In the past several days, there have been a number of articles raising the alarm about content management systems which allow executable files to be uploaded by an administrator, who already has complete control over the website.
The latest version of Concrete, 8.5.4, includes a security fix which adds more file types, including PHP, to the file extensions blocklist to protect less knowledgeable website admins and editors from uploading sketchy files. To take advantage of this increased security feature, we highly recommend updating to version 8.5.4 as soon as possible.
We are happy to say that we have had no reports of this vulnerability in the wild. Still, we are noticing an uptick of security journalists and cybersecurity blogs mentioning the exploit and want to remind our community to update.
Background
This vulnerability was reported to us via Hackerone—and we released a fix in version 8.5.3 on June 4 2020. This fix was publicized on GitHub (https://github.com/concrete5/concrete5/releases/tag/8.5.3), on concrete5.org (https://documentation.concrete5.org/developers/introduction/version-history/853-release-notes), and in NIST’s National Vulnerability Database (https://nvd.nist.gov/vuln/detail/CVE-2020-11476).
How Can I Update?
Don’t forget to make a backup! Then choose your upgrade method from our documentation here: https://documentation.concrete5.org/developers/introduction/installation/upgrading-concrete5
Clients Hosting with PortlandLabs
Clients who host their Concrete sites with PortlandLabs can choose to let us manage all updates on their behalf before vulnerabilities are disclosed.
Can’t Update Right Now? Configure Your Webserver!
An additional compensating control, separate from the fix, is to configure the webserver to disallow executing any files uploaded to /application/files. Anyone who does not wish to upgrade can implement this alternative.
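As an added illustration of that compensating control (this is example configuration written for this page, not Concrete’s own shipped .htaccess), the following Apache 2.4 directory block refuses to serve or execute PHP-like files under the uploads directory. It assumes an install root of /var/www/concrete; adjust the path to your site.

```apache
# Assumed install root: /var/www/concrete (change to match your site).
<Directory "/var/www/concrete/application/files">
    # Deny direct requests for anything a PHP handler might execute,
    # matched case-insensitively (.php, .PHP, .phtml, .phar, .php7, ...).
    <FilesMatch "(?i)\.(php|phtml|phar|php[0-9])$">
        Require all denied
    </FilesMatch>

    # If PHP runs as an Apache module, also switch the engine off for this
    # directory so an unexpected extension is served as static content
    # rather than executed. Module names differ by PHP version.
    <IfModule mod_php.c>
        php_admin_flag engine off
    </IfModule>
    <IfModule mod_php7.c>
        php_admin_flag engine off
    </IfModule>

    # Ignore any .htaccess that ends up inside the uploads tree, so an
    # uploaded file cannot re-enable execution or loosen these rules.
    AllowOverride None
</Directory>
```

Place the block in the virtual host configuration rather than in a .htaccess file, since the point of AllowOverride None is that nothing under /application/files can change it. After reloading Apache, verify the control by requesting a harmless test file such as /application/files/test.php and confirming the server returns 403 rather than executing or serving it.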
Hire Someone
If you're looking for someone who can really work with you hands on to upgrade and maintain sites on a tight budget, you should post to our job board here: http://concrete5.org/community/jobs
HUGE Thank You!
Thank you to Edgescan and senior information security consultant Guram Javakhishvili for reporting the security issue in Hackerone.
Thank you mlocati for providing us with the fix, we really appreciate your contributions.
Our mission is to “build a web for the greatest good.” Keeping the public informed about security fixes for Concrete is very important to us.
If you are a Journalist we would be more than happy to review for technical accuracy and provide feedback on any article you might write. Please contact us here.