Funnelback patch 15.14.0.20

  • Released: 2018-11-05

  • Applies to: v15.14.0

  • Internal reference: FUN-12114, FUN-12116

Description

Fixes security issues where:

  • The default form-not-found template reflected the given form id without proper escaping.

  • The default configuration of URL previewing could be used to expose local log file content.

Please ensure any custom form-not-found.ftl templates in collections are updated to perform correct escaping if they were derived from the previously vulnerable form-not-found.default.ftl.

Please ensure that any customised value for the global default_url_renderer.permitted_url_pattern setting in global.cfg prevents access to file:// URLs.

Affected files

  • web/templates/modernui/form-not-found.default.ftl

  • conf/global.cfg.default

Deployment

  • (Windows) Stop currently running crawls.

  • Stop the Jetty web server and the Funnelback daemon.

  • Deploy the provided files on top of an existing install, backing up all replaced files.

  • Start the Jetty web server and the Funnelback daemon.

  • (15.14.0.14) The conf/<collection>/custom_gather.groovy of each Facebook collection that are failing to update due to Facebook API changes should be updated to have the content provided in share/custom_collection_templates/custom_gather.groovy.facebook. The customer will need to provide a never-expiring page access token to replace the app access token. Instructions on getting a never-expiring page access token can be found in the Funnelback Community Knowledgebase.

  • (Windows) Start crawls as needed