f1f14d3bb22c258db

To patch your installation, please follow the instructions for Patching an Existing Install from our user manual.

Affected Versions

All versions of the Order Manager plugin are affected.

Description

This update addresses one security concern:

  1. An XSS flaw that affects the order system under certain circumstances.

Resolution

If running 4.10.0, apply the patch for 4.10.1. If running a version earlier than 4.10.0, upgrade to the full 4.10.1 release. See below for mitigation for older supported releases.

Mitigation

It is best to upgrade to 4.10.1, however, if you are running a supported version of Blesta (version 4.6, 4.7, 4.8, or 4.9) you may overwrite the following files from the 4.10.1 patch:

  • /blesta/plugins/order/views/templates/ajax/config.pdt
  • /blesta/plugins/order/views/templates/standard/config.pdt
  • /blesta/plugins/order/views/templates/wizard/config.pdt

Credits

This item was reported by Abdellah nadi in accordance with our Responsible Disclosure Policy.

Security Advisory

August 2, 2016 | Posted by Paul


We have released new updates for all supported versions of Blesta. These updates address security related concerns with Blesta and have an impact rating of Low. More information about how we rate vulnerabilities can be found on our Security Advisories page.

Affected Versions

Versions 3.0.0 through 3.6.1 are affected.

Description

This update addresses two security concerns:

  1. An undemonstrated potential vulnerability. In cooperation with a competing software application, we will release further details about this issue and how it affects Blesta once a sufficient amount of time has passed.
  2. Full Path Disclosure.

Resolution

If you are running 3.6.0 or 3.6.1, apply the following patch:

3.6.x -> 3.6.2 - Download Patch

If you are running a version prior to 3.6.0, upgrade to 3.6.2:

3.6.2 - Download Full

Be sure to run ~/admin/upgrade in your browser after updating the files. A new configuration variable will be written to your ~/config/blesta.php config file. Ensure that it is writable.

Related tasks: CORE-2228, CORE-2231

Mitigation

It is best to upgrade to 3.6.2, however, the Full Path Disclosure issue may be mitigated by changing the System.debug variable to false in ~/config/core.php. To do so, open ~/config/core.php and look for the following:

<?php
...
Configure::set("System.debug", true);

Change this to:

<?php
...
Configure::set("System.debug", false);

This will effectively disable stack traces within minPHP “Oh noes” error pages. When upgrading to Blesta 3.6.2, this option is defined and overridden in Blesta’s config file (~/config/blesta.php).

Credits

These items were reported by Sabri (@pwnsdx) in accordance with our Responsible Disclosure Policy.

Tags:

Blesta 3.1.2 & 3.0.10 Patch Released

February 26, 2014 | Posted by Paul


A patch has been released for Blesta that addresses bugs discovered since 3.1.0 was released. This patch also addresses various staff permission issues that affect 3.0.0-3.0.9 and 3.1.0-3.1.1. Please see the advisory. If you have untrusted staff users, we strongly recommend patching your installation.

You can read more information about this patch, including the release notes, on our forums:

For 3.0.10 see http://www.blesta.com/forums/index.php?/topic/2035-release-3010/ A patch has been released for Blesta that addresses bugs discovered since 3.1.0 was released. This patch also addresses various staff permission issues that affect 3.0.0-3.0.9 and 3.1.0-3.1.1. Please see the advisory. If you have untrusted staff users, we strongly recommend patching your installation.

You can read more information about this patch, including the release notes, on our forums:

For 3.0.10 see http://www.blesta.com/forums/index.php?/topic/2035-release-3010/

For 3.1.2 see http://www.blesta.com/forums/index.php?/topic/2036-release-312/

Download Link

blesta-3.0.0-3.0.10.zip (3.0.10 patch)
blesta-3.1.0-3.1.2.zip (3.1.2 patch)

To patch your installation, please follow the instructions for Patching an Existing Install from our user manual. Don’t forget to run /admin/upgrade in your browser.

Blesta 3.1.1 & 3.0.9 Patch Released

February 12, 2014 | Posted by Paul


A patch has been released for Blesta that addresses bugs discovered since 3.1.0 was released. This patch also addresses a security vulnerability that affects 3.0.0-3.0.8 and 3.1.0. Please see the advisory. We strongly recommend patching your installation.

You can read more information about this patch, including the release notes, on our forums:

For 3.0.9 see http://www.blesta.com/forums/index.php?/topic/1950-release-309/[A patch has been released for Blesta that addresses bugs discovered since 3.1.0 was released. This patch also addresses a security vulnerability that affects 3.0.0-3.0.8 and 3.1.0. Please see the advisory. We strongly recommend patching your installation.

You can read more information about this patch, including the release notes, on our forums:

For 3.0.9 see http://www.blesta.com/forums/index.php?/topic/1950-release-309/]2

For 3.1.1 see http://www.blesta.com/forums/index.php?/topic/1951-release-311/

Download Link

blesta-3.0.0-3.0.9.zip (3.0.9 patch)
blesta-3.1.0-3.1.1.zip (3.1.1 patch)

To patch your installation, please follow the instructions for Patching an Existing Install from our user manual. Don’t forget to run /admin/upgrade in your browser.

Blesta 3.0.7 Patch Released

December 20, 2013 | Posted by Paul


A patch has been released for Blesta that addresses bugs discovered since 3.0.6 was released. It also includes three security fixes, two of which were discovered as part of our internal review process. While these issues have a low to moderate impact rating, we strongly recommend upgrading to 3.0.7.

You can read more information about this patch, including the release notes, on our forums at http://www.blesta.com/forums/index.php?/topic/1660-release-307/ A patch has been released for Blesta that addresses bugs discovered since 3.0.6 was released. It also includes three security fixes, two of which were discovered as part of our internal review process. While these issues have a low to moderate impact rating, we strongly recommend upgrading to 3.0.7.

You can read more information about this patch, including the release notes, on our forums at http://www.blesta.com/forums/index.php?/topic/1660-release-307/

Download Link

blesta-3.0.0-3.0.7.zip

To patch your installation, please follow the instructions for Patching an Existing Install from our user manual.