=====================================================================
                                   CERT-Renater

                        Information Note No. 2010/VULN139
_____________________________________________________________________

DATE                      : 20/04/2010

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running e107 versions prior to 0.7.20.

======================================================================
http://e107.org/comment.php?comment.news.864
______________________________________________________________________

Security Update 0.7.20 released

Secunia Research contacted us a few days ago about two potential
security issues. We have been working to reproduce and fix the issues,
while they have held off making them public.

While I won't go into too much detail, I will say that one involves
being able to upload a malicious file. It requires an odd set of
preferences and a missing file to allow it to happen though, so
the threat is pretty low in our opinion.
The other was a js code injection. The user was able to inject some
js code that would run if an admin edited the user's post. This was
only open if the site had the 'personal content manager' option enabled
in the content plugin.

Both have now been fixed...thanks again to Secunia for pointing them out
to us.

Of course, the release also includes all other bug fixes that have been
committed since the last release.

Link to downloads here: http://e107.org/edownload.php

Changes found here in the changelog



======================================================================

          =========================================================
          CERT-Renater reference servers
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================


