Important Komento 2.0.5 Security Fix

  Mark Komento


We have just released Komento 2.0.5 to address a security issue in earlier versions of Komento: a remote attacker may be able to launch a cross-site scripting (XSS) attack against any version prior to 2.0.5.

If you are using any version prior to 2.0.5, please update to the latest version as soon as you can. If you need any assistance with the update, please get in touch with us on the forums and we'll help you through it =)

Download Latest Version (2.0.5)


16 Comments
  • Supporter

    about 11 months ago

    This fix has the same version number as the previous release.
    The admin panel displays: You are using the latest version of Komento 2.0.5
    Update is not possible from the admin panel of Komento.
    The downloaded launcher is also version 2.0.5.
    Is the launcher already updated?
    Will you change the version # or keep it at 2.0.5?

  • Shiyi

    In reply to: Supporter about 11 months ago

    Hey Supporter,

    Actually this update was released on 28th September 2015. Because not many people took notice of it, Mark wrote this blog post.

    If you updated after 28th Sept and before 12th Oct, then you already have the latest version. Sorry for the confusion.

  • Supporter

    In reply to: Shiyi about 11 months ago

    Thank you Shiyi

  • Mark

    about 11 months ago

    Hey supporter,

    Just to reiterate my colleague's reply above: if you are already on 2.0.5, you are already on the latest release :) This message is for users who are still using a version of Komento prior to 2.0.5.

  • Supporter

    about 11 months ago

    Hey Mark,

    Thank you.
    "We have just released Komento 2.0.5" grabbed my attention...

  • Mark

    In reply to: Supporter about 11 months ago

    The post was actually written the day after we released Komento 2.0.5, but we forgot to hit the "publish" button, and that's my fault :(

  • Timothy Phillips

    about 11 months ago

    Based on what I am reading, Stackideas has known of this vulnerability for an undetermined amount of time, created a fix, and released this fix on September 28th, 2015. Between September 28th and today (October 12, 2015) Stackideas has made no effort to communicate a known security vulnerability to subscribers, but rather believes the burden of due diligence is on the customer to check back each and every day to see if a security patch has been released, without any knowledge of any vulnerabilities in StackIdeas product(s).

    The software industry at large has already established precedent on how responsible software development companies manage security vulnerabilities in their products, and how communication to clients should happen. Software development companies who care about security have set their customers' interests as a priority, and proactively send security alerts by e-mail to their clients' points of contact / subscribers; they don't sit idly by as StackIdeas has in this case. In contrast, you have told the world, including hackers, about the vulnerability at the same time as your customers, leaving your customers open and vulnerable until they get patched. What about those on vacation, or celebrating a holiday like Canada's Thanksgiving Day or US Columbus Day, who are not in the office reading business-oriented e-mails and available to react to the news on your blog? Let me help you: these people's companies will, for at least one more day, be left open and vulnerable before they can begin testing your update file. On the flip side, hackers don't need to test your patch; they can simply start going to work to identify potentially vulnerable hosts and then do what hackers do.

    StackIdeas' negligent actions have resulted in you knowingly leaving your customers vulnerable for 14 days (2 weeks). In the legal world this is called gross negligence, something you should probably get educated on.

    While I understand that sometimes software gets written and vulnerabilities are identified later on based on the release of new hacking techniques, this situation in particular does raise a serious question as to whether or not StackIdeas invests any effort at all in proactively attempting to identify vulnerabilities in new versions of its software. Specifically, it is unclear, based on the lack of any communication offering assurance, whether StackIdeas proactively does security source code analysis or vulnerability testing prior to release, common activities performed by today's responsible software development companies. In this day and age, with the high volume of hacking going on, Joomla! developers like StackIdeas and others need to migrate to a responsible and customer-oriented mindset.

  • Mark

    In reply to: Timothy Phillips about 11 months ago

    Hey Timothy,

    Firstly, thanks for your constructive criticism here; I appreciate it and needed this very much. This post was actually written almost the same day as we released Komento 2.0.5, but it was my fault for not publishing it yet, as I thought it had already been published until the guys at JED contacted me over the weekend stating that we hadn't published about this yet.

    I sincerely apologize for this and I will ensure that this will never happen again.

  • Guest - stein

    about 11 months ago

    Does this affect Komento 1.5.x? I have it installed in my Joomla 2.5.x and it says "You are using the latest version of Komento 1.5.xxx"

  • Mark

    about 11 months ago

    Yes, any version prior to 2.0.5. Please update to the latest version as soon as you can.

  • Sophie Hadgraft

    about 11 months ago

    Hi Mark,

    I'm using 1.8.3 at the moment. I've just downloaded and installed 2.0.5 and have received this message:
    Important! If you are upgrading from Komento 1.0, you will have to go to the Configuration Page and perform a database update for Komento 2.0 to work properly.

    Do I still need to do this upgrading from 1.8.3 rather than 1.0? Also is the new Komento compatible with EasyBlog 3.9 because I haven't been able to update this as yet?

    Please can you also confirm whether all of my config will be picked up in the new version? Looks like it has at first glance but just want to double check that I don't need to run through all the settings!

    Thanks :)

  • Mark

    about 11 months ago

    Hey Sophie,

    Sorry, missed your post here. You can actually just ignore that message if you are upgrading from 1.8.x :) Yes, the latest Komento is still compatible with EasyBlog 3.9.x but I would recommend that you update to EasyBlog 5 :p

    Yes, all your settings will be retained as they are.

  • Sophie Hadgraft

    about 11 months ago

    Hi Mark,

    No problem! I ran the database cleanup anyway and it was fine so good news all round. Thanks for your confirmation on the other bits, and yes our aim is to update to Easyblog 5 very soon!

    Thanks, Sophie

  • Mark

    about 11 months ago

    Thanks for updating Sophie :) Yep, go ahead with EasyBlog 5, it's pretty stable right now, just some minor teething issues which we are still fixing :p

  • user23

    about 11 months ago

    Good :)

  • Guest - Lilly

    about 5 months ago

    Hey Mark! As you said, I have updated it. Thanks to Komento
