Exponent CMS Beta 2.1 Security Release

Tuesday, May 3, 2011 Tags: patch, release, bugs

Exponent 2.0 Beta 2.1 was released today in response to the report of a security vulnerability discovered by a community member. The majority of Exponent 2.0 sites are affected by this vulnerability, and all Exponent CMS users are highly advised to update their code.

The issue can be corrected in one of 3 ways:
1) Manually - Simply open up /framework/datatypes/user.php, and look for the save() method:

public function save($overrideUsername = false) {
     global $db;

     // if someone is trying to make this user an admin, lets make sure they have permission to do so.
     if(isset($params['is_admin']) || isset($params['is_acting_admin'])) $this->checkAdminFlags();

     // if the site is configured to use the email addy as the username we need to force the
     // the email address into the username field.
     if (USER_REGISTRATION_USE_EMAIL == 1 && !empty($this->email) && $overrideUsername == false) $this->username = $this->email;

The line in question is:
if(isset($params['is_admin']) || isset($params['is_acting_admin'])) $this->checkAdminFlags();

Change this to:

and that's the fix.

2) Upgrade your site to Beta 2.1 - All previous releases have been removed from the Github Download page, except for Beta 2.1 where the issue has been corrected.

3) Apply the patch - The Team has posted a patch on the download page which can be installed via Exponent's "Upload Extension" feature. This method may cause issues in older versions of Exponent 2.0, but anything past Beta 1 will be fine.

Community member Ron Miller has written a python script that will correct this issue in batch on multiple sites. It's extremely useful for servers running many Exponent 2.0 websites.

Please post any questions or comments about this issue in our Security Forum.