Today we are announcing the latest in the stream of releases for CMSMS 1.x: version 1.12 - Pohnpei. This release can be called a 'security and stability' release: we primarily made changes related to security, but also attempted to resolve or improve a number of outstanding issues.
The biggest changes in this release are related to security. First, we now require and enforce that register_globals (a PHP setting that has long been considered insecure and is removed from newer versions of PHP, see: http://php.net/manual/en/security.globals.php) be completely disabled in your CMSMS install. Secondly, we have removed the {eval} statements from the factory default News summary and detail templates. This will prevent content submitted by unverified users from doing nasty things with Smarty. And thirdly (though not last), we made some changes in our Smarty config to improve security.
Along with the security fixes we have improved the homepage functionality in the CMSMS admin console, fixed some lingering minor issues, and generally improved the stability of your favourite content management system.
Because this is a security release, we encourage everybody to upgrade their CMSMS websites as soon as possible. As of now, per our support policy, the only two officially supported versions of CMSMS are 1.11.13 and 1.12.
For all users using the "fesubmit" action of the News module: we highly encourage you to remove the {eval} statements from your News summary and detail templates. For example, if the current template contains something like {eval var=$entry->content}, merely replace it with {$entry->content}.
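The template check described above can be scripted. The following Python sketch is an added example, not code from the CMSMS project: it rewrites the simple {eval var=$...} form and flags every other {eval} tag for manual review. It assumes the News templates have been copied out as plain text; the function name and the sample template are constructed for illustration.

```python
import re

# Any Smarty {eval ...} tag; group 1 is the attribute string.
EVAL_TAG = re.compile(r"\{eval\b([^}]*)\}")
# var= whose value is a bare template variable such as $entry->content.
VAR_ATTR = re.compile(r"\bvar\s*=\s*(\$[A-Za-z_][\w\->.\[\]]*)")

# Constructed sample template (not taken from a real CMSMS install).
SAMPLE = """<h2>{$entry->title}</h2>
<div class="summary">{eval var=$entry->summary}</div>
<div class="detail">{eval var=$entry->content assign='body'}</div>
"""


def audit_template(text):
    """Return (new_text, rewritten_tags, review_tags) for one template."""
    rewritten, review = [], []

    def fix(match):
        attrs = match.group(1)
        var = VAR_ATTR.search(attrs)
        # Rewrite only when var=$... is the sole attribute; tags with
        # assign= or a quoted value change meaning and need a human.
        if var and not (attrs[:var.start()] + attrs[var.end():]).strip():
            rewritten.append(match.group(0))
            return "{" + var.group(1) + "}"
        review.append(match.group(0))
        return match.group(0)

    return EVAL_TAG.sub(fix, text), rewritten, review


if __name__ == "__main__":
    new_text, rewritten, review = audit_template(SAMPLE)
    print(new_text)
    for tag in rewritten:
        print("rewritten:", tag)
    for tag in review:
        print("REVIEW:", tag)
```

Tags listed under REVIEW are left untouched in the output, so the rewritten template still renders the same way until someone has looked at them.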
From this point forward we will be de-emphasizing development on the 1.x series of CMSMS, and focussing on development of the soon-to-be-released CMSMS 2.0. CMSMS 1.x development will be restricted to fixing important security issues and absolutely critical stability issues. As we have previously stated, we will continue to support the 1.x series of CMSMS for one year (365 days) after the release of CMSMS 2.0.
Have fun, and enjoy your favourite web content management system.
The CMSMS Dev team.