On Tuesday 01 July 2003 10:08, Tzafrir Cohen wrote:
>
> The version of Zope on IGLU is quite old. 2.1-something, IIRC. The
> version of Squishdot is probably almost as old.
>
> Upgrade? Replace with something else (that people here know how to
> maintain)? This question has arisen several times in the past.

I would of course recommend upgrading, but there might be other considerations 
involved from your side, so it's obviously up to you guys to decide. 
However, whatever you decide about Zope, make sure you filter <script> tags, 
in whatever workaround you can find for it - as it is now, anyone can steal 
the administrative cookie, or post fake news as someone else, or a bunch of 
other Cross-Site-Scripting attacks. This is no longer a theoretical 
vulnerability: there are people who know IGLU is vulnerable (2600) and they 
are already actively exploiting it!

-- 
- Aviram

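As an added example (not code from this thread, from Zope or from Squishdot), the two approaches side by side: the "strip <script> tags" workaround the reply asks for, and an allowlist sanitizer that also handles the cases the workaround misses (split tags, event-handler attributes, javascript: links). The tag policy, helper names and sample posts are constructed for the example.

```python
import html
import re
from html.parser import HTMLParser

# Constructed policy: the only markup a news post may keep.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "br"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_URL = re.compile(r"^(https?:|mailto:|/)", re.IGNORECASE)

def naive_filter(post):
    """The bare 'remove <script> tags' workaround, kept to show its gaps."""
    return re.sub(r"</?script[^>]*>", "", post, flags=re.IGNORECASE)

class PostSanitizer(HTMLParser):
    """Allowlist sanitizer: unknown tags are re-emitted as escaped text
    (never silently dropped), unlisted attributes such as onmouseover are
    discarded, and href must use a safe scheme."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.out.append(html.escape(self.get_starttag_text()))
            return
        kept = []
        for name, value in attrs:
            if (name in ALLOWED_ATTRS.get(tag, set()) and value
                    and SAFE_URL.match(value.strip())):
                kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        text = f"</{tag}>"
        self.out.append(text if tag in ALLOWED_TAGS else html.escape(text))

    def handle_data(self, data):
        self.out.append(html.escape(data))   # text is always escaped

    def handle_comment(self, data):
        pass   # comments are dropped; they carry no content a post needs

def sanitize(post):
    """Return the post with only allowlisted markup left active."""
    parser = PostSanitizer()
    parser.feed(post)
    parser.close()
    return "".join(parser.out)
```

The naive filter leaves a working `<script>` behind when the tag is split, and passes event-handler attributes untouched; the allowlist version neutralises both while keeping ordinary formatting.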