mura
  • j

    jamiejackson

    03/30/2022, 5:46 PM
    Hi folks, has anybody else noticed a big decrease in responsiveness from Mura support lately?
    19 replies · 6 participants
  • m

    miguel-f

    03/31/2022, 3:20 PM
    Anyone having issues 'reloading' Mura today? Using CF 2018, Java 11.0.14 and today running into an issue with moment.cfc. This is Mura 10 (the paid version). More in thread...
    5 replies · 2 participants
  • g

    guustnieuwenhuis

    05/19/2022, 8:27 AM
    Last night (EU time) we’ve released a security fix for #masacms, the vulnerability also exists in Mura 6.1, 7.0 and 7.1. We don’t know what the status is for Mura X. If you are running Mura 6.1 or later, please have a look at the changes in Masa CMS 7.3.4 and apply these manually on your Mura instance. Or migrate to Masa CMS, let me know if you’ll need help with that.
  • s

    sknowlton

    05/27/2022, 4:27 PM
    (apologies for the crosspost but probably should've put this here) We have an install of Mura that is about 3 years old and which has been running in Docker that whole time. It was on Mura 7.3.1 and Lucee 5.3.6. I'd been putting off and putting off doing anything with it because it 'just worked' but it really needed to be running current versions both of Lucee and Mura or Masa. We rebuilt the docker images with our updated Lucee base images and then by cloning the Masa repo instead of the Mura repo and dropped it in our Docker swarm. It 'just worked' - all sites running, admin logins, everything. Smoothest update we've had for anything in a while! Thanks guys!
    👍 2
  • j

    jamiejackson

    09/09/2022, 4:51 PM
    has anybody integrated gatsby with mura to generate static pages from mura? i did find this by @ronnieduke, so i'm guessing they have made it happen.
    1 reply · 2 participants
  • s

    satauros

    10/10/2022, 9:50 AM
    Is there anybody available here to answer a question regarding an older version of Mura?
    4 replies · 2 participants
  • b

    Brian Reilly

    12/08/2022, 2:53 PM
    Mura CMS < 10.0.580 is vulnerable to a recently-discovered authentication bypass vulnerability (cf. a similar issue in Masa CMS -- https://cfml.slack.com/archives/C02EB3Y57SR/p1670358749665149) Posting this here for general awareness. Organizations running older Mura CMS versions will want to determine their best upgrade/patch strategies for this one.
    👍 1
  • j

    Jason Wilson

    02/02/2023, 4:14 PM
    Can I access Mura cfc handlers via ajax url? If so, what would that url be?
  • s

    satauros

    02/05/2023, 1:21 PM
    Can I leverage the JavaLoader present in Mura (6) for loading additional jars without restarting the server / application?
    1 reply · 2 participants
  • b

    Brian Reilly

    03/06/2023, 1:35 PM
    I released the full advisory on the Mura CMS / Masa CMS authentication bypass vulnerability (CVE-2022-47003 / CVE-2022-47002) today - https://hoyahaxa.blogspot.com/2023/03/authentication-bypass-mura-masa.html. In addition to technical details about the vulnerability, I also share some thoughts on quick fixes for sites running older, unsupported open source Mura CMS that can't immediately migrate to Masa CMS.
    👍🏻 1
    👍 1
    2 replies · 2 participants

jas

03/10/2023, 5:57 PM
Just catching up on this - thanks for the detailed analysis. I threw Cloudflare in front of a few Mura sites floating around in my life that don’t change often but it looks like it’s time to revisit Masa.

Brian Reilly

03/10/2023, 7:22 PM
You're welcome - glad it was helpful. If you're running Lucee, you should be able to use Cloudflare to block requests that have an empty "userhash" cookie. But for Adobe ColdFusion, the length of a malformed "userhash" cookie could vary. And I don't think the Cloudflare request transform rules would let you (easily) remove the "userhash" cookie altogether, since it's co-mingled with other cookie names/values in the Cookie: header. But if you're running older Mura instances and can test, the "quick" patch may be the quickest remediation.