Best way to keep PyroCMS 2 sites secure?
Created 5 years ago by jonnyporter

We look after a number of websites that are still running PyroCMS v2. We think there are some security vulnerabilities with them. Some are 2.2.5, which I believe is the latest on the 2 branch, and one or two others are slightly older. I am led to believe that the CodeIgniter that was included with Pyro 2 had known vulnerabilities. So I'm just looking to get them secure, preferably without loads of work. What would be the best course of action? Patch them up to date as far as possible on the 2 branch and try to fix the CodeIgniter problems, maybe doing this ourselves if there is no patch? Or port them onto PyroCMS 3 - if so, what is the process for this, is there any guidance documentation, or is it basically a full replatforming job?

Any advice or links to further help gratefully received. Jonathan

ikoniqoz  —  5 years ago

Hi Jonathan, I have given some thought to upgrading Pyro 2.2.5 sites to CI 3.0.6 from BCIT. As far as I can tell there is not much work involved in doing this. The main thing is the Controllers etc. that need to be changed, and there are only a couple I have found by going over them in the /cms directory. However, there are a bunch that need to be edited in the Installer. PyroCMS 2.2.5 is still a worthy CMS for brochure-ware type sites. If your sites have custom modules they would need checking as well. There are some of us here that still do 2.2.5 because it is quick and easy and pretty well bulletproof. Check out https://codeigniter.com/user_guide/installation/downloads.html for the downloads. Also check the upgrade notes here: https://codeigniter.com/user_guide/installation/upgrading.html

jonnyporter  —  5 years ago

Thanks for your input @ikoniqoz. What was the reason for upgrading only to CodeIgniter 3.0.6 - was that when the known vulnerabilities were resolved? Is there a reason why we can't upgrade further, even to the latest version of CodeIgniter from BCIT? Obviously the code would have to be checked for further changes necessary. Thanks again, Jonathan

ikoniqoz  —  5 years ago

PyroCMS 2.2.5 includes an early pre-beta version of CI 3.0 from before it was acquired by BCIT. What are the "known vulnerabilities" you referred to? I feel that there is still good value in PyroCMS 2.2.5 for my client base and the types of projects I typically work on, as I am strictly a front-end guy. Nevertheless, I am still working through the upgrade from the beta CI 3.0 to CI 3.0.6. It will take a while, but I feel that it is a worthwhile endeavour.
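As an added inventory check (not from this thread and not PyroCMS or CodeIgniter project code), the script below reads the bundled CodeIgniter version from each site's system/core/CodeIgniter.php and flags sites still below the 3.0.6 target discussed above. It assumes the stock CI layout and the CI_VERSION constant; pre-release strings such as 3.0-dev are treated as older than the numbered 3.0.x releases.

```shell
#!/bin/sh
# Added example: audit the CodeIgniter release bundled in PyroCMS 2 site roots.
# Assumes each site root contains system/core/CodeIgniter.php defining CI_VERSION.

# Print the CI_VERSION string found in a site root, or "unknown" if not found.
ci_version() {
  f="$1/system/core/CodeIgniter.php"
  v=""
  [ -f "$f" ] && v=$(sed -n "s/.*define('CI_VERSION', *'\([^']*\)').*/\1/p" "$f" | head -n 1)
  [ -n "$v" ] && echo "$v" || echo "unknown"
}

# Map a version to a comparable integer: 3.0.6 -> 3000006, 3.0-dev -> 3000000.
# Non-numeric tails are dropped, so pre-release builds rank below the first point release.
vnum() {
  printf '%s\n' "$1" | awk -F. '{ for (i = 1; i <= 3; i++) sub(/[^0-9].*/, "", $i);
                                   print ($1+0)*1000000 + ($2+0)*1000 + ($3+0) }'
}

# Succeed when version $1 is at least version $2.
version_ge() { [ "$(vnum "$1")" -ge "$(vnum "$2")" ]; }

# One line per site root: path, detected version, OK or UPGRADE.
audit_sites() {
  target="$1"; shift
  for root in "$@"; do
    v=$(ci_version "$root")
    if [ "$v" != "unknown" ] && version_ge "$v" "$target"; then
      echo "$root $v OK"
    else
      echo "$root $v UPGRADE"
    fi
  done
}

# Demo on constructed site trees (replace with the webroots you maintain).
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/siteA/system/core" "$tmp/siteB/system/core" "$tmp/siteC"
  printf "<?php\ndefine('CI_VERSION', '3.0-dev');\n" > "$tmp/siteA/system/core/CodeIgniter.php"
  printf "<?php\ndefine('CI_VERSION', '3.0.6');\n" > "$tmp/siteB/system/core/CodeIgniter.php"
  audit_sites 3.0.6 "$tmp/siteA" "$tmp/siteB" "$tmp/siteC"
  rm -rf "$tmp"
}
```

Run `demo` to see the three cases (pre-beta build, target release, no CI tree found); for real sites call `audit_sites 3.0.6 /var/www/site1 /var/www/site2 ...`.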