playSMS 1.4.3 has been released

playSMS version 1.4.3 is available for download. This version contains bug fixes and security fixes. The vulnerability found in previous playSMS versions is considered severe, and it is recommended to upgrade previous playSMS installations to version 1.4.3 as soon as possible.

Please visit this playSMS Forum post for more information.

UPDATE

A technical advisory about a certain security vulnerability in playSMS related to this release has been published by Lucas Rosevear of NCC Group:

[SECURITY] playSMS 1.0-beta1

This version fixes the CSRF exploit reported here:
http://www.exploit-db.com/exploits/30177/

Along with the fix there are also several bug fixes and enhancements.

Download playSMS version 1.0-beta1 here:
https://github.com/antonraharja/playSMS/releases/tag/1.0-beta1

Here is the complete change log for 1.0-beta1:

  • MAJOR: add core_call_hook(), utilizing debug_backtrace() to replace the way functions call plugins' hook functions
  • MAJOR: user_incoming and all_incoming now only show SMS with a matched keyword, or handled SMS
  • MAJOR: fix #155 SECURITY HOLE, CSRF exploit
  • remove default timezone and language from database, tblUser
  • add an option to allow/disallow regular user access to sms_command
  • add dlr-storage=internal and mo-recode=true, and a few other changes in contrib/kannel/kannel.conf
  • add ta=SX webservices handler for retrieving sandbox messages
  • add DB DSN options
  • add new language Russian ru_RU (dvoryanchikov)
  • update Catalan language ca_ES (aseques)
  • update included php-db to version 1.7.14
  • update to try to limit browser zoom, viewer should not be able to zoom/scale
  • use sendsms() and remove sendsms_bc() when sending SMS; the goal is to remove duplicate entries when a user sends to a group and to numbers that are already included in that group
  • fix #100 1 contact in multiple groups, also major changes on the backend
  • fix #119 missing phonebook edit
  • fix #127 queuelog entries should be removable
  • fix #128 add webservices method ta=set_token to update webservices token
  • fix #129 remove smsc=default, kannel gateway, users might miss this when debugging
  • fix #137 add new admin menu, sandbox, since all incoming SMS and user incoming SMS now only show handled SMS
  • fix #146 security fix: prevent use of special characters such as ; or / (dvoryanchikov)
  • fix #147 fixes in localization (dvoryanchikov)
  • fix #148 fix duplication of search results at send_sms page (dvoryanchikov)
  • fix #151 email field length in user_pref too short, and possibly in other places as well

Discuss this here.