{"id":1056,"date":"2017-01-27T11:30:46","date_gmt":"2017-01-27T08:30:46","guid":{"rendered":"http:\/\/www.phpsugar.com\/blog\/?p=1056"},"modified":"2017-10-03T12:33:22","modified_gmt":"2017-10-03T09:33:22","slug":"php-melody-v2-7-1-critical-vulnerability-patched","status":"publish","type":"post","link":"https:\/\/www.phpsugar.com\/blog\/2017\/01\/php-melody-v2-7-1-critical-vulnerability-patched\/","title":{"rendered":"PHP Melody v2.7.1"},"content":{"rendered":"<p>This week we received news of several critical vulnerabilities in PHP Melody. Issues include SQL\/code injection, a PHPMailer vulnerability (see\u00a0<a href=\"https:\/\/web.nvd.nist.gov\/view\/vuln\/detail?vulnId=CVE-2017-5223\">CVE-2017-5223<\/a>) and a <a href=\"https:\/\/www.logicista.com\/2017\/phpmelody-multiple-vulnerabilities\" target=\"_blank\">couple more<\/a>.<\/p>\n<p>Over the past 9 years, PHP Melody has been actively used on more than 29,000 separate websites. Thankfully, we received no reports of sites being hacked via exploitable code in our video CMS. We&#8217;ve always patched vulnerabilities swiftly. In the past 9 years there have been only 4-5 occasions that prompted such releases.<!--more--> These recent findings are serious and should be given utmost importance. <strong>We urge everyone to upgrade<\/strong> their PHP Melody websites to v2.7.1 today. <strong>If for some reason you cannot update<\/strong> to v2.7.1, you can still patch your website(s) by following <a href=\"http:\/\/help.phpmelody.com\/php-melody-critical-vulnerability-fix-jan-2017\/\" target=\"_blank\">this guide<\/a>.<\/p>\n<p>As a precaution, we&#8217;ve patched all recent releases since November 2015 (i.e. v2.5 and newer). So if you&#8217;re updating from PHP Melody v2.5 to v2.6, your site will already be secure against these vulnerabilities. 
All things considered, we still recommend updating all the way to v2.7.1.<\/p>\n<p>Today&#8217;s release includes:<\/p>\n<ul>\n<li>Critical vulnerabilities patched.\n<ul>\n<li>SQL injection patched.<\/li>\n<li>PHPMailer update.<\/li>\n<li>MIME type check and proper chmod for uploads to prevent execution.<\/li>\n<li>Removed instances where the full path is readable.<\/li>\n<\/ul>\n<\/li>\n<li>Improvements for servers with MySQL running in strict mode.<\/li>\n<li>Improvements to the Russian translation.<\/li>\n<li>Updated the Facebook video source.<\/li>\n<li>Fixed emoji helper window.<\/li>\n<li>Fixed G+ sharing widget.<\/li>\n<li>Extended auto-reporting for YouTube videos.<\/li>\n<\/ul>\n<hr \/>\n<p>Today&#8217;s update is available for download in your <a href=\"https:\/\/www.phpsugar.com\/customer\/\">customer account<\/a>, under the &#8216;<em>Download Updates<\/em>&#8216; page.<\/p>\n<p>If you have any questions or need our assistance, <a href=\"http:\/\/www.phpsugar.com\/support.html\">contact our support team<\/a>. As always, we&#8217;re here to help you.<\/p>\n<p>Credit for discovering these vulnerabilities goes to <a href=\"https:\/\/www.logicista.com\/\">Mr. Harry Roberts<\/a>. Thank you.<\/p>\n<p>Have a great weekend and stay safe!<\/p>\n<p><strong>Useful links<\/strong>:<\/p>\n<hr \/>\n<p><a class=\"btn btn-warning btn-flat\" href=\"https:\/\/www.phpsugar.com\/customer\/\">Download v2.7.1 Update<\/a> <a class=\"btn btn-success btn-flat\" href=\"http:\/\/www.phpsugar.com\/phpmelody_order.html\">Buy PHP Melody v2.7.1<\/a> <a class=\"btn btn-info btn-flat\" href=\"http:\/\/www.phpsugar.com\/order.php?id=echo\">Get the Echo theme<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>This week we received news of several critical vulnerabilities in PHP Melody. Issues include SQL\/code injection, a PHPMailer vulnerability (see\u00a0CVE-2017-5223) and a couple more. Over the past 9 years, PHP Melody has been actively used on more than 29,000 separate websites. 
Thankfully, we received no reports of sites being hacked via exploitable code in [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[15,18],"tags":[39,123,20,89,24,124],"class_list":["post-1056","post","type-post","status-publish","format-standard","hentry","category-announcement","category-news","tag-important","tag-package","tag-php-melody","tag-update","tag-video-cms","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/www.phpsugar.com\/blog\/wp-json\/wp\/v2\/posts\/1056","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.phpsugar.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.phpsugar.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.phpsugar.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.phpsugar.com\/blog\/wp-json\/wp\/v2\/comments?post=1056"}],"version-history":[{"count":11,"href":"https:\/\/www.phpsugar.com\/blog\/wp-json\/wp\/v2\/posts\/1056\/revisions"}],"predecessor-version":[{"id":1072,"href":"https:\/\/www.phpsugar.com\/blog\/wp-json\/wp\/v2\/posts\/1056\/revisions\/1072"}],"wp:attachment":[{"href":"https:\/\/www.phpsugar.com\/blog\/wp-json\/wp\/v2\/media?parent=1056"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.phpsugar.com\/blog\/wp-json\/wp\/v2\/categories?post=1056"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.phpsugar.com\/blog\/wp-json\/wp\/v2\/tags?post=1056"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}