Today, we released another bug fix for the Phorum 3.4 branch, version 3.4.2.
Among other things, it fixes a Cross Site Scripting Vulnerability. Here is
the changelog:

Phorum 3.4.2 Changelog
------------------------------------------------------------
More Postgres fixes. (tomaz)
better date formatting for newer Postgres versions. (tomaz)
Attempted to fix new flag issue. Could never duplicate, but found some buggy
code. (blm)
added script to clean up orphaned messages (blm)
fixed disabling post-editing for users in non-threaded (ts)
removed unneeded escape of ' in forum.php (blm)
replaced striptags with a preg. Strip tags does not strip just tags (blm)
Fixed some bad HTML in read.php (blm)
Fixed horiz scroll in IE (blm)
fixed tab order in form.php (blm)
removed \r in secure script (blm)
download.php works with non-apache and CGI now. (blm)
escape ' in the quote word. (blm)
fixed parse error in phorummail (blm)
Fixed Forum List Url in moderator.php (blm)
corrected upgrade30.php-script (ts)
Strip tags and &nbsp; from author, subject and email (blm)

That last item is what addresses the recent XSS exploit reported in the
support forums. Ironically, had I realized that was the case, we would have
released something when I fixed that a while back.

Brian Moon
Phorum Dev Team
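The last changelog item above (stripping tags and &nbsp; from the author, subject and email fields) is the fix that closes the reported XSS hole. The block below is an added example written for this post, not Phorum's own code; it assumes PHP 7 or later and uses hypothetical function names. It shows the two halves a defender wants: a regex-based tag stripper of the kind the changelog describes replacing strip_tags() with, applied before storage, and htmlspecialchars() escaping at output time, which is what actually stops stored text from being interpreted as markup even if a filter is bypassed.

```php
<?php
// Added example, not part of Phorum 3.4.2. Names prefixed "example_" are
// hypothetical and do not exist in Phorum.

// Input-side filter for short header-style fields (author, subject, email).
// A regex is used instead of strip_tags() so that only <...> constructs are
// removed and nothing else in the value is altered.
function example_clean_field(string $value): string {
    // Remove anything that looks like an HTML/SGML tag.
    $value = preg_replace('/<[^>]*>/', '', $value);
    // Remove non-breaking-space entities (the changelog strips these too).
    $value = str_replace('&nbsp;', '', $value);
    return trim($value);
}

// Output-side escaping: the durable defense. Every stored field is passed
// through this when it is written into a page, so a value that slipped past
// the input filter is rendered as literal text, not as markup.
function example_escape(string $value): string {
    // Charset assumed UTF-8; a 2002-era install would more likely be ISO-8859-1.
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Constructed sample values (not taken from any real report).
$samples = [
    'Brian Moon',
    'Re: Release <b>notes</b>&nbsp;&nbsp;',
    'someone"><script>alert(1)</script>',
];

foreach ($samples as $raw) {
    $stored = example_clean_field($raw);
    printf("raw:    %s\nstored: %s\nhtml:   %s\n\n",
        $raw, $stored, example_escape($stored));
}
```

Running this shows the third sample losing its script element at the input filter while the stray quote survives in storage; only the output escaping turns that quote into `&quot;`, which is why escaping at render time should be applied regardless of how thorough the input filter is.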

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php