As a security-conscious Textpattern CMS user, it’s important that I inform you about CVE-2014-4737 . A vulnerability was discovered in Textpattern 4.5.5 that allowed a carefully-crafted URL to be used in a cross-site scripting (XSS) exploit. This vulnerability was responsibly reported and subsequently fixed by the Textpattern development team for the Textpattern 4.5.7 release – so if you’re running 4.5.7 you’re not affected. If your Textpattern instance is version 4.5.5 or earlier, you are strongly recommended to upgrade to 4.5.7.
The nature of the exploit requires the `/textpattern/setup` directory to be in place. As the name implies, this folder is required for the initial Textpattern setup and should be deleted after the installation. A note in the installation routine recommends this, but as there is no automated removal of the `textpatten/setup` directory it’s possible that it can be overlooked. Regardless of the version of Textpattern you’re running, if you’ve removed the `textpattern/setup` directory your Textpattern is not susceptible to this exploit.
This is somewhat subjective, but Textpattern has a relatively low number of reported exploits when compared to some other CMSes. Of course, Textpattern has a notably lower install base compared to the same CMSes, so it stands to reason there’re fewer pairs of eyes looking at it. A previous version of Textpattern, version 4.4, was affected by CVE-2011-5019 – again, an XSS exploit concerning the `textpatten/setup` directory. Before that, a small handful of exploits affected Textpattern 4.3 and 4.2. In each case, the exploits were reported, fixed and made available.
The key point in all this is to remember your CMS instance, whether it’s Textpattern or something else, should be maintained according to the recommendations of people who know about these things. Keep your CMS(es) safe by updating and upgrading when advised to.
If you intend to upgrade your Textpattern instance to 4.5.7 — and I strongly recommend you do — the `textpattern/setup` is not vulnerable. In addition, if you’re upgrading rather than installing, the `textpattern/setup` is irrelevant and can be safely ignored. In my next article I’ll be introducing you to Textpattern 4.5.7 properly and explaining some of the changes that have been made, and after that I’ll be showing you how to upgrade your installation. Additionally, there’s going to be an article on how to strip down the Textpattern 4.5.7 distribution for a smaller total upload if your connection isn’t as good as you’d like it to be. The end result will be an updated Textpattern installation with the same functionality, but less of a FTP payload – saving you time and bytes. I hope you’ll join me.