security issues

[Rodney]

Are the xss and other security issues that were posted in this forum taken care of in the latest svn version of pligg?

Some kind of announcement should be posted to let folks know what's going on with it.

[jitgos]

8.1.0 included many fixes and 8.1.5 will most likely be released in a few days to address the other issues. I believe every specific security issue that has been posted on the forums was fixed within minutes and included in the svn.

Jitgos

[Rodney]

Quote:

I believe every specific security issue that has been posted on the forums was fixed within minutes and included in the svn.

There was one post made yesterday that outlined some new issues, but that post was removed (which I guess prompted you to post the correct guidelines for reporting security issues). Those were the issues I was most curious about.

They probably shouldn't have been posted to the open forum, but now that they are "out there", I just wanted to make sure there was already a security patch. People should be notified and encouraged to upgrade as well to protect their pligg sites when stuff like that is found and patched.

[kbeeveer46]

Rodney, that's why 8.1.0 was released. Because there were a lot of holes patched and we felt that they were big enough holes that they warranted a quick release. We've never had this many people tesing Pligg at one time and they're finding things that have never been reported before.

[Rodney]

Quote:

Rodney, that's why 8.1.0 was released. Because there were a lot of holes patched and we felt that they were big enough holes that they warranted a quick release

8.1.0 was released on 10/8 but the forum post with the security issues was posted on 10/9 AFTER the 8.1.0 release. It said that the most current version of pligg had vulnerabilities.

The whole post was removed, but I think it clearly stated the problems were in the 8.1.0 version of pligg.

[kbeeveer46]

Yeah, that's why Jit mentioned maybe even another release with the fixes you mentioned.

[jitgos]

Just to confirm. As soon as those were issues were brought up within minutes they were fixed in the svn. We havent released antoher update yet b/c we want to make sure we have fixed all similar issues we can find and then release an official update within a day or two.

Pligg was tested by a lot of people before being released but as KB said the digg article has brought in soooo many people using pligg that other things have come up.

Jitgos


Jitgos

[savant]

do you mean these:

xss:
http://www.pligg.com/forum/showthrea...light=security

xss and sql injection
http://www.pligg.com/forum/showthrea...light=security

both have been fixed.

[xknown]

Quote:

Originally Posted by savant

do you mean these:

xss:
http://www.pligg.com/forum/showthrea...light=security

xss and sql injection
http://www.pligg.com/forum/showthrea...light=security

both have been fixed.

No, I've posted other vulnerabilities. IMHO, I think there are more, that's why I said you should do a general code review.

BTW, some problems were fixed incorrectly (ej. applying strip_tags instead of intval)

[savant]

i will try and look for them in the forum.

xknown thanks again for the security updates.