ImpressCMS 1.0.3 RC1 - Security Improvement
Published by Skenow on 2008/10/22 (1476 reads)
A small vulnerability has been reported to the ImpressCMS Security Team (security@impresscms.org) in the userranks administration of ImpressCMS 1.0.2 and the developers have prepared an updated release to address it, even though administrator access is required to exploit the vulnerability.
The updated release is available for download from our SourceForge repository; we recommend you apply it to your 1.0.x sites at your earliest opportunity.

The specific vulnerability is the rank_title field, which did not properly sanitize its input. You can confirm the issue on an unpatched 1.0.2 site by saving a user rank with the title <script>alert('XSS')</script>: the stored title is later written into the administration page unescaped, so the script runs in the browser of any administrator who views the ranks list. With this release, all fields are now properly sanitized and the vulnerability has been removed.

We believe security is very important and appreciate all reports of potential vulnerabilities. If you think you've found something and would like us to look into it, please report it to a member of our community.

ImpressCMS 1.0.x is only being maintained for security releases and is the last version that fully supports PHP4. All further development is being done in the 1.1 branch and requires PHP5. If you have not done so already, we recommend moving your site to PHP5.
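The class of bug described above, shown as an added example (this is not ImpressCMS code; the function names, the row markup and the 50-character length limit are assumptions): the stored title written straight into the HTML of the admin page next to a hardened version that encodes on output and rejects markup on input.

```php
<?php
// Added example, not ImpressCMS code. A stored text field such as
// rank_title that is echoed into admin HTML without encoding is a
// stored XSS; encoding on output (plus a plain-text check on input)
// removes it.

// Constructed sample input: the payload quoted in the announcement.
$submitted = "<script>alert('XSS')</script>";

// Vulnerable rendering (assumed shape of the bug): the raw stored value
// is concatenated into the page, so browser parses the tags as markup.
function render_rank_row_unsafe($title)
{
    return '<tr><td>' . $title . '</td></tr>';
}

// Hardened rendering: every stored string is HTML-encoded on output.
// ENT_QUOTES encodes both ' and " so the value is also safe inside
// attribute values; htmlspecialchars with these flags exists in PHP4+.
function render_rank_row_safe($title)
{
    return '<tr><td>' . htmlspecialchars($title, ENT_QUOTES, 'UTF-8') . '</td></tr>';
}

// Input-side check applied when the rank is saved: a rank title is plain
// text, so anything that changes when tags are stripped is rejected.
// The 50-character limit is a hypothetical value for this example.
function validate_rank_title($title)
{
    $title = trim($title);
    if ($title === '' || strlen($title) > 50) {
        return false;
    }
    return $title === strip_tags($title);
}

// The unsafe row still contains a live <script> element; the safe row
// contains only &lt;script&gt;... which the browser shows as text.
echo render_rank_row_unsafe($submitted), "\n";
echo render_rank_row_safe($submitted), "\n";

// The payload is refused on save; an ordinary title is accepted.
var_dump(validate_rank_title($submitted));
var_dump(validate_rank_title('Moderator'));
```

Encoding on output is the fix that holds even when a value reached the database by some other path; input validation is a second layer, not a replacement for it.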