Xerte vulnerabilities – fixes available in v3.15.5 and v3.14.6
The Xerte development team have recently been working with an independent security researcher who reported a vulnerability, with a potential exploit, in the setup code used for new Xerte installations when that code is left in place after installation. Public disclosure of the details will follow in due course.
Background:
Since the very first release of Xerte Online Toolkits many years ago, the installation guidance has been to remove the setup folder after initial installation and again after every upgrade, so this vulnerability should not be present in public-facing installations that followed it. Until the updates listed below, however, the upgrade script did not remove the setup folder automatically. The new releases both trigger that automatic removal and fix the setup code itself, so that the exploit is no longer possible even if the setup folder is left in place or cannot be removed by the upgrade script.
Immediate actions for whoever looks after your installation:
Step 1 (Important): Ensure that your public-facing installations do not include the \setup\ folder used for initial installation. If it is still there, delete it manually.
Note: this applies only to the \setup\ folder used for initial installation, not to other folders that merely have "setup" somewhere in their name.
Step 2 (Optional): You could also upgrade to Xerte 3.15.5 or Xerte 3.14.6 and run upgrade.php, which updates the version of your install and removes the setup folder automatically, confirming that it has done so. If the removal fails for any reason (e.g. file permissions), the upgrade still installs the fixed setup code, which protects against the potential exploit while the folder remains; in that case delete the folder manually as in Step 1.
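As an added illustration of the check and removal in Steps 1 and 2 (this is example code written for this page, not code from the Xerte project or from the advisory), the POSIX shell script below verifies whether the installer directory is still present under a web root, removes only that directory, and lists the other "setup"-named folders that are deliberately left alone. It assumes the web root is passed as the first argument and that the installer lives at exactly `<webroot>/setup`; the demo tree it builds under `--demo` is constructed for the example and is not a real Xerte install.

```shell
#!/bin/sh
# Added example, not part of the Xerte project or this advisory.
# Checks a Xerte Online Toolkits web root for the leftover installer
# directory and removes it, touching nothing else.
# Assumptions: WEBROOT is the directory the web server serves the install
# from, and the installer lives at exactly "$WEBROOT/setup".

# Return 0 if the installer directory is still present under WEBROOT.
xerte_setup_present() {
    [ -d "$1/setup" ]
}

# Remove only "$WEBROOT/setup". Directories that merely contain "setup"
# in their name are not matched, as the advisory's note requires.
# Returns 1 if the directory is still there afterwards (e.g. permissions).
xerte_remove_setup() {
    webroot=$1
    if [ ! -d "$webroot/setup" ]; then
        echo "no $webroot/setup directory: nothing to do"
        return 0
    fi
    rm -rf -- "$webroot/setup"
    if [ -d "$webroot/setup" ]; then
        echo "failed to remove $webroot/setup; check ownership and permissions" >&2
        return 1
    fi
    echo "removed $webroot/setup"
}

# List the other directories whose names contain "setup", so the admin can
# see what is deliberately being left in place.
list_other_setup_dirs() {
    find "$1" -type d -name '*setup*' ! -path "$1/setup" ! -path "$1/setup/*"
}

# Build a constructed demo tree in a temporary directory (not a real Xerte
# install) so the script can be exercised offline.
make_demo_install() {
    dir=$(mktemp -d)
    mkdir -p "$dir/setup" "$dir/modules/example_setup_assets" "$dir/content"
    printf '<?php // installer stub (constructed)\n' > "$dir/setup/index.php"
    echo "$dir"
}

# Usage: sh check_setup.sh --demo
# (or source the file and call the functions against a real web root)
if [ "${1:-}" = "--demo" ]; then
    root=$(make_demo_install)
    if xerte_setup_present "$root"; then
        echo "installer directory present under $root"
    fi
    xerte_remove_setup "$root"
    echo "remaining directories with 'setup' in the name (left alone):"
    list_other_setup_dirs "$root"
    rm -rf -- "$root"
fi
```

Run it as the same user the web server files are owned by so the removal does not fail on permissions. After deleting the folder, it is also worth confirming from outside, assuming the install is served from its web root, that a request for /setup/ returns a 404 rather than the installer page.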
Please post any questions regarding this email in the Bugs and Issues section on the community forum.

