CakePHP 2.3.5 has just been released to fix a critical issue with how the 
webroot property in CakeRequest is handled that could potentially lead to 
XSS attacks on certain pages. In the following days we will offer a full 
description of the vulnerability and how it can be exploited, after some 
reasonable time has passed for our users to upgrade.

A huge thanks to Florian Krämer for conducting a full security audit of the 
CakePHP code and to Carl Sutton for reporting the issue and providing a candidate patch.

In addition to the security fix, 2.3.5 contains fixes for the following 
issues:

   - Increasing compatibility with old CentOS servers and the way they 
   handle PHP regular expressions
   - Preventing the pagination limit from overflowing the maximum integer value
   - Making sure form ids generated in FormHelper::postLink() are actually 
   unique
   - Fixed a bug in TextHelper auto link utility

We recommend that all users of the 2.x release series upgrade to the new 
release as soon as possible.

Links

   - Download a packaged release http://github.com/cakephp/cakephp/tags
   - View the changelogs http://cakephp.org/changelogs

-- 
Like Us on FaceBook https://www.facebook.com/CakePHP
Find us on Twitter http://twitter.com/CakePHP
