playSMS version 1.4.3 is available for download. This version contains bugfixes and security fixes. Vulnerability found on previous playSMS considered severe and it is recommended to upgrade previous playSMS installation with version 1.4.3 as soon as possible.
Please visit this playSMS Forum post for more information.
Technical advisory about certain security vulnerability of playSMS related to this release has been published by Lucas Rosevear of NCC Group:
This version fix the CSRF exploit reported here:
Along with the fix there are also several bug fixes and enhancements.
Download playSMS version 1.0-beta1 here:
Here are the complete change log for 1.0-beta1:
- MAJOR: add core_call_hook(), utilizing debug_backtrace() to replace the way functions call hooking plugin’s functions
- MAJOR: user_incoming and all_incoming now only shows SMS with matched keyword, or handled SMS
- MAJOR: fix #155 SECURITY HOLE, CSRF exploit
- remove default timezone and language from database, tblUser
- add an option to allow/disallow regular user access to sms_command
- add dlr-storage=internal and mo-recode=true, and a few other changes in contrib/kannel/kannel.conf
- add ta=SX webservices handler for retrieving sandbox messages
- add DB DSN options
- add new language Russian ru_RU (dvoryanchikov)
- update catalan language ca_ES (aseques)
- update inluded php-db to version 1.7.14
- update to try to limit browser zoom, viewer should not be able to zoom/scale
- use sendsms() and remove sendsms_bc() while sending SMS, the goal was to remove duplicated entries when user send to group and numbers that actually already included in group
- fix #100 1 contact in multiple group, also major changes on the backend
- fix #119 missing phonebook edit
- fix #127 queuelog entries should be removable
- fix #128 add webservices method ta=set_token to update webservices token
- fix #129 remove smsc=default, kannel gateway, users might miss this when debugging
- fix #137 add new admin menu, sandbox, since now all incoming sms and user incoming sms only shown handled SMS
- fix #146 security fix: prevent use of special characters such as ; or / (dvoryanchikov)
- fix #147 fixes in localization (dvoryanchikov)
- fix #148 fix duplication of search results at send_sms page (dvoryanchikov)
- fix #151 email field length in user_pref too short, and possibly in other places as well
Discuss this here.
This version contains only a fix to a security bug in inc/app/webservices.php. Users installing playSMS 0.9.7 or 0.9.7.1 are encouraged to upgrade their installation as soon as possible. playSMS version prior to 0.9.7 are not affected.
A quick workaround to fix the bug is by removing inc/app/webservices.php immediately. See this for detail.
You may get playSMS 0.9.7.2 from our download page.