New post from Full-disclosure mailing list about CI 1.5.3 vulnerabilities
[eluser]Jumper[/eluser]
Below is a copy of a new entry in the "full-disclosure" mailing list (a security mailing list). Section 3 below looks pretty bad, especially because there is no fix even in the SVN.. Quote: CodeIgniter 1.5.3 vulnerabilities
[eluser]Bruno França[/eluser]
CodeIgniter 1.5.3 vulnerabilities Take a look at: http://www.securityfocus.com/archive/1/473190
[eluser]Paul Burdick[/eluser]
Oy. Derek Jones and Derek Allard were preparing a release for you guys and this guy could not even wait. Simply had to get his credit on numerous boards and lists. Not only that, but Secunia picked this up and has, as usual, more than half of its information wrong, making our job that much harder. And there is a total solution in SVN for 3) and it has been in there for a few weeks now.
[eluser]Jim OHalloran[/eluser]
Is there any word on when a new release which includes those fixes will be ready? Now that the vulnerabilities are public I'm fairly keen to update my apps. Jim.
[eluser]Derek Allard[/eluser]
Hi Jim. You can update at any time from the subversion repository if you want. I know that's not for everyone though, and we'll be releasing a new CI version shortly. Give us just a bit more time. In the meantime, if you want to be sure, don't enable query strings (not very typical anyhow) and grab the new input library. Obviously the new build will have more than that, but that will give you immediate help.
[eluser]Jim OHalloran[/eluser]
Thanks Derek, I don't have query strings enabled, and I'll grab the new input library in the interim. I know you guys have some changes planned for the next release so I'd rather hold off till it's ready and documented rather than just dive in with the code from subversion. Jim.
[eluser]Derek Allard[/eluser]
Yup, I get it. The new input is 100% fully workable with the rest of the CI files, so just grab that one library for now.
[eluser]Myles Wakeham[/eluser]
I don't know if this is old news or not, but I stumbled across this today: http://lists.grok.org.uk/pipermail/full-...64500.html Myles
[eluser]sissy[/eluser]
Thanks for the heads up... hope it gets sorted real soon.
[eluser]david_ais[/eluser]
Can you confirm - does v1.5.4 fully address these vulnerabilities? Regards, David Bell