playSMS 1.4.7 Released

playSMS version 1.4.7 has been released. This release contains several major performance changes and some security-related updates.

What’s Changed

  • Reduce or change some steps for faster database access when sending SMS and updating DLRs
  • Simplify db queries for faster page load on Reports
  • Better search form on Reports
  • Provide an SQL file for applying db table indexes
  • Remove the dependency on PEAR/DB; PDO is now used for db operations
  • Compatibility with PHP 8
  • Fix some bugs and security-related issues

Full Changelog: https://github.com/playsms/playsms/compare/1.4.6...1.4.7

Installation: https://github.com/playsms/playsms/blob/1.4.7/INSTALL.md

Download: https://github.com/playsms/playsms/releases/tag/1.4.7

Please note that the upgrade may not be simple, as this version has updates to composer and the database structure. Detailed instructions for upgrading an existing previous version of playSMS will be available soon.

playSMS 1.4.6

playSMS version 1.4.6 has been released. This release contains several small fixes and 1 security fix. If you are using playSMS 1.4.5 please update it to this version.

This version has only a few file changes and no database changes, so you can just replace all files with this release. Follow instructions similar to this howto to upgrade your previous version to 1.4.6.

Get playSMS 1.4.6 from here.

Read the full changelog compared to 1.4.5 here.

Visit playSMS forum for more information and discussion.

playSMS 1.4.5 Released

Update: the upgrade steps described in this post will also work for playSMS version 1.4.6; just replace every 1.4.5 with 1.4.6.

playSMS version 1.4.5 is available for download. This version contains bugfixes and security fixes. The vulnerability found in previous playSMS versions (1.4.3 and below) is considered severe, and it is recommended to upgrade a previous playSMS installation to version 1.4.5 as soon as possible.

Get playSMS version 1.4.5 from download page.

Please note that upgrading from 1.4.3 to 1.4.5 is rather simple, no database update required:

  1. Make backups; you can do a full backup or back up just the PHP files
    • Upgrading from 1.4.3 to 1.4.5 only requires replacing PHP files
    • No database update is required
  2. Get the new version 1.4.5 from the download page
  3. Extract playsms-1.4.5.tar.gz (or 1.4.5.tar.gz, depending on how you downloaded it) and run ./getcomposer.sh
    • After extracting you will see the playsms-1.4.5 folder
    • cd into the folder and run ./getcomposer.sh; pay attention to the result and check whether any errors occurred
    • Updating the composer packages is important, do not miss it
  4. Replace all web PHP files in your 1.4.3 installation folder with the new version
    • Make sure that you do not replace your own/existing config.php
    • Make sure that PHP files are replaced properly, especially files under the lib/ and plugin/core/ folders
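
The backup and file-replacement steps above as a shell function, with a check that the files under lib/ and plugin/core/ really were replaced and that config.php was left alone. This is an added example, not part of the original post or the playSMS project; the directory arguments are assumptions, and the release must already be extracted with ./getcomposer.sh run.

```shell
#!/bin/sh
# Added example, not playSMS project code. Covers steps 1 and 4 of the list
# above; step 3 (extract + ./getcomposer.sh) must already be done.
# Usage: upgrade_playsms NEW_WEB_DIR INSTALL_DIR BACKUP_TARBALL
#   NEW_WEB_DIR  web files of the extracted release (location is an assumption)
#   INSTALL_DIR  existing installation that holds your own config.php
upgrade_playsms() {
    ps_new=$(cd "$1" 2>/dev/null && pwd) || return 2
    ps_inst=$(cd "$2" 2>/dev/null && pwd) || return 2
    ps_backup=$3
    [ -f "$ps_inst/config.php" ] || return 2

    # Step 1: full backup of the current installation before any change.
    tar -czf "$ps_backup" -C "$ps_inst" . || return 3

    # Step 4: set the existing config.php aside, overlay the new files,
    # then put the original config.php back (mode and timestamps kept).
    ps_keep=$(mktemp) || return 4
    cp -p "$ps_inst/config.php" "$ps_keep" || return 4
    if ! cp -R "$ps_new"/. "$ps_inst"/; then
        cp -p "$ps_keep" "$ps_inst/config.php"; rm -f "$ps_keep"
        return 5
    fi
    cp -p "$ps_keep" "$ps_inst/config.php" || return 4
    rm -f "$ps_keep"

    # Check that every file under lib/ and plugin/core/ in the new release
    # is byte-identical in the installation (leftover old files are ignored).
    ps_stale=$(cd "$ps_new" && find lib plugin/core -type f 2>/dev/null |
        while IFS= read -r ps_f; do
            cmp -s "$ps_f" "$ps_inst/$ps_f" || printf '%s\n' "$ps_f"
        done)
    if [ -n "$ps_stale" ]; then
        printf 'not replaced:\n%s\n' "$ps_stale" >&2
        return 1
    fi
    return 0
}
```

Write the backup tarball outside the installation folder so it is not served by the web server and is not included in itself.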

Please visit this playSMS Forum post for more information.

Upgrading playSMS

As of today the latest stable release is playSMS 1.4.3. This version is very important: it contains fixes for a critical security vulnerability. If you have installed and are currently running a previous version such as playSMS 1.4.2, then you must upgrade it immediately.

Upgrading playSMS is about replacing all files and folders and running an SQL DB upgrade. Upgrades in playSMS rarely delete old files; they mostly modify them, so you can just replace them with the new ones, unless of course specifically said otherwise.

This article is a guide on how to upgrade a previous version of playSMS. It assumes you already have a working playSMS that is one version behind the latest stable release, for example you have 1.4.2 installed and 1.4.3 has now been released.

playSMS 1.4.3 has been released

playSMS version 1.4.3 is available for download. This version contains bugfixes and security fixes. The vulnerability found in previous playSMS versions is considered severe, and it is recommended to upgrade a previous playSMS installation to version 1.4.3 as soon as possible.

Please visit this playSMS Forum post for more information.

UPDATE

A technical advisory about a certain security vulnerability of playSMS related to this release has been published by Lucas Rosevear of NCC Group:

[SECURITY] playSMS 1.0-beta1

This version fixes the CSRF exploit reported here:
http://www.exploit-db.com/exploits/30177/

Along with the fix there are also several bug fixes and enhancements.

Download playSMS version 1.0-beta1 here:
https://github.com/antonraharja/playSMS/releases/tag/1.0-beta1

Here is the complete change log for 1.0-beta1:

  • MAJOR: add core_call_hook(), utilizing debug_backtrace() to replace the way functions call hooking plugin’s functions
  • MAJOR: user_incoming and all_incoming now only shows SMS with matched keyword, or handled SMS
  • MAJOR: fix #155 SECURITY HOLE, CSRF exploit
  • remove default timezone and language from database, tblUser
  • add an option to allow/disallow regular user access to sms_command
  • add dlr-storage=internal and mo-recode=true, and a few other changes in contrib/kannel/kannel.conf
  • add ta=SX webservices handler for retrieving sandbox messages
  • add DB DSN options
  • add new language Russian ru_RU (dvoryanchikov)
  • update catalan language ca_ES (aseques)
  • update included php-db to version 1.7.14
  • update to try to limit browser zoom, viewer should not be able to zoom/scale
  • use sendsms() and remove sendsms_bc() while sending SMS; the goal is to remove duplicated entries when a user sends to a group and to numbers that are already included in that group
  • fix #100 1 contact in multiple group, also major changes on the backend
  • fix #119 missing phonebook edit
  • fix #127 queuelog entries should be removable
  • fix #128 add webservices method ta=set_token to update webservices token
  • fix #129 remove smsc=default, kannel gateway, users might miss this when debugging
  • fix #137 add new admin menu, sandbox, since now all incoming sms and user incoming sms only shown handled SMS
  • fix #146 security fix: prevent use of special characters such as ; or / (dvoryanchikov)
  • fix #147 fixes in localization (dvoryanchikov)
  • fix #148 fix duplication of search results at send_sms page (dvoryanchikov)
  • fix #151 email field length in user_pref too short, and possibly in other places as well

Discuss this here.

playSMS version 0.9.7.2 has been released (SECURITY FIX)

This version contains only a fix for a security bug in inc/app/webservices.php. Users who installed playSMS 0.9.7 or 0.9.7.1 are encouraged to upgrade their installation as soon as possible. playSMS versions prior to 0.9.7 are not affected.

A quick workaround for the bug is to remove inc/app/webservices.php immediately. See this for details.

You may get playSMS 0.9.7.2 from our download page.