Security patch for phpCMS 1.2.x - User instructions
===================================================

In order to close a discovered vulnerability in phpCMS 1.2.x prior to version phpCMS 1.2.1pl2, you have to replace the file parser/include/class.layout_phpcms.php in your phpCMS installation with the one from this archive.

Who needs this patch?
---------------------

Versions prior to phpCMS 1.2.0 beta1 (for example 1.1.x versions) are not affected by this vulnerability. But as a number of other issues were fixed since version 1.1.9 (including some minor security fixes), we strongly recommend users of versions prior to phpCMS 1.2.0 to update their entire installation to the newest available phpCMS version, which can be found at http://www.phpcms.de/download

For users of phpCMS 1.2.0 beta1, 1.2.0 beta2, 1.2.0 rc1, 1.2.0 and 1.2.1 we recommend updating their entire installation to the newest available phpCMS version, which can be found at http://www.phpcms.de/download, if they are running their site with "Debug Mode" switched to "on" in the phpCMS settings. We recommend not to run phpCMS in a public environment with "Debug Mode" set to on. But if you really insist on doing so, it is highly recommended to update your entire installation if you're using one of the above mentioned versions. The reason is that there was a security related bug in versions prior to 1.2.1pl1 which is only relevant if phpCMS is running with "Debug Mode" switched to "on".

Users of phpCMS 1.2.0 beta1, 1.2.0 beta2, 1.2.0 rc1, 1.2.0 and 1.2.1 who are running phpCMS with "Debug Mode" set to "off" can continue using their installation if the file parser/include/class.layout_phpcms.php is replaced by the one from this archive.

Users of phpCMS 1.2.1pl1 (the pl1 at the end makes the difference!) do not need to update to phpCMS 1.2.1pl2, as the only difference is the security fix in the file parser/include/class.layout_phpcms.php; therefore it is sufficient for them to replace that file with the one from this archive.

Users of phpCMS 1.2.1pl2 and newer versions can ignore this, as their version has the security fix already built in.

Instructions:
-------------

To secure your current phpCMS installation without updating the entire installation to the newest available phpCMS package, you have to replace the file parser/include/class.layout_phpcms.php by the one from this archive. To do this, follow these steps:

1) Check which phpCMS version you are currently running. There are several ways to find out which phpCMS version you are running:

   * Log into the phpCMS admin backend. At the bottom of the left column you will find the version number of the phpCMS installation (for example 1.2.0 pl1).

   * View the HTML source of a content page which was generated with phpCMS. At the beginning of the HTML source you will find a line like

2) Make a backup of the file parser/include/class.layout_phpcms.php in your current phpCMS installation. Important: Move this file to a location which is not accessible via the web. Best is to download it via FTP to your local desktop PC.

3) This archive contains several versions of the file class.layout_phpcms.php for different recent phpCMS versions. Please rename the one corresponding to your currently installed phpCMS version to class.layout_phpcms.php and upload it to the directory parser/include/ of your webserver, overwriting the existing old file class.layout_phpcms.php.

4) That's it. After that single file has been replaced, your website should work as before, but with the vulnerability closed.

If you have any questions regarding this, please use the phpCMS support forum at http://www.phpcms.de/forum

Your phpCMS Team
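Steps 2 and 3 above, carried out on the server as an added example (this script is not part of the phpCMS patch archive): it backs up the current file, refuses a backup location inside the web root, and installs the version-specific replacement. It assumes the archive directory names each version's file class.layout_phpcms.php-<version>, which the README does not specify, and uses the PHP CLI for a syntax check only if one is installed.

```shell
#!/bin/sh
# Added example, not part of the phpCMS patch archive: applies steps 2 and 3
# of the instructions on the server. Assumed archive layout (the README does
# not name the per-version files): <archive_dir>/class.layout_phpcms.php-<version>
# Usage: apply_layout_patch <webroot> <archive_dir> <version> <backup_dir>
apply_layout_patch() {
    webroot=$1 archive=$2 version=$3 backup=$4
    target="$webroot/parser/include/class.layout_phpcms.php"
    replacement="$archive/class.layout_phpcms.php-$version"

    # Step 3: only the file matching the installed version may be used.
    if [ ! -f "$replacement" ]; then
        echo "no replacement file for phpCMS $version in $archive" >&2; return 1
    fi
    if [ ! -f "$target" ]; then
        echo "$target not found: is $webroot the phpCMS root?" >&2; return 1
    fi

    # Step 2: the backup must not be reachable via the web, so refuse any
    # backup directory that resolves to a path inside the web root.
    mkdir -p "$backup" || return 1
    webroot_real=$(cd "$webroot" && pwd -P) || return 1
    backup_real=$(cd "$backup" && pwd -P) || return 1
    case "$backup_real/" in
        "$webroot_real/"*) echo "backup dir $backup is inside the web root" >&2; return 1 ;;
    esac
    cp -p "$target" "$backup/class.layout_phpcms.php.$version.$(date +%Y%m%d%H%M%S)" || return 1

    # If the PHP CLI is present, reject a replacement that does not even parse.
    if command -v php >/dev/null 2>&1; then
        php -l "$replacement" >/dev/null 2>&1 || {
            echo "$replacement fails the PHP syntax check" >&2; return 1; }
    fi

    # Overwrite in place so the existing file's owner and mode are kept.
    cp "$replacement" "$target" && echo "installed $replacement as $target"
}

# Run directly with four arguments; sourcing the file defines the function only.
if [ "$#" -eq 4 ]; then
    apply_layout_patch "$@"
fi
```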