Security Update 0.7.20 released
Secunia Research contacted us a few days ago about two potential security issues.
Secunia Research contacted us a few days ago about two potential security issues. We have been working to reproduce and fix the issues, while they have held off making them public.
While I won't go into too much detail, I will say that one involves being able to upload a malicious file. It requires an odd set of preferences and a missing file to allow it to happen though, so the threat is pretty low in our opinion.
The other was a js code injection. The user was able to inject some js code that would run if an admin edited the users post. This was only open if the site had the 'personal content manager' option enabled in the content plugin.
Both have now been fixed...thanks again to Secunia for pointing them out to us.
Of course, the release also includes all other bug fixes that have been committed since the last release.
Link to downloads here: http://e107.org/edownload.php
Changes found here in the changelog