News archive

New releases

Composr 10.0.35 released

10.0.35 released. Read the full article for more information, and upgrade information.

Announcements

Community Site Showcase

Announcing the Community Site Showcase, where you can show off your sites to others and upvote/downvote (Reddit-style).

Announcements

Updated minimum PHP requirement

Composr now requires PHP 5.3+ (but really you should be on PHP 7.3+).

New releases

Composr 10.0.34 released

10.0.34 released. Read the full article for more information, and upgrade information.

Announcements

Bugs in Composr 10.0.33

There are a number of nasty bugs in 10.0.33; hot fixes are linked inside this issue.

Announcements

PHP 8 support

Important message regarding Composr compatibility with PHP 8.

New releases

Composr 10.0.33 released

10.0.33 released. Read the full article for more information, and upgrade information.

New releases

Composr 10.1 beta23 released

10.1 beta23 released. Read the full article for more information, and upgrade information.

New releases

Composr 10.0.32 released

10.0.32 released. Read the full article for more information, and upgrade information.

New releases

Composr 10.0.31 released

10.0.31 released. Read the full article for more information, and upgrade information.

New releases

Composr 10.1 beta22 released

10.1 beta22 released. Read the full article for more information, and upgrade information.

New releases

Composr 10.0.30 released

10.0.30 released. Read the full article for more information, and upgrade information.

New releases

Composr 10.1 beta21 released

10.1 beta21 released. Read the full article for more information, and upgrade information.

New releases

Composr 10.0.29 released

10.0.29 released. Read the full article for more information, and upgrade information.

Security issues

XSS via MIME sniffing on .dat files

There is a vulnerability in Composr's storage of uploads as .dat files on servers. A hacker could plant code containing JavaScript, then trick an administrator into running it on their machine.

This is a low-to-medium risk vulnerability. With planning, creativity, and coordination, this could result in a hacker attaining various malicious outcomes. JavaScript code does not have access to files on a user's own computer, but it can be used to automate privileged web page actions on the website it is running on.

Security issues

Illicit access to stats graphs

Composr uses SVG for rendering out stats graphs. When stats are viewed in the Admin Zone, Composr will generate the .xml files onto disk, and then embed those files. However, the URLs to the files are predictable and not access-protected.

This is a low risk vulnerability. While illicit access to stats graphs is not acceptable, there are no wider known repercussions and similar data may be available via third-party tools anyway (such as Alexa).

Security issues

Information leak on IIS

Hackers may directly access the URLs of various on-disk files, because IIS users lack the protection that is built in for Apache users.
Such files include the raw source code of pages, raw templates, and raw language files.

This is a low-to-medium risk vulnerability. The majority of users are not hiding privileged content with guessable page names in Comcode pages, but for those that are, this is a concern. Access to raw templates and language files would rarely be a concern.

New releases

Composr 10.0.28 released

10.0.28 released. Read the full article for more information, and upgrade information.

Announcements

Overhaul of project messaging

A number of development practices have been overhauled around how development work is messaged. This is to improve communication to Composr users and also within the development team.

Announcements

Migration to GitLab

Composr development has moved from GitHub to GitLab.