Updating Textpattern
The site was initially built entirely in hand-coded HTML (to get it looking right without distracting myself by hacking around in a CMS template styling system); then it was time to choose a CMS to allow a certain amount of user updating to be done on the site.
I first experienced the Textpattern CMS through my participation in the Joyent Mixed Grill “Venture Capitalist” lifetime subscription.
That means installs are vulnerable to this kind of attack by default.
Installation is pretty simple and quite lightweight; it doesn’t require much in the way of configuration if you have a bog-standard *AMP setup. Just create or associate the database you wish to use (a ‘_txp’ style suffix lets you tack it onto your existing DB) and create the .htaccess requested; it’s all explained on the linked instruction page.

After quite a while and lots of work from many, many people, it’s finally here. Because half of those can be used from the public side, updating is strongly recommended.

Textpattern does not use stored procedures or prepared statements, because of the age of its codebase; instead it builds queries by string concatenation combined with manual escaping. There were several places in the code where the username of the currently logged-in user was not properly escaped. There were also several locations where state-changing actions were taken in response to requests that should be idempotent, which allows unintended submissions that alter the application.
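The two bug classes described above, as an added example that is not Textpattern’s code: a query built by string concatenation where one call site forgets the manual escaping, next to the same lookup as a prepared statement; and a delete action that is accepted only on a POST carrying a per-session anti-CSRF token, so an idempotent GET (a link or an image tag on a hostile page) can never change state. The table, its rows, the requests and the `_txp_token` field name are all constructed for this example, and sqlite3 stands in for MySQL so it runs offline.

```python
"""Added example; not Textpattern's code. Contrasts concatenation plus manual
escaping with a prepared statement, and a state change on an idempotent
request with a POST-plus-token check. Data and names below are constructed."""
import hmac
import secrets
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a users table with one name containing a quote."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE txp_users (name TEXT, privs INTEGER)")
    con.executemany(
        "INSERT INTO txp_users VALUES (?, ?)",
        [("admin", 1), ("editor", 2), ("writer", 3), ("o'brien", 3)],
    )
    return con


def escape(value: str) -> str:
    """Manual escaping: double the single quotes. This is dialect-specific
    (MySQL also treats backslash as an escape character, SQLite does not),
    which is one reason the approach is fragile."""
    return value.replace("'", "''")


def privs_concat_unescaped(con, username: str) -> list:
    """The bug pattern: this call site forgot escape(), so the value edits the query."""
    sql = "SELECT name, privs FROM txp_users WHERE name = '" + username + "'"
    return con.execute(sql).fetchall()


def privs_concat_escaped(con, username: str) -> list:
    """Concatenation done 'right': safe only while every site remembers escape()."""
    sql = "SELECT name, privs FROM txp_users WHERE name = '" + escape(username) + "'"
    return con.execute(sql).fetchall()


def privs_prepared(con, username: str) -> list:
    """Prepared statement: the value is bound after parsing and cannot alter SQL structure."""
    return con.execute(
        "SELECT name, privs FROM txp_users WHERE name = ?", (username,)
    ).fetchall()


def sql_demo() -> dict:
    """Run the three variants against a hostile username and a legitimate quoted one."""
    con = make_db()
    hostile = "nobody' OR '1'='1"
    out = {
        "unescaped_hostile_rows": len(privs_concat_unescaped(con, hostile)),
        "escaped_hostile_rows": len(privs_concat_escaped(con, hostile)),
        "prepared_hostile_rows": len(privs_prepared(con, hostile)),
        "prepared_quoted_rows": len(privs_prepared(con, "o'brien")),
    }
    try:  # a legitimate name with a quote breaks the unescaped query outright
        privs_concat_unescaped(con, "o'brien")
        out["unescaped_quoted_error"] = False
    except sqlite3.OperationalError:
        out["unescaped_quoted_error"] = True
    return out


# --- state-changing actions must not ride on idempotent requests ---

def new_session() -> dict:
    """Per-session anti-CSRF token; the '_txp_token' field name is an assumption."""
    return {"csrf_token": secrets.token_hex(16)}


def handle_delete(request: dict, session: dict, articles: set) -> int:
    """Delete only on POST with a matching token; returns an HTTP-style status."""
    if request["method"] != "POST":
        return 405  # GET/HEAD stay idempotent: a link or <img> cannot delete anything
    token = request.get("form", {}).get("_txp_token", "")
    if not hmac.compare_digest(token, session["csrf_token"]):
        return 403  # a cross-site form post does not carry the victim's token
    articles.discard(request["form"]["id"])
    return 200


def csrf_demo() -> dict:
    """A link-triggered GET, a forged POST and a genuine POST against one session."""
    session = new_session()
    articles = {"a1", "a2"}
    by_link = handle_delete({"method": "GET", "query": {"id": "a1"}}, session, articles)
    forged = handle_delete({"method": "POST", "form": {"id": "a1", "_txp_token": "x"}},
                           session, articles)
    genuine = handle_delete({"method": "POST",
                             "form": {"id": "a1", "_txp_token": session["csrf_token"]}},
                            session, articles)
    return {"by_link": by_link, "forged": forged, "genuine": genuine,
            "remaining": sorted(articles)}
```

The hostile username returns every row through the unescaped path, nothing through the escaped or prepared paths, and a legitimate name such as o'brien breaks the unescaped query outright; the prepared statement handles both correctly without any per-site discipline. In the second half, only the POST that carries the session’s own token reaches the delete, which is the property a state-changing action needs and an idempotent request cannot provide.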