Vulnerabilities in ResourceSpace 9.5 and 9.6 < 18229 - UPGRADE NOW

Dan Huby

Nov 10, 2021, 6:01:33 AM
to ResourceSpace
Hi all,

Please see:

It's critical you upgrade your ResourceSpace system now if you haven't already. The latest version, 9.7, contains all current patches so it's best to upgrade to that, and regularly "svn update".

We're often approached by people running old versions of ResourceSpace which is alarming. We have found vulnerabilities prior to 9.5 also but have always patched them quickly - so it's essential as with any software that you keep it up to date.

For version 10 due out early next year we're moving all database queries to prepared statements which will prevent a recurrence of the type of issue found above.

Dan

Wilson

Nov 16, 2021, 9:43:44 PM
to ResourceSpace
Hi,
How to upgrade 6.1 to 9.7? Thanks!

Dan Huby

Nov 17, 2021, 3:34:35 AM
to resour...@googlegroups.com, Wilson
Please see:

https://www.resourcespace.com/knowledge-base/systemadmin/upgrading

Wilson

Nov 17, 2021, 6:48:00 AM
to ResourceSpace
It doesn't work.

It shows: svn: E155007: "/www/html" is not work copy

Dan Huby

Nov 17, 2021, 6:57:10 AM
to resour...@googlegroups.com, Wilson
If you didn't originally use Subversion, you need to follow the second
section on that page "Converting a downloaded installation to a
Subversion working copy".

If you're doing that directly on your production system I'd strongly
advise against that - do it on a test system first in case there's an issue.

Wilson

Nov 17, 2021, 8:04:55 AM
to ResourceSpace
My old version 6.1 doesn't have svn. Do you mean convert my old version to svn? I tried and updated with the command 'svn update {path}'.

It shows: upgrading '.': version 18683.

But the web browser still displays the old version.

I am doing this on another new server.

Thanks!

Mike Perry

Nov 17, 2021, 8:16:03 AM
to ResourceSpace
You need to first convert your 6.1 version to a working svn version following the directions in the section "Converting a downloaded installation to a Subversion working copy" Dan provided. Update and Convert are two different svn procedures...

Wilson

Nov 17, 2021, 8:37:51 AM
to ResourceSpace
I did, by 'svn co --force https://svn.resourcespace.com/svn/rs/releases/9.7 {path}' and 'svn update {path}'.

But most files are still old including login.php and index.php. It only downloaded some new folders.

Thanks!

Mike Perry

Nov 17, 2021, 10:02:58 AM
to ResourceSpace
What are the names of the new folders?

Did you back up the old 6.1 Installation (files and db)? You may want to restore that installation, copy it to a backup installation (with a separate db instance), make the  and attempt the svn upgrade of that one as a trial.

You should tread carefully in endeavors such as this!! 😀

Wilson

Nov 17, 2021, 8:12:46 PM
to ResourceSpace
The old version is running on my production server. I am doing these on another new server. I copied all files and db to the new server.

I guess the folders should be overwritten. The folders are pages, plugins, templates, tests, upgrade, lib, languages, include, gfx, documentation, dbstruct, css, batch, api.

But the login.php and index.php are still old.

Wilson

Nov 17, 2021, 9:17:20 PM
to ResourceSpace
resourcespace/include/db.php line 353: The each() function is deprecated. This message will be suppressed on further calls

Mike Perry

Nov 18, 2021, 4:29:03 AM
to ResourceSpace
"I am doing these on another new server. I copied all files and db to the new server."

Was the copy of the original installation working okay prior to the svn upgrade?

SVN will keep certain legacy installation files during an update -- I'm not sure if login.php and index.php are included in that process for an upgrade.

Just a thought -- what happens if you do a clean svn install (if it's still available and will install cleanly on your current PHP version) of 6.1, make sure it's operational (set all config.php settings appropriately) and then do the svn update? A cumbersome process, but might be less challenging than doing an svn upgrade from 6.1. . .

Dan Huby

Nov 18, 2021, 4:43:58 AM
to resour...@googlegroups.com, Mike Perry
Just to get a "clean" install, I'd do the following

- Get a fresh 9.7 system running on your new server using Subversion
to check that out.

- Copy across the database, config.php and entire contents of
/filestore but none of the other files.

That should be all. Config.php must completely replace (not be appended
to) the one on the new system otherwise you'll get issues with things
like filestore_evenspread where the new install config has set some
different defaults on the new system.

This is how we migrate customers using old versions (or any versions,
really) to our hosted servers.

A blatant promotion but if you do get stuck we'd be happy to host it for
you - see pricing below, or alternatively if you want to keep it where
it is we can upgrade it for you (choose "On Premise" at the top).
https://www.resourcespace.com/pricing

Dan

Mike Perry

Nov 18, 2021, 5:24:13 AM
to ResourceSpace
Hey Dan -- quick question.

When migrating to a new fresh installation does config.php undergo any significant changes, or is it okay to just copy over the entire existing version to the new installation? Obviously easier than replacing individual statements!!

Thanks,

Mike

Wilson

Nov 18, 2021, 6:42:25 AM
to ResourceSpace
All right. I will try to fresh install the 9.7 and copy the database, config.php and filestore folder to the new server. Thank you very much!

Wilson

Nov 18, 2021, 6:44:51 AM
to ResourceSpace
Yes, I just converted the old version to svn. The 6.1 doesn't have an svn version. Thanks a lot for your help!

Wilson

Nov 19, 2021, 12:04:24 AM
to ResourceSpace
After restoring the db, config.php and filestore folder, the web browser shows 'Sorry, an error has occurred. Please go back and try something else.'

reidb...@gmail.com

Nov 19, 2021, 12:47:18 AM
to ResourceSpace

Set the config options (both true) below to output a verbose error that may be helpful:
$show_error_messages=true;
$show_detailed_errors=true;

Wilson

Nov 19, 2021, 2:08:19 AM
to ResourceSpace
{resourcespace/include/general_functions.php line 1860: mkdir(): Permission denied}

Dan Huby

Nov 19, 2021, 2:53:39 AM
to jwangc...@gmail.com, ResourceSpace
Reset permissions on all files in /filestore. They may be incorrect after the copy.
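
The clean-install steps given earlier in the thread (Subversion checkout of 9.7, then database, config.php and /filestore only) and the permission reset above can be verified with a short script. This is an added example, not part of the thread or of ResourceSpace's own tooling; `check_migration`, its arguments, and the `include/config.php` and `filestore/` layout are assumptions.

```shell
#!/bin/sh
# Added example, not ResourceSpace tooling. Assumed layout: include/config.php
# and filestore/ directly under the install root.

# check_migration OLD_ROOT NEW_ROOT [WEB_UID]
# Prints one line per problem and returns the number of problems found.
# WEB_UID is the account PHP runs as (defaults to the current user's uid).
check_migration() {
    old=$1
    new=$2
    web_uid=${3:-$(id -u)}
    problems=0

    # The new tree must be a Subversion checkout, or a later "svn update"
    # fails with E155007 as seen earlier in the thread.
    if [ ! -d "$new/.svn" ]; then
        echo "FAIL: $new is not a Subversion working copy"
        problems=$((problems + 1))
    fi

    # config.php must be the old file copied whole, not appended to or merged.
    if ! cmp -s "$old/include/config.php" "$new/include/config.php"; then
        echo "FAIL: include/config.php is not identical to the old one"
        problems=$((problems + 1))
    fi

    # After the copy, every filestore entry should belong to the web account
    # and keep its owner-write bit, otherwise mkdir() fails as reported.
    if [ ! -d "$new/filestore" ]; then
        echo "FAIL: $new/filestore is missing"
        problems=$((problems + 1))
    else
        bad=$(find "$new/filestore" \( ! -user "$web_uid" -o ! -perm -200 \) \
              -print | wc -l | tr -d ' ')
        if [ "$bad" -gt 0 ]; then
            echo "FAIL: $bad filestore entries not writable by uid $web_uid"
            problems=$((problems + 1))
        fi
    fi
    return "$problems"
}

# Run the checks when called as: sh check.sh OLD_ROOT NEW_ROOT [WEB_UID]
if [ "$#" -ge 2 ]; then
    check_migration "$@"
fi
```

Pass the numeric uid of the web server account as the third argument when running the script as a different user.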

Wilson

Nov 19, 2021, 3:32:12 AM
to ResourceSpace
It upgraded successfully. But after I log in, it still shows the error below.
/resourcespace/pages/home.php line 212: Undefined offset: 0

Wilson

Nov 19, 2021, 3:40:49 AM
to ResourceSpace
All media files can show the image but cannot find the real file. "No compatible source was found for this media."

Athar Jatoi

Nov 20, 2021, 8:53:15 PM
to ResourceSpace
I have tried posting a new conversation, but apparently, it's not getting approved, so it's not showing up.

I did a fresh installation of 9.7 and when I upload the image I get the error below. How do I fix the error?

Failed to upload IMG_6616.jpg 

 tus: unexpected response while uploading chunk, originated from request (method: POST, url: https://YYY.YYYYYY.com/pages/upload_batch.php/files/d8d6dfe5-564c-45c3-a07d-7e3f3050d003, response code: 403, response text: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>
<p>Additionally, a 403 Forbidden
error was encountered while trying to use an ErrorDocument to handle the request.</p>
</body></html>
, request id: n/a)

Wilson

Nov 22, 2021, 12:05:11 AM
to ResourceSpace
Now, 'No compatible source was found for this media.' is resolved. But the media file cannot be downloaded.

It still shows: resourcespace/pages/home.php line 212: Undefined offset: 0

Wilson

Dec 9, 2021, 3:28:58 AM
to ResourceSpace
Why can't I see the embed button?