A vulnerability in concrete5 which permitted authenticated users to view the contents of arbitrary messages was reported on February 11, 2019. No information identifying individuals was exposed. A fix was added to the concrete5 repository on Monday, February 15, 2019 and mitigated on the concrete5.org website on Wednesday, February 20, 2019.
All concrete5 sites should update to versions 8.4.5 or 220.127.116.11. The concrete5.org website has been upgraded and messages are no longer vulnerable, and no evidence was found that suggests this vulnerability was exploited on the website.
On Monday, February 11, 2019 at 02:00 PST, Mlocati submitted a patch to the core 8.4 branch that fixed an issue where logged in users could see one another’s messages by changing ID numbers in a URL. It does not grant access editing data or the dashboard, it does not expose any user attributes, it does not allow replying to messages or content creation of any type. It can, however, expose the content of messages that are intended to be private, and that represents a potentially large security issue for some sites. We are treating it as a high-priority, high-risk incident.
On Tuesday, February 19, 2019 at 09:39 PST, A3020 submitted a security report pointing out that this vulnerability was exploitable on concrete5.org.
On Wednesday, February 20, 2019 at 11:02 PST, we informed A3020 that concrete5.org had been patched to keep this from happening on concrete5.org. This introduced a new bug keeping replies to messages from working which was fixed on February 22, 2019.
On Friday, February 22, 2019, we decided this vulnerability should be patched in legacy concrete5, as it is still 6 months until official end of life is complete for version 5.6 and below.
Over the weekend (February 23 – 24, 2019), 8.4.5 and 18.104.22.168 were finalized by core team and community members.
On Monday, February 25, 2019 support clients of PortlandLabs were notified of the vulnerability, the fix, and our assessment of the impact to their systems.
We reviewed log records at concrete5.org to see if traffic patterns indicated this vulnerability had been systematically exploited in any way. Based on analysis of our logs there DOES NOT appear to be evidence of any systematic exploitation
This vulnerability does not impact any systems where we store PII (including credit card information) by design. This only impacts content that might have put in messages through the My Account > In-box area.
We strongly encourage you to not send sensitive information to individuals through messages on concrete5.org. Passwords and logins to production environments should not be shared through websites at all, and certainly not left in messages on concrete5.org.
As of Tuesday February 26, 2019 we have added a bulk delete feature to concrete5.org’s messages area. This feature will delete all copies of messages sent to or from you. If you know sensitive information has been sent to or from your account in the past, please take a moment to hit this button and clean up this old data. Even if you don’t think there’s sensitive information in there, please delete your old messages, we’re not promising these will stay around forever.
If you are using concrete5 to power an online community and you are enabling the user account in-box as part of that, you should immediately upgrade to version 8.4.5.
If you are using legacy version 5.6- to run a community site that involves in-box use, you should upgrade to 22.214.171.124. You should also be close to launching your 8.4.5 based replacement at this point, as your software is very old.
Thank you to everyone who brought this to our attention and contributed to the efforts to safely resolve it. In particular A3020, Mlocati, and Remo. Making digital communication easy and good for everyone is our goal, and security is always a very serious concern.