Errors in theme | security issues


#1

Hi,

I tried Pulse for the first time today. I like the concept and the simplicity of it, but it doesn’t seem very mature. I tried a free template (PortSmith) and it’s not displaying images on the homepage and giving errors in the blog page. It looks like an older theme that hasn’t been updated to the latest version of Pulse, or it just contains bugs.

Trying to change some text doesn’t seem to work either. File permission issue on the server maybe?

Also, I tried the contact form and it didn’t seem to send any messages. Looking in the source code, I noticed that to use SMTP authentication, you need to edit a Pulse file (which will be overwritten with a new version, right?).
Also, the use of an outdated version of phpMailer is a huge security risk. I suggest updating this immediately.

I hope you will fix this soon, since everyone using Pulse at the moment is at risk: https://github.com/PHPMailer/PHPMailer/blob/master/SECURITY.md

For a free or hobby project, I understand all these issues. But for a paid product, it’s a little disappointing.


#2

Thanks @dvcm - it might help with Portsmith if you posted a link?

But it should all work fine:
https://www.pulsecms.com/store/themes/portsmith/

If you run /admin/install.php you can see if you have permission problems in setup.

SMTP can be easily switched on:
https://www.pulsecms.com/blog-59-smtp-support-in-pulse-contact-forms
With settings panel coming in v5.

The security risk posed by that is not huge and an update is going in the next update.

Since you’re new to the party I would have been more cautious before judgement. Plus since we’ve emailed already - but never mind! :sunglasses:


#3

Thanks for answering. Can’t post a link, since I’m trying it out.

It doesn’t work fine (and permissions are all correct):
Warning: mktime() expects parameter 4 to be long, string given in /inc/tags/blog.php on line 111

A settings panel for SMTP is indeed the way to go (or put it in the config file). The way it is now is just a simple hack that gets overwritten by a new version.

The security risk IS huge! I suggest you read up on the CVEs and check exploit-db.com. There are already exploits out in the wild and not upgrading is just plain dumb.
Your attitude towards security is exactly why I am not cautious before judgement. You are knowingly risking the compromise of other Pulse users, who might not be that security-aware.

I really hope Pulse 5 will be better (and working on 5 doesn’t mean you shouldn’t at least give security upgrades to 4). Not going to spend money before these trivial things are fixed.


#4

Thanks @dvcm

Appreciate your concerns but you’re a little hot under the collar. I suggest you take a step back and breathe.

We take security VERY seriously and are of course working on a patch to fix this. We’re not knowingly risking anyone’s site and that’s an unfair comment. There’s nothing to suggest we wouldn’t fix this. Why wouldn’t we?

A positive “hey this is broken? Did you see it? Please fix it!” --> would have been enough :wink:

One of the strengths of Pulse is its security. Coming from a WordPress world of fixing site after site from exploitation we want a CMS where we don’t have to do that anymore. Which is what Pulse is and it’s aligned with our core values.

Pulse 4 is already awesome. A solid CMS deployed on 1,000s of sites. We use it regularly for client work also. Pulse 5 will be a big step forward and build on what is already there and make it even better.

If you were paying attention, Pulse 4.6.2 came out in December (Pulse 4.6.2 is here today with deeper blog migration and more fixes) - so we are still working on it - so of course it will keep being loved. Pulse 4.7 is around the corner with this security fix and a few other updates.

I think you misjudge creating software. There’s nothing trivial about it and not paying for Pulse tells me all I need to know about you I’m afraid :sleepy:

I’m closing this thread as having this conversation with you is meaningless as we know what we have to do and want to make Pulse the best CMS available for freelancers and designers. Pulse 4 is on the way there and we’re getting closer every day - so let us get back to work.

You’re free to stick around and buy it or go back to another system. Choice is yours but as you’ve not invested anything in Pulse except a little poking, I’d suggest a different tone next time :heart:

Thanks :+1:


Lets fix PulseCMS
closed #5

#6

All fixed :slight_smile: here:
https://forum.pulsecms.com/t/pulse-4-7-is-here-and-the-best-version-of-pulse-yet/499/2