
Joe Rosa

Blog :: EmergeTeam
Elgg Development: Active Tickets

#392: Comment wall allows spam in

Setting commentwall to "private" or "logged in users only" still allows spam to get in.

mod/commentwall/do_action.php mod/commentwall/lib.php::commentwall_addcomment()

all ignore permissions. Can you give me a pointer on how to get hold of permissions for a plugin and I'll fix it?

#391: XSS in File Upload

A user can upload an HTML file containing JavaScript. When another user downloads the file, the script is run as if the script comes from the same domain, an XSS vulnerability.

The included patch simply sets Content-Disposition to attachment for all files that are not images, instead of just for files with application/octet-stream MIME types, as done in Elgg 1.0.
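The two rules side by side, as an added example that is not Elgg's code or the attached patch: the weak rule only forces a download for application/octet-stream, so an uploaded text/html file is rendered inline in the site's origin; the hardened rule serves only an allowlist of raster image types inline and everything else as an attachment. The function names, the allowlist and the extra nosniff header are assumptions of this illustration. Note that a plain "is it an image" test is not enough, because image/svg+xml can carry script, so the allowlist deliberately omits it.

```python
"""Added example (not Elgg's code): choosing Content-Disposition for
a user-uploaded file so that an HTML upload cannot run as same-origin
script in another user's browser."""
import re

# Assumed allowlist: only raster formats a browser renders without any
# scripting context. image/svg+xml is left out on purpose.
INLINE_OK = {"image/png", "image/jpeg", "image/gif"}


def _normalise_mime(mime):
    """Strip parameters and case so 'TEXT/HTML; charset=x' compares as text/html."""
    return mime.split(";")[0].strip().lower()


def _safe_filename(filename):
    """Keep the header unparseable-quote free: replace anything outside a
    conservative character set. Header injection via the filename is the
    other classic problem in this code path."""
    return re.sub(r"[^A-Za-z0-9._-]", "_", filename) or "download"


def vulnerable_headers(mime, filename):
    """The pre-patch behaviour described in the ticket: only octet-stream
    is forced to attachment, so text/html is rendered inline."""
    headers = {"Content-Type": mime}
    disposition = "attachment" if mime == "application/octet-stream" else "inline"
    headers["Content-Disposition"] = '%s; filename="%s"' % (disposition, filename)
    return headers


def hardened_headers(mime, filename):
    """Inline only for the image allowlist; download for everything else.
    X-Content-Type-Options: nosniff stops the browser second-guessing the
    declared type of files it does render inline (added here, not in the patch)."""
    mime = _normalise_mime(mime)
    disposition = "inline" if mime in INLINE_OK else "attachment"
    return {
        "Content-Type": mime,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": '%s; filename="%s"' % (disposition, _safe_filename(filename)),
    }
```

Anything that is not on the allowlist, including SVG and HTML, is downloaded rather than rendered, which is the property the patch is after; the filename sanitisation is a separate, cheap precaution for the same header.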

#390: Prevent uploading files with dot prefix (e.g.: .htaccess)

By default, Elgg 0.9.x ships the data directory inside the web-accessible root directory, so malicious users can upload a .htaccess file and disable the rewrite engine in their own files directory (data/files/u/username/).
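A filename check of the kind this ticket asks for, as an added example rather than Elgg's own code: the upload name is reduced to its basename, names beginning with a dot are refused outright, and the remainder is matched against a conservative allowlist. The function name and the allowed character set are assumptions. This is a mitigation only; the underlying problem is that user-writable files sit under the web root where Apache honours .htaccess, so moving the data directory outside the web root or turning off AllowOverride for it removes the hazard regardless of filename.

```python
"""Added example (not Elgg's code): reject upload names that Apache
would treat as configuration (.htaccess) and other dot-prefixed names."""
import os
import re

# Assumed allowlist: must start with a letter or digit, then a short run
# of letters, digits, dot, underscore or hyphen. A leading dot can never
# match, so .htaccess, .htpasswd and .env are all refused.
ALLOWED_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


def safe_upload_name(name):
    """Return the sanitised basename to store under, or None to reject."""
    # Treat backslashes as separators too, so "..\\.htaccess" does not
    # survive basename() on a POSIX host.
    base = os.path.basename(name.replace("\\", "/"))
    if not base or base.startswith("."):
        return None
    if not ALLOWED_NAME.match(base):
        return None
    return base
```

Rejecting on the basename rather than the raw path means a traversal prefix (../ or ..\) cannot smuggle a dot-file past the check.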

#389: TAGs lost when admin edits others blogs

When the administrator edits other users' blogs the TAGs are not retrieved, as the code uses the session id; but a simple identification of the $page_owner tells display_input_field to use that as the $page_owner.

Patch attached

#388: User can manipulate populartags

In 'populartags' the code selects TAGs using the 'ident' field, which is a sequential code generated each time we 'add' or 'edit' a Blog post. However, editing an old blog post generates a new 'ident' without changing its position in the queue for the MySQL query that uses the record ID, and consequently brings that TAG to the latest blogs.

This allows a user to manipulate the TAG cloud so that it points to his/her personal blogs. (We had that case - people are creative.)

Changing the field 'ident' to 'ref' and using the MAX() clause in the MySQL query, together with the constraint tagtype='weblog', proved an effective solution.

Patch attached
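The mechanism in this ticket, reproduced in an in-memory SQLite database as an added example (not Elgg's schema, the attached patch, or its MySQL): saving a post deletes and re-inserts its tag rows, so they always receive fresh sequential idents. A recency query keyed on the tag row's own ident therefore promotes the tags of any old post the moment its owner re-saves it, while a query keyed on the post id (the 'ref' column) with MAX() and tagtype='weblog' is unaffected. Table and column names, the save routine and both queries are assumptions reconstructed from the ticket text.

```python
"""Added example (not Elgg's code): how re-saving an old post pushes its
tags into a 'recent tags' query keyed on the tag row id, and why keying
on the post id instead closes the hole."""
import sqlite3

# Assumed minimal schema. 'ref' is the id of the post a tag row belongs to.
SCHEMA = """
CREATE TABLE weblog_post (
    ident INTEGER PRIMARY KEY AUTOINCREMENT, owner TEXT, title TEXT);
CREATE TABLE tags (
    ident INTEGER PRIMARY KEY AUTOINCREMENT, tagtype TEXT, ref INTEGER, tag TEXT);
"""


def save_post(db, owner, title, tags, ident=None):
    """Add (ident=None) or edit a post. As the ticket describes, tags are
    dropped and re-inserted on every save, so they get new sequential idents."""
    if ident is None:
        cur = db.execute("INSERT INTO weblog_post(owner, title) VALUES (?, ?)", (owner, title))
        ident = cur.lastrowid
    else:
        db.execute("UPDATE weblog_post SET title = ? WHERE ident = ?", (title, ident))
        db.execute("DELETE FROM tags WHERE tagtype = 'weblog' AND ref = ?", (ident,))
    db.executemany("INSERT INTO tags(tagtype, ref, tag) VALUES ('weblog', ?, ?)",
                   [(ident, t) for t in tags])
    return ident


def recent_tags_vulnerable(db, n):
    """Recency measured by the tag row's own ident: editable by the post owner."""
    rows = db.execute(
        "SELECT tag, MAX(ident) AS latest FROM tags WHERE tagtype = 'weblog' "
        "GROUP BY tag ORDER BY latest DESC LIMIT ?", (n,))
    return [r[0] for r in rows]


def recent_tags_fixed(db, n):
    """Recency measured by the newest post carrying the tag (MAX(ref)):
    re-saving an old post does not change its ref."""
    rows = db.execute(
        "SELECT tag, MAX(ref) AS latest FROM tags WHERE tagtype = 'weblog' "
        "GROUP BY tag ORDER BY latest DESC LIMIT ?", (n,))
    return [r[0] for r in rows]


def demo():
    """Constructed scenario: mallory's old post is edited after three newer posts."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    old = save_post(db, "mallory", "old post", ["buy-my-stuff"])   # post 1
    save_post(db, "alice", "post 2", ["elgg"])
    save_post(db, "bob", "post 3", ["security"])
    save_post(db, "carol", "post 4", ["php"])
    before = (recent_tags_vulnerable(db, 3), recent_tags_fixed(db, 3))
    # The attacker re-saves post 1; its tag row gets ident 5 but ref stays 1.
    save_post(db, "mallory", "old post (edited)", ["buy-my-stuff"], ident=old)
    after = (recent_tags_vulnerable(db, 3), recent_tags_fixed(db, 3))
    return before, after


if __name__ == "__main__":
    print(demo())
```

Before the edit both queries agree; after it the ident-keyed query lists buy-my-stuff first even though post 1 is the oldest, while the ref-keyed query still reflects actual post order.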