MKRD.info - Thorough articles on a variety of topics, and no ads!

Correct 1.9.4.3 upgrade patch files

I am EXTRAORDINARILY surprised by the lack of response from CMSMS developers about blatant security flaws and bugs in the 1.9.4.3 upgrade patch files, ESPECIALLY since the patch was supposed to be a "security release".

Developers have been notified instantly about problems with release files.

I myself have tested the patch THE SECOND DAY after release. Unfortunately, since I have a real job, I only had time to apply it to a production server (BIG MISTAKE). It immediately broke my TinyMCE editor functionality.

So, on the forum I go to post my findings on 28 Aug 11:

"Be careful, everyone. This release overwrites several files, including TinyMCE files. This assumes that you have the latest version of tiny installed. If you are not, your tiny module will not work properly until you upgrade and reapply release patch files to the tiny folder."

Like I said, I have a REAL JOB and REAL LIFE, and the quick post I because I have little time to pre-digest for developers how exactly they screwed up. If they released a patch that is itself a BUG and a SECURITY issue, then it is THEIR job to pull it, fix it, notify others, and release a proper patch. that is what REAL QC is all about. Apparently, I know about QC more than certain others.

What do I get in response? An instant threat of a ban by Calguy:

"Warning

calguy1000

I deleted your posts about 1.9.4.3 because they were infammatory[sic] and contained no information. Whereas the other person in that thread actually supplied some.

If you recall this is exactly the same reason we temporarily banned you before...

the next ban will be permanent."

That is how CMSMS dev team, under the dictatorship of calguy, handles notices of security flaws with CMSMS.

Why a threat? Because I have put in the work to test many CMSMS modules, and I get feedback from my customers and website visitors. Over the years, I have posted of MANY problems with CMSMS, several of them being from calguy's modules.

I have saved posts dealing with my reports of security flaws with Ecommerce modules upgrade problems, CGFeedback email publicly posted privacy issue, and several others.

It took me a while, after several threats and hints, to realize that CMSMS team, under the dictatorship of calguy, does not tolerate public posts about problems with CMSMS. I have proof to this effect as well. They will only tolerate notices about security flaws if it is told to them in secret, and explained to them perfectly. If someone posts publicly, or does not pre-digest the issue for them, they get banned instantly from the forum.

And I wasn't the only one dissatisfied with the dictatorship politics. There was an "Open Letter to CMSMS community" posted, publicly saying exactly what I am saying. Several members have resigned from participation in the forum.

This brings us back to the issue at hand. A 1.9.4.3 patch was released some time ago (Aug 30, 2011). Developers were notified by myself and others that there were serious security flaws with the patch files. Namely:

1) Several .htaccess files that are supposed to protect files in their directories from being called directly in the browser get overwritten with zero-length files, which eliminate the protection.

2) TinyMCE files get overwritten with files which break TinyMCE WYSIWYG editor functionality (it becomes unusable)

3) Language files get overwritten with zero length files, corrupting language strings.

What does the development team do? They merrily go on releasing 1.10 beta and sweep the issue under the rug. Meanwhile, more and more people download those release file, and proceed to break their website admin functionality.

People keep posting about this issue on the forums, and no one tells them that they are describing a well known problem.

Therefore, I have taken the step to post on my own website, where no children can ban me, and where I can post proper CMSMS upgrade files.

Here goes:

1) cmsmadesimple-1.9.4.3-english.tar.gz AND cmsmadesimple-1.9.4.3-full.tar.gz files have the issue. Do not upgrade or install using these files.

2) cmsmadesimple-1.9.4.2-base.tar.gz AND cmsmadesimple-1.9.4.2-full.tar.gz files are OK, but they need to have a patch applied if you use the News module (read about this below).

3) cmsmadesimple-english-diff-1.9.4.1-1.9.4.3.tar.gz AND cmsmadesimple-full-diff-1.9.4.1-1.9.4.3.tar.gz AND cmsmadesimple-english-diff-1.9.4.2-1.9.4.3.tar.gz AND cmsmadesimple-full-diff-1.9.4.2-1.9.4.3.tar.gz  have this issue. Do not upgrade from .1 to .3, OR .2 to .3. First upgrade to .2 using one of the two files below, then apply my .3 patch.

4) cmsmadesimple-base-diff-1.9.4.1-1.9.4.2.tar.gz AND cmsmadesimple-full-diff-1.9.4.1-1.9.4.2.tar.gz are OK.

5) To upgrade from 1.9.4.2 to 1.9.4.3, I have edited released files to remove issues described above. 

If you need to upgrade an English language files only installation, then use: cmsmadesimple-english-diff-1.9.4.2-1.9.4.3.zip

If you need to upgrade an installation with all languages installed, then use: cmsmadesimple-full-diff-1.9.4.2-1.9.4.3.zip

6) I do not know whether checksum files are correct or not, and whether my files will pass checksum tests. ATTENTION: uploading patch files by FTP very often causes errors. I see errors due to FTP transfers myself all the time. The correct way to upgrade is extensively described on my website. You must backup CMSMS first. Then, upload these files to your server without extracting, and use your hosting control panel file manager's utility or SSH to extract files on your server, to avoid transmission incompatibilities and errors.

7) Finally, I have made an "anti-patch", if you have applied one of the patch files from step #3 and messed up your installation. Apply cmsmadesimple-ANTI-1.9.4.2-OR-1.9.4.3-BOTH.zip. You will need to also go to /admin/lang/ext and delete the empty FILE en_CY if it exists. Also go to /lib and /tmp, and delete a zero or 1 byte length .htaccess file, if it exists there. This file will clean up after using any of the step #3 patches. It will maintain 1.9.4.3 functionality, and take care of broken functionality. Magic!

If you need other file formats (.tar.gz, .rar, etc), or need any help, then feel free to contact me.

Further reading: Announcing CMSMS 1.9.4.3 - Important Security Release, Open Letter to CMSMS community

˅˅˅ Additional valuable information is available at one of the links below: ˅˅˅