playSMS version 1.4.3 contains bugfixes and security fixes. Lucas Rosevear of NCC Group reported the security vulnerability and suggested a way to fix it.
I consider the vulnerability as severe and I recommend everyone to upgrade playSMS installation as soon as possible.
playSMS version 1.4.3 is available for download here: https://sourceforge.net/projects/playsms/files/playsms/Version%201.4.3/playsms-1.4.3.tar.gz/download
SECURITY FIXES
- sanitize inputs from malicious string
- sanitize last posts from unwanted chars
- update playsms/tpl package
- increase generated password length
- increase generated password complexity
BUGFIXES
- fix #593 split() to preg_split() ref: https://github.com/antonraharja/playSMS/issues/593#issue-524852905
- fix #579 too many scheduled SMS stops queue from working, ref: Can not send SMS when more than 11 SMS in queue
- fix jasmin callback to handle DELIVRD
- fix twilio wrong datatype for field status, ref: When sending SMS using Twilio, credits do not change
- fix cannot change language, ref: [solved] Can't change language in user configuration
- fix sms poll graph PlaySMS Poll Graph Showing Missing Image by updating pChart lib to https://github.com/bozhinov/pChart2.0-for-PHP7
- fix incorrect sms length for unicodes, ref: [Solved] Incorrect sms count in unicode
- fix tblBilling not saved properly due to null on $rate
- remove gateway plugin telerivet, orange, bulksms, routesms, clickatell (move them to their own package at https://github.com/playsms/)
- remove prevent duplicate option ref: [solved] A bug in the "Send from file"
anton