Security: Security Release: XOOPS 2.0.12a

Posted by: Mithrandir on 2005/6/28 14:10:00

Just last Friday, we released XOOPS v2.0.11, but during the weekend, I had a great deal of communication with James from GulfTech Security Research, who helped me find and fix a couple of holes in the XML-RPC interface and the comment system.

Also, work done by XOOPS JP and JM2 and the zx team helped with a couple of other bugs and issues.

We therefore recommend that everyone upgrade to version 2.0.12a, available from this site.

Upgrade instructions:
1. Download patch
2. Extract patch
3. Upload patch to webserver (NOTE: ONLY upload modules/newbb/post.php if you use Newbb version 1.0)
4. Update System Module
5. That's it

Changes since 2.0.10:

2005/06/29: Version 2.0.12a
- Fixed bug in comments, where editing a comment would post a new one
- Removed PHP parsing in Saxparser's handleProcessingInstruction() method (Thanks to GIJOE)
- Fixed parse error in modules/newbb/post.php

2005/06/28: Version 2.0.12
- Fixed sanitization bug in include/comment_form.php and include/comment_post.php (Mithrandir/James@Gulftech)
- Fixed sanitization bug in class/xml/rpc/xmlrpcapi.php and class/criteria.php (Mithrandir/James@Gulftech/XOOPS JP)
- Changed admin.php to fetch news via Snoopy (Mithrandir/XOOPS JP)
- Fixed possible XSS hole in redirect_header (Mithrandir/XOOPS JP)
- Security fixes in pda.php and misc.php (Mithrandir/XOOPS JP)
- Fixed typos in kernel/object.php (Mithrandir/brandycoke)

2005/06/24: Version 2.0.11
- Fixed bug where lostpass.php would not accept emails and send new password (Ackbarr)
- Fixed bug where search result links would be wrong if the item was in another module than the searched one (Ackbarr)
- Fixed bug in groups admin where it was impossible to add users to a group if the site had 200+ users (Ackbarr)
- Fixed bug with uploading smilies (Ackbarr)

XOOPS 2.0.12 Stable
.zip | tarball

XOOPS 2.0.10 to 2.0.12 patch
.zip | tarball

XOOPS 2.0.12 to 2.0.12a patch
Kindly provided by LazyBadger