Announcing CMSMS 1.12.2 (kolonia)
Today we are announcing CMS Made Simple 1.12.2, a release primarily addressing a security concern.
This release addresses a concern about how the HTTP_HOST header can potentially be spoofed in some circumstances resulting in various problems including the fact that all links from your site could be altered to point to another domain.
We have modified the code such that this is no longer easily possible. This change will not be of a concern for most installations, but on some sites where the same installation of CMS Made Simple can be accessed by requesting different domains some modifications may be required.
In CMSMS 1.12.2 we introduced a new config variable entitled 'host_whitelist' which provides an absolute list of which hosts your installation will support. Developers using installations that support some kind of multi-site configuration will need to review the documentation for this config variable in the doc/config_reference.pdf file distributed with CMSMS 1.12.2 and adjust their config.php file accordingly.
Additionally, there are a few very minor fixes included with 1.12.2, including some fixes to the cms_url class.
This release encapsulates the CMSMailer 5.2.14 security vulnerability that was previously addressed as a new CMSMailer module version.
As previously announced, we will continue to support the 1.12.x series for critical bugs and security fixes until 365 days after the release of CMSMS 2.0, which occurs in September 2016.
Thank you for your time, and we encourage you to upgrade your CMSMS installations as soon as possible. You can download 1.12.2 from the CMSMS forge at: http://dev.cmsmadesimple.org/project/files/6
Many thanks to Mickaël WALTER at i-tracing.com for finding this issue and kindly reporting it to us.
Thank you for your time, and have fun with CMSMS.
Your CMSMS Dev Team