=====================================================================
                            CERT-Renater

                 Information Note No. 2013/VULN282
_____________________________________________________________________

DATE                : 02/07/2013

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running AjaXplorer Core versions prior
                     to 5.0.1.

======================================================================
http://ajaxplorer.info/ajaxplorer-5-0-1/
______________________________________________________________________

AjaXplorer Core 5.0.1 available

This is a bugfix and security release from v5.0.0. Update is automatic using the in-app upgrade mechanism, and is highly recommended, as this release fixes three potential vulnerabilities.

There are also a couple of new improvements:

- When using the HTML5 uploader, closing the window will carry on the upload in the background, and display a bottom indication of current upload.
- When using drag'n'drop, you can now point to an existing application folder to upload directly inside this folder.
- With this same uploader, Google Chrome on Windows and Linux now supports folders upload and drag'n'drop upload! Unfortunately not yet available on MacOS, as UTF-8 characters get messed up.
- Important fixes on Jumploader that was broken in v5.0.0 as soon as it partitioned file
- Better handling of SQL errors when misconfiguring the application

See detailed changelog below for other fixes.

Summary

License : Affero GPL
Copyright : Charles du Jeu 2013
Version number : 5.0.1

Please see 5.0.0 release note if you are not already familiar with this version!

Download

Core : ajaxplorer-core-5.0.1.zip or ajaxplorer-core-5.0.1.tar.gz
Linux packages are available in the 'stable' channel.
Upgrade : upgrade is automatic from 5.0.0
Demo : https://demo.ajaxplorer.info/
Contributor(s) : thomasCresson, Destroyer, Letreguilly, adrianbj, chusopr
Requirement : php5.3 and upper

Detailed changeLog

- Update README.md
- Test RHN optional channel activation
- Clear cache and touch first_run_passed at upgrade for linux packages
- Report spec to tpl
- Fix POST script
- Fix usage, use build_channel not channel
- Fix RHN optional channel registration
- Fix #169: File transfers via WebDAV are not logged.
- antivirus plugin
- Delete File
- Update test.PHPOS.php
- Fix double parenthesis problem
- Fix #175
- Update manifest.xml
- Update class.scan.php
- Update class.fsAccessDriver.php
- update plugin
- Update manifest.xml
- Pass an optional ContextNode to filenameExits method
- Define hooks automatically attached to AjxpDroppables for drag'n'drop support
- Fix #194, Fix the multiple copy upload problems by preventing re-opening the uploader.
- Refix background dropHover
- Fix #178 by removing autocompleter options from action.share and let them only in core.conf (autocompleter is a generic widget)
- The unload action may create a problem on reload in FF (user is logged out). Disable it for Gecko browsers.
- Fix #171
- Full replug of the bookmarks for the Settings panel.
- Fix #187
- Fix settings bookmarks
- Backward compatibility for "Bookmarks" tabs: a standard workspace only has 2 tabs, Folders & Bookmarks, using legacy bookmarks loading, whereas index.lucene is redefining this template part to provide the 3rd tab, and use search for feeding the results pane.
- Call escapeshellarg where missing
- Move node.change hook from fsAccessDriver to uploader's postProcessors. It's now the responsibility of the uploader to trigger the events.
- Comment the header content-encoding: none from AJXP_ShutdownScheduler to avoid encoding error (was breaking Jumploader).
- Czech translation update
- Revert "Czech translation update"
- Czech translation update
- > Fix protoMenu clicking on Workspaces & User widget buttons, annoying menu disappearing > redesign backgroundManager panel
- index.lucene: fix disappearing background manager. Fix information string displayed. Add set_time_limit instruction in the recursive indexation to avoid error if possible
- Czech translation update #2
- Fix metadata line for FF & IE
- Rework splash / login form, still w-i-p
- Fix French message
- Rework splash + login screen
- Fix #168
- Fix #186 – impossible to compress the files into an archive when using a smb repository -> verify if there is a scheme with parse_url and add an extra slash (to get an url like "scheme://" instead of "scheme:/") – problem with the files' name when creating an archive using smb (two first characters are suppressed) -> clean the extra slash from the real_path
- Better SQL error when you modify your SQL connection by an empty one. Create a backup file to fix the problem if it happens. New error message.
- Fix isAjxpAdmin() for multiAuthDriver
- Set antivirus plugin disabled by default for the moment
- Fix "webftp" case of auth.ftp driver
- Support folder upload in chrome
- Wrong compile, probably a linefeed problem
- Use backgroundPanel to display upload status, if the user closes the upload dialog. Nice!
- Do not ask for background upload, make it a hidden feature for now on
- Fix login display if no welcome message
- Default welcome message in installer
- New try on splash screen
- Unfortunately, the drag'n'drop + FileAPI + UTF-8 characters is not working on Mac OS X .. Disabled folders drag'n'drop, only working on Windows yet.
- Clean and refactor for naming convention the Antivirus contribution. Still to be more deeply tested.
======================================================================

=========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================