Thread tagged as: Addons

Important security update: patches for MarkItUp

We've been seeing an increasing number of attacks against a security vulnerability in our MarkItUp editor plugin for Perch and Perch Runway.

If your site is up to date then you don't need to worry - this was something we fixed in 2.8.15. If your site is older then you need to update. We emailed all customers about this on 25th.

With this being the first security issue in 6.5 years, we know many of you are out of the habit of keeping sites up to date. That's understandable - it's not something you normally need to worry about with Perch. So to make it easy to fix your installation, we've produced a patch for every version of Perch 2 and one for Perch 1 as well. You just need to download the correct file and upload it to the right place on your server.

Drew McLellan

Drew McLellan 2638 points

  • 5 years ago

Hi Drew,

Cheers for all the patches, this will be super helpful.

I understand the whole php-vs-phtml-renaming-to-txt thing and how the payload works - what I don't understand is how a non-logged-in user is able to upload files, even inert files, to the resources folder in the first place? Are there details on this?

Drew McLellan

Drew McLellan 2638 points
Perch Support

Yes, that's the bug. The upload script used the public API rather than the authenticated API. Uploads should only be accepted from logged in users.

It's a bug that unfortunately has existed in Perch for many years, despite multiple penetration tests and security audits by some very serious global technology companies. It's obviously regrettable that it slipped through, and that the backup checks (renaming dangerous files) were then also imperfect.
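As an added illustration of the two gaps Drew describes (this is example code, not Perch's own upload script, and the logic is language-agnostic even though it is shown in Python): the session check runs before any filename handling, and the extension check is an allowlist rather than a rename of `.php`. The `legacy_sanitise` function reproduces the rename-only check so its misses (`.phtml`, upper-case `.PHP`) are visible next to the hardened version. The function names, extension lists and the `session` dictionary shape are assumptions.

```python
import os
import re

# Segments that must never reach a web-served folder (constructed list for the
# example; check the handler map of your own web server).
DANGEROUS_SEGMENTS = {"php", "phtml", "php3", "php4", "php5", "php7", "phps", "phar", "htaccess"}
# What the editor actually needs to accept (assumption for the example).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}


class UploadRejected(Exception):
    pass


def legacy_sanitise(filename: str) -> str:
    """The imperfect backup check: rename only a literal '.php' suffix to '.txt'.
    'shell.phtml' and 'shell.PHP' pass through untouched."""
    if filename.endswith(".php"):
        return filename[:-4] + ".txt"
    return filename


def hardened_sanitise(filename: str) -> str:
    """Allowlist-based: strip path parts, check every dotted segment
    case-insensitively, and require the final extension to be allowed."""
    base = re.sub(r"[^A-Za-z0-9._-]", "_", os.path.basename(filename))
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        raise UploadRejected("missing or hidden extension")
    # Reject a dangerous segment anywhere in the name (e.g. 'a.php.jpg'),
    # since some server configurations dispatch on the first recognised extension.
    if any(p in DANGEROUS_SEGMENTS for p in parts[1:]):
        raise UploadRejected("server-side script extension")
    if parts[-1] not in ALLOWED_EXTENSIONS:
        raise UploadRejected("extension not allowed")
    return ".".join(parts)


def handle_upload(session: dict, filename: str) -> str:
    """Authenticated-only upload: the login check comes before any filename logic."""
    if not session.get("user_id"):
        raise UploadRejected("authentication required")
    return hardened_sanitise(filename)


def is_rejected(session: dict, filename: str) -> bool:
    """Helper for checking the gate's decision without raising."""
    try:
        handle_upload(session, filename)
    except UploadRejected:
        return True
    return False
```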

Ah I see. Thanks Drew :)

Wow Drew, you have been working hard to get things patched up... A huge thank you for taking such swift action.

It's sad to think someone would find such joy in causing trouble.

Perch Rocks

Thanks for the updates Drew

Just scoping out the work I now need to do.

So if we don't use Markitup as an editor in our templates... and it's not on the server, we are OK?

Or is markitup also used 'out of sight' by default for e.g. image or file uploads?

Thanks for addressing this so quickly Drew.

I have a client still on 1.6.5 (…yes, I know…). Will the 1.8.4 patch be ok for this?

Drew McLellan

Drew McLellan 2638 points
Perch Support

I really don't know about 1.6.5.

I'd also like to add my thanks for producing a full range of options for fixing this. If this is the first security fix you've had to issue in over 6 years, I think that's a fantastic achievement! In fact, the absolute pain of having to update Joomla after every security exploit was one of the main reasons I searched for an alternative CMS - and I'm delighted with Perch. Having the specific target file updated for every version of Perch made updating all my clients' sites pretty easy. Thanks again.

+1 thank you for making this as easy to patch as you possibly could. I needed to patch 20 websites and it only took around an hour.

If my client's website uses ckeditor and not markitup do I need to install the patch?

Rachel Andrew

Rachel Andrew 394 points
Perch Support

Yes, you still need to replace the MarkItUp editor.

Simon Clay

Simon Clay 127 points

Hi, I've just logged into a client's site and checked its version, it's 2.8.13. I am quite certain that I applied the Markitup patch. But I want to be sure. Is there a way to tell from diagnostics if Markitup is secure and up-to-date?