Pro v2.2 with security improvements and fixes is available

Posted on 14 March, 2015

Category: Pro-Version Releases
Attention: this is not the changelog for the latest stable version 4.28 (see related release notes)

Maps Marker Pro v2.2 focuses on security: it fixes one medium-severity security vulnerability and hardens the update process, amongst other improvements.

An update to the latest version is – as always – highly recommended. Please read below for more details.


Let me know what you think about this new release by submitting a review or leaving a comment below!

If you want to keep up to date with the latest Maps Marker development, please follow @MapsMarker on twitter (= most current updates), on Facebook or Google+, or subscribe to news via RSS or via RSS/email.

I would also like to invite you to join our affiliate program which offers commissions up to 50%. If you are interested in becoming a reseller, please visit https://www.mapsmarker.com/reseller


Now let's get to the highlights of pro v2.2:

Map Icons Collection now hosted on mapicons.mapsmarker.com

The Map Icons Collection is a set of more than 700 free icons to use as placemarks for your POI (Points of Interest) locations on your maps. The project was originally created by Nicolas Mollet and, thanks to many contributors, it has become a central resource for free map icons on the internet over the years.

(screenshot: Map Icons Collection website)

Maps Marker Pro has also been configured to work out of the box with those icons (you can even use the integrated upload feature to easily enhance the default icon set shipped with Maps Marker Pro).

Unfortunately, the Map Icons Collection has suffered from many server issues lately. In the end the former hosting provider decided to block the website, as they considered the usage to be against their hosting policy (more details here).

In order to help Nicolas and to deliver more reliable hosting for all users of the Map Icons Collection (including Maps Marker Pro users), I agreed with him to host the project website on https://mapicons.mapsmarker.com (thanks to my hosting provider twosteps.net for quickly helping out here!).

The project rules and usage conditions of the Map Icons Collection will not be changed by this change of host: Nicolas will continue to lead the project and the icons remain available under the Creative Commons BY-SA 3.0 license.

mobile version of mapsmarker.com launched

As Google will begin ranking mobile-friendly sites higher starting April 21, we prepared a new mobile-friendly version of www.mapsmarker.com. If you access our site with a mobile device, you should now be redirected to it automatically.

(screenshot: mobile version of mapsmarker.com)

In order not to run into any issues with the payment process, some pages, such as pricing, the store and the customer area, are initially excluded from the mobile version of the framework.

If you run into any issues on your mobile device, please let us know!

support for plugin updates via encrypted and authenticated https connection

With Maps Marker Pro v1.6 I already tried to introduce plugin updates via https. Unfortunately I was not aware of the issues I would run into, as there are a significant number of servers out there which do not support https properly, with the result that updates could not be loaded at all. This was why I switched back to http for updates, until now 🙂

Starting with the next release, Maps Marker Pro plugin updates will be fetched from mapsmarker.com over encrypted https connections. Provided the client validates the server certificate, this protects the integrity of the package in transit and authenticates the sender, making the overall update process more secure and trustworthy. Note that these guarantees only hold for the https path: a package delivered over the plain http fallback described below has neither, which is where the SHA-256 hash published with each release comes in.

For customers with outdated https configs on their servers I added a fallback to deliver update packages via http. If you see that the next update after v2.2 is loaded via http only, I would advise talking to your hoster and asking them to verify or update your server's security configuration.

show warning message in dynamic changelog if server uses outdated and potentially insecure PHP version (<5.4)

Many servers hosting WordPress still run old PHP versions. This is not directly an issue for Maps Marker Pro, whose minimum requirement is PHP 5.2, but since support for PHP 5.3 was discontinued recently, running a version below 5.4 is potentially insecure for your whole site, and an update to 5.4 (or, better, higher) is highly recommended.

To address this issue, Coen Jacobs started a new project, wpupdatephp.com, with the aim of making end users aware of it.

To support this project, Maps Marker Pro now displays a warning message in the dynamic changelog section if you are using a PHP version below 5.4, with details on how to upgrade or, if you do not manage the server yourself, what to tell your hoster.

(screenshot: outdated PHP warning in the dynamic changelog)

fix for admin-authenticated SQL injection vulnerability

A vulnerability allowing authenticated SQL injection was recently discovered in the codebase of a widely used SEO plugin. We used that information to check our own code for vulnerabilities of the same type. As a result we found and fixed a medium-severity vulnerability that only allowed admin-authenticated SQL injection (in contrast to the SEO plugin, where the author, editor and admin roles were all affected).

The one-sentence explanation for the less technical user: a logged-in admin user could save a specially crafted value in the recent marker widget that could change the database. This vulnerability does not allow mass hacking of installs, as it requires access to an admin account.

Although an attacker who already controls a compromised admin account will most likely use more direct and easier ways to change the database or even files (something the vulnerability fixed here did not allow), it was considered a serious issue and work on a fix started immediately after it was discovered.

Why didn't we catch it? Unfortunately, this issue was not caught in any of our external security audits, and our regular internal reviews did not catch it either. The values were escaped using esc_sql, which one would expect to prevent SQL injection. It did not in this particular case: esc_sql only escapes quote characters, so it protects a value embedded in a quoted string literal but not a value placed anywhere else in a query, and the SQL query for the recent marker widget needed stricter sanitization (validating the type of the value, or a prepared statement via $wpdb->prepare). Not an excuse, but a good lesson for other developers too, and for the future.
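The following is an added illustration, not code from Maps Marker Pro or from the fixed widget. It shows the general class of bug described above: a value is escaped with an esc_sql-style function and then placed in a part of the query that is not a quoted string (here a LIMIT clause), so the escaping has nothing to escape and the value is evaluated as SQL. The table names, the "number of markers" setting and the payload are hypothetical; PDO with an in-memory SQLite database stands in for WordPress's $wpdb and MySQL, and addslashes() stands in for esc_sql().

```php
<?php
// Added illustration, not Maps Marker Pro code: why escaping alone does not stop
// SQL injection when a value lands outside a quoted string, e.g. in LIMIT.
// Table names, the widget setting and the payload are made up for this demo.

// Stand-in for WordPress esc_sql(). Like the real function it escapes quote and
// backslash characters and nothing else, so a payload without quotes passes
// through unchanged.
function demo_esc_sql($value) {
    return addslashes((string) $value);
}

// Constructed demo schema: a markers table and an unrelated users table.
function demo_db() {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE demo_markers (id INTEGER PRIMARY KEY, name TEXT)');
    $db->exec('CREATE TABLE demo_users (id INTEGER PRIMARY KEY, login TEXT)');
    foreach (range('A', 'H') as $name) {
        $db->exec("INSERT INTO demo_markers (name) VALUES ('$name')");
    }
    foreach (['admin', 'editor', 'author'] as $login) {
        $db->exec("INSERT INTO demo_users (login) VALUES ('$login')");
    }
    return $db;
}

// VULNERABLE: the (hypothetical) "number of markers" setting is escaped and
// then interpolated into LIMIT, which is not a string context. The escaping
// is a no-op here and whatever was stored in the setting becomes SQL.
function recent_markers_vulnerable(PDO $db, $count) {
    $sql = 'SELECT name FROM demo_markers ORDER BY id DESC LIMIT ' . demo_esc_sql($count);
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// HARDENED: validate the setting as a bounded integer, then bind it as a
// typed parameter. In a WordPress plugin the equivalent is absint() together
// with $wpdb->prepare('... LIMIT %d', $n).
function recent_markers_hardened(PDO $db, $count) {
    $n = filter_var($count, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 100]]);
    if ($n === false) {
        $n = 5; // safe default instead of trusting the stored setting
    }
    $stmt = $db->prepare('SELECT name FROM demo_markers ORDER BY id DESC LIMIT :n');
    $stmt->bindValue(':n', $n, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = demo_db();

// The payload contains no quotes, so esc_sql-style escaping leaves it intact.
// In the vulnerable query it makes the row count depend on an unrelated table,
// i.e. the setting now reads data the widget was never meant to touch.
$payload = '(SELECT count(*) FROM demo_users)';

echo 'after escaping:  ', demo_esc_sql($payload), "\n";
echo 'vulnerable: ', count(recent_markers_vulnerable($db, $payload)),
     " rows (driven by demo_users, not by the marker setting)\n";
echo 'hardened:   ', count(recent_markers_hardened($db, $payload)),
     " rows (payload rejected, bounded default used)\n";
```

The lesson is independent of the database: escaping is a defence for one specific context (inside a quoted string literal); for numbers, identifiers, ORDER BY directions and LIMIT values the input has to be validated against its expected type or a whitelist, and then passed through a prepared statement.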

Other changes and optimizations

  • improved sanitising of GeoJSON, GeoRSS, KML, Wikitude API input parameters

Bugfixes

  • PHP undefined index warnings when adding new recent marker widget

Translations updates

Thanks to many motivated contributors, this release includes updates to the following translations:

  • Czech, thanks to Viktor Kleiner and Vlad Kuzba, http://kuzbici.eu
  • German

If you want to contribute to translations (new Hindi translators would be appreciated!), please visit https://translate.mapsmarker.com/projects/lmm for more information.

Please note that translators are also compensated for their contribution: for example, if a translation is less than 50% complete, the translator who completes it to 100% receives a free 25-licenses pack worth €149 as compensation.

Outlook – plans for the next releases

Please understand that I am not able to promise any release dates for new features. The roadmap for major new features gives you an idea of where Maps Marker Pro is heading, but I want to keep the flexibility to add optimizations and bugfixes in rather unplanned minor releases resulting mostly from user feedback.

Please subscribe to this blog (via RSS or Email) or follow @MapsMarker on twitter (= most current updates) if you want to stay up to date with the latest development news.

Full changelog

  • Map Icons Collection now hosted on mapicons.mapsmarker.com
  • mobile version of mapsmarker.com launched
  • support for plugin updates via encrypted and authenticated https connection (with fallback to http if the server uses outdated libraries)
  • show warning message in dynamic changelog if server uses outdated and potentially insecure PHP version (<5.4), supporting wpupdatephp.com
  • improved sanitising of GeoJSON, GeoRSS, KML, Wikitude API input parameters
  • fixed admin-authenticated SQL injection vulnerability
  • fixed PHP undefined index warnings when adding a new recent marker widget
  • translation updates (in case you want to help with translations, please visit the web-based translation platform):
    • updated Czech translation thanks to Viktor Kleiner and Vlad Kuzba, http://kuzbici.eu
    • updated German translation


How to download / update

The easiest way to update is to use the WordPress update process: log in with a user who has admin privileges, navigate to Dashboard / Updates, select the plugins to update and press the button “Update Plugins”. The pro plugin checks every 12 hours whether a new version is available. You can also trigger the update check manually by going to Plugins and clicking on the link “Manually check for updates” next to “Maps Marker Pro”.

(screenshot: manual update check link on the Plugins page)

If you do not see the link “Manually check for updates” and are using a version below 1.7, please update manually once by downloading the current package from https://www.mapsmarker.com/download-pro and overwriting the existing plugin files on your server via FTP. This might be needed on several hosts that use outdated SSL libraries, which prevent Maps Marker Pro from making a secure connection to retrieve the update package from mapsmarker.com. Pro v1.7 includes a workaround for those kinds of servers, and the following updates should work again as usual. If you are affected and need help, please open a support ticket.

How to verify the integrity of the plugin package

SHA-256 hash value:

FC67620FEC5C021035CF72C662A6B2202790B14167483331AC7BDE2B6A300A7F

A tutorial on how to verify the integrity of the plugin package is available here. Verification is recommended if the plugin package for a new installation was not downloaded from https://www.mapsmarker.com. It is not needed when the automatic update is delivered over https, but it is worth doing if your server had to fall back to the http delivery described above, since a package fetched over plain http carries no integrity or authenticity guarantee of its own.
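As an added example covering both the https-with-http-fallback update delivery described earlier and the SHA-256 check from this section (this is illustration code, not Maps Marker Pro's updater or WordPress's), the block below shows the policy a practitioner would want: fetch over https with certificate validation switched on, treat the http fallback as untrusted transport, and accept a fallback download only if its SHA-256 hash matches the value published on the release page. The URLs, the package bytes and the injected fetch callback are constructed placeholders so the block runs offline; in production the callback would be file_get_contents() with the https context shown, or wp_remote_get().

```php
<?php
// Added example (not Maps Marker Pro code): fetching an update package over a
// verified https connection, with the http fallback the post describes treated
// as untrusted transport that must be backed by an out-of-band SHA-256 check.
// URLs, package contents and the fetch callback below are placeholders.

// Constant-time comparison of the package hash against the published value.
// hash_equals() needs PHP 5.6+; on older PHP a timing-safe compare must be
// written by hand rather than using ==.
function verify_sha256($package_bytes, $expected_hex) {
    $actual = hash('sha256', $package_bytes);
    return hash_equals(strtolower($expected_hex), $actual);
}

// Stream context that actually validates the server certificate. PHP before
// 5.6 defaulted verify_peer to false, so set it explicitly; without it "https"
// gives encryption but no authentication of mapsmarker.com.
function https_context() {
    return stream_context_create([
        'ssl' => [
            'verify_peer'       => true,
            'verify_peer_name'  => true,
            'allow_self_signed' => false,
        ],
    ]);
}

// $fetch is injected so the policy can be exercised offline. It must return the
// package bytes or false on failure (the file_get_contents() convention); in
// production: function ($url) { return file_get_contents($url, false, https_context()); }
function fetch_update($https_url, $http_url, $expected_sha256, callable $fetch) {
    $pkg = $fetch($https_url);
    if ($pkg !== false) {
        // Transport is authenticated and integrity-protected; the hash check is
        // a cheap second line of defence, so do it anyway.
        if (!verify_sha256($pkg, $expected_sha256)) {
            return ['ok' => false, 'via' => 'https', 'reason' => 'hash mismatch'];
        }
        return ['ok' => true, 'via' => 'https', 'package' => $pkg];
    }
    // Fallback: plain http provides neither integrity nor authenticity. Accept
    // the bytes only if they match the hash published on the (https) release page.
    $pkg = $fetch($http_url);
    if ($pkg === false) {
        return ['ok' => false, 'via' => 'http', 'reason' => 'download failed'];
    }
    if (!verify_sha256($pkg, $expected_sha256)) {
        return ['ok' => false, 'via' => 'http', 'reason' => 'hash mismatch, package rejected'];
    }
    return ['ok' => true, 'via' => 'http', 'package' => $pkg];
}

// --- Offline demonstration with constructed data ------------------------------
$https_url = 'https://example.invalid/maps-marker-pro.zip'; // placeholder
$http_url  = 'http://example.invalid/maps-marker-pro.zip';  // placeholder
$good_pkg  = "PK\x03\x04 constructed fake zip contents";   // not a real package
$expected  = hash('sha256', $good_pkg);                     // "published" hash

// 1. https works: the normal path.
$r = fetch_update($https_url, $http_url, $expected,
    function ($url) use ($good_pkg) { return $good_pkg; });
echo 'https:              ok=', var_export($r['ok'], true), ' via ', $r['via'], "\n";

// 2. https unavailable (outdated server libraries); http serves the genuine package.
$r = fetch_update($https_url, $http_url, $expected,
    function ($url) use ($good_pkg) { return strpos($url, 'https://') === 0 ? false : $good_pkg; });
echo 'http fallback:      ok=', var_export($r['ok'], true), ' via ', $r['via'], "\n";

// 3. https unavailable and something on the path altered the http download.
$r = fetch_update($https_url, $http_url, $expected,
    function ($url) { return strpos($url, 'https://') === 0 ? false : "PK\x03\x04 tampered"; });
echo 'tampered fallback:  ok=', var_export($r['ok'], true), ' (', $r['reason'], ")\n";
```

The design point is that the fallback never widens what is trusted: the http path is only allowed to deliver bytes whose hash was obtained separately over https, so a network attacker on the http path can cause a failed update but not install a modified package.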

Additional update notes for beta tester

No additional action on plugin update required.