
Sunday, October 18, 2020


Security Update: Please help testing

Hi guys,

it’s been silent here for quite a while. But this doesn’t mean there’s nothing happening:

The security issue

You may or may not have seen security issue #64 filed by lethanhtrung222. It describes a vulnerability that lets an attacker delete any uploaded file on your blog just by making you click on a link like this:

  • https://YOURBLOG.ORG/admin.php?p=uploader&action=mediamanager&deletefile=THEFILE.XYZ

This link could be sent to you via email; it works if you are already logged into your admin area, because the browser sends your session cookie along with the request.

The described cross-site request forgery (CSRF) also applies to deleting entries and enabling/disabling plugins.

The fix

Although this is not highly critical, I decided to create a bugfix release that solves this issue. Now, on every logon, a unique token is created. The token is added to the affected links in the admin area, e.g. the “Delete” link in the entries listing. Since this token is freshly created on every logon, an attacker does not know it and can’t attach it to the attacking link. Without the correct token, FlatPress will just not execute the desired action.
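As an added illustration of the mechanism described above (example code written for this post, not FlatPress's own implementation): a random token is created at logon and kept in the session, appended to the admin links as the “csrftoken” parameter, and checked before the action runs. The function names csrf_token_create, csrf_link, csrf_token_check and handle_deletefile are assumptions made for this example.

```php
<?php
// Added example of a per-logon CSRF token; not FlatPress's own implementation.
// Function names are assumptions made for this illustration.
session_start();

// On every successful logon: create a fresh random token and keep it in the
// session. Since it is new each logon, a third party cannot know it in advance.
function csrf_token_create(): string {
    $_SESSION['csrftoken'] = bin2hex(random_bytes(32));
    return $_SESSION['csrftoken'];
}

// Append the session token to a state-changing admin link (delete file,
// delete entry, enable/disable plugin) as the "csrftoken" parameter.
function csrf_link(string $url): string {
    $sep = (strpos($url, '?') === false) ? '?' : '&';
    return $url . $sep . 'csrftoken=' . urlencode($_SESSION['csrftoken'] ?? '');
}

// Before executing the action: compare the submitted token with the session
// token in constant time. A missing or wrong token means the request is refused.
function csrf_token_check(array $request): bool {
    if (empty($_SESSION['csrftoken']) || !isset($request['csrftoken'])) {
        return false;
    }
    return hash_equals($_SESSION['csrftoken'], (string) $request['csrftoken']);
}

function handle_deletefile(array $request): string {
    if (!csrf_token_check($request)) {
        http_response_code(403);
        return 'Refused: missing or invalid csrftoken';
    }
    // The real file deletion would happen here; this example only reports it.
    return 'Would delete ' . basename((string) $request['deletefile']);
}

// Constructed demonstration, runnable from the command line.
csrf_token_create();
$link = csrf_link('admin.php?p=uploader&action=mediamanager&deletefile=THEFILE.XYZ');
parse_str((string) parse_url($link, PHP_URL_QUERY), $legit);
echo handle_deletefile($legit), PHP_EOL;    // request from the admin area's own link

$forged = ['p' => 'uploader', 'action' => 'mediamanager', 'deletefile' => 'THEFILE.XYZ'];
echo handle_deletefile($forged), PHP_EOL;   // the link quoted in the post: no token

$tampered = array_merge($legit, ['csrftoken' => 'not-the-real-token']);
echo handle_deletefile($tampered), PHP_EOL; // edited token, as suggested for testing
```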

The testing

Before finally releasing the new version, I am reaching out to you: please help me test the new version thoroughly and report any bugs that you encounter.

Everything should work exactly as in version 1.1 “Da capo”. The only difference is the new “csrftoken” parameter in the links of the admin area actions described above.

Fiddle around with it: Copy the link URL, change the “csrftoken” parameter and see what happens :)

Get the new version here:

Please do not test on your production FlatPress instances; this is still a beta.

The new version

If everything works as expected in our tests, I will release the new FlatPress version 1.1.1 very soon.

Thanks for your help - and have a great start into the upcoming new week!
Arvid

Saturday, December 28, 2019


Archive of previous support forum is now available

The previous support forum gathered the FlatPress knowledge of more than a decade. So many helpful comments, clever hacks and useful suggestions! Sadly, due to technical difficulties, it hasn’t been available since the new support forum went online - and that was one year ago.

But fear not! Finally, this mighty source of wisdom is online again:

Login is not possible, everything is just read-only. The wisdom may remain untouched and enlighten us with every visit :)

Friday, September 20, 2019


Support forum: Registration bug fixed


Image: “Wood shed door” by bobu - licensed under CC BY-SA 2.0

After I updated phpBB in our support forum last week, the forum registration was broken. The problem persisted until I fixed it today.

Thanks to Rick who reported this! :)

If you encountered problems registering for the forum lately, please try again now.

All the best
Arvid

Tuesday, August 6, 2019


Current project status

Hi everyone,

here’s a little update on the current status of the FlatPress project.

FlatPress itself

Version 1.1 “Da capo” is running stably and doesn’t seem to have major bugs. (See the open issues on GitHub.) Thus, we can concentrate on overhauling language packs and plugins.
Also, there may be some SEO improvements to the default theme Leggero soon.

Support forum

Our new support forum got populated quite nicely. I am very happy to receive your feedback and suggestions on FlatPress! Also, there are a lot of experienced users out there trying to answer incoming questions. Thank you all for supporting each other in this friendly and productive manner!

In order to prevent bot registrations, I changed the behaviour of the registration page. Please let me know if you experience problems registering.

Regarding the old support forum I have good news and bad news: Although I got the forum itself running again, I am still searching for the “everything is read-only” switch. (Vanilla experience, anyone?)
I’m still working on it - it would be great to have back this huge pool of FlatPress know-how.

Public relations

The German-speaking, Twitter-using FlatPressers may have noticed: FlatPress is now listed at Heise Download, one of the biggest German software portals. You are very welcome to rate FlatPress there.
If you know of more such software sites (in any language), please let them know about FlatPress! We still need to make FlatPress more visible to the world.

In retrospect …

In my first blog posting here on flatpress.org, I described my plan to stabilize the software and to revive the community. Although not as quick as I hoped, this seems to have worked quite well.
Thank you all for supporting me in any way!
Let us keep working together to maintain and evolve a great little blogging engine - one that may not fit everyone’s needs, but fits ours perfectly :)

Thursday, February 14, 2019


New FlatPress website, forum, and wiki

All right folks, after a few days of getting everything running, here’s what we’ve got.

New forum!

Since the old one was broken, I started a completely new forum. Use it to ask your questions, meet other FlatPressers, introduce your plugins and themes, or show off the blog sites you created with FlatPress.
The most important thing for new FlatPress users is to find friendly help and support. Give them a warm welcome and answer their questions patiently - today’s newbies will be tomorrow’s pros.

New wiki!

The old wiki contained a lot of helpful information, but was also full of bot-registered spam users. I opened a new wiki and transferred just the contents (but not the users). So please re-register yourself and help us to update and complete the wiki contents.

New website!

Our project website got a renovation of its look and contents. Also, all flatpress.org content (including forum and wiki) is now served over SSL.

And as a little extra for our German-speaking users: Official German website!

New release?

Please be patient a few more days. My plan is to publish the new FlatPress release 1.1 still in February - let’s see if this works out!
When the new release is out, my next efforts will be to publicize it to CMS compare sites, download archives et cetera.

Feel free to get the latest development snapshot from GitHub and test it thoroughly. There will be only a few changes until 1.1 is complete.
Thank you very much for all the bug reports, suggestions, issues and pull requests I already received!

Thanks

A special “Thank you!” goes out to our friends at UD Media, who really like what we do here. UD Media generously supports the FlatPress project by hosting us, making our project revival possible.