Hello. PmWiki version 2.2.96 was published today, and is available at:
http://www.pmwiki.org/pub/pmwiki/pmwiki-2.2.96.tgz
http://www.pmwiki.org/pub/pmwiki/pmwiki-2.2.96.zip
svn://www.pmwiki.org/pmwiki/tags/latest

This version fixes a severe PHP code injection vulnerability, reported by Gabriel Margiani. PmWiki versions 2.2.56 to 2.2.95 are affected.

Only certain local customizations enable the vulnerability. Your website may be at risk if your local configuration or recipes call some core functions, such as CondAuth(), RetrievePageName() or FmtPageName(), too early, that is, before the $pagename variable is sanitized by ResolvePageName() in stdconfig.php. A specific URL launched by a malicious visitor may trigger the vulnerability. Most recipes call core functions from a $HandleActions function or from a Markup expression rule; these do not appear to be affected by the current exploit.

If your wiki may be at risk, it is recommended to upgrade to version 2.2.96 or the most recent version at the earliest opportunity. If you cannot immediately upgrade, you should place the following line in your local (farm)config.php file:

$pagename = preg_replace('![${}\'"\\\\]+!', '', $pagename);

Place this line near the top of the file, but after you include scripts/xlpage-utf-8.php or another character encoding file.

This version filters the $pagename variable to remove certain characters. A new variable $pagename_unfiltered is added in case a recipe requires the previous behavior.

The documentation was updated.

Thanks,
Petko

--
Change log : http://www.pmwiki.org/wiki/PmWiki/ChangeLog
Release notes : http://www.pmwiki.org/wiki/PmWiki/ReleaseNotes
If you upgrade : http://www.pmwiki.org/wiki/PmWiki/Upgrades
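As an added illustration (not part of the announcement or of PmWiki's own code), here is how the interim filter fits into a minimal local/config.php so that the ordering requirement is respected: character encoding first, then the filter, and only afterwards any recipe that might call core functions at config time. The recipe file name is a placeholder; the $FarmD variable and the `defined('PmWiki')` guard are standard PmWiki conventions.

```php
<?php if (!defined('PmWiki')) exit();
// local/config.php (hypothetical minimal example; not from the announcement)

// 1. Character encoding must be set up before the filter runs.
include_once("$FarmD/scripts/xlpage-utf-8.php");

// 2. Interim mitigation from the announcement, for wikis that cannot
//    upgrade to 2.2.96 yet. Keep an unfiltered copy first, mirroring the
//    $pagename_unfiltered variable that 2.2.96 introduces for recipes that
//    need the old value, then strip the characters '$', '{', '}', quotes
//    and backslashes from the request-supplied page name.
$pagename_unfiltered = $pagename;
$pagename = preg_replace('![${}\'"\\\\]+!', '', $pagename);

// 3. Only below this point include recipes or customizations that may call
//    CondAuth(), RetrievePageName() or FmtPageName() directly while the
//    configuration is being loaded (as opposed to from $HandleActions or a
//    Markup rule, which run later and were not found to be affected).
include_once("$FarmD/cookbook/ExampleRecipe.php"); // placeholder recipe name
```

After upgrading to 2.2.96 the filter line becomes redundant, since stdconfig.php performs the same filtering itself; leaving it in place is harmless.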
