Textpattern CMS 4.4.1 released

A new version of Textpattern CMS has been released. Version 4.4.1 fixes a security vulnerability that was present in all previous versions, so upgrading is highly recommended.

From the announcement:

All versions prior to TXP 4.4.1 were open to CSRF attacks; pronounced sea-surf. While it’s out of scope in this article to discuss what makes up such an attack, it generally works by tricking a logged-in user into clicking something (e.g. an <img> tag which isn’t an actual image). This link secretly accesses something on the admin side using the current logged-in user’s credentials and performs some action — submits an article, deletes something, whatever. If the user in question is an admin, the potential for damage is high.

To combat this, we now use unique tokens passed in each admin-side form and AJAX request to ensure that the request originated on the admin side from the correct form. Any jiggery pokery results in failure for the attacker and a typically TXPish message.

This release also introduces a new security privilege image.create.trusted which prohibits untrusted users from uploading SWF images to the Images tab.

The full announcement is here: http://textpattern.com/weblog/359/textpattern-cms-441-released-security-upgrade
