YaWiki 0.21.1 Released

This is a security upgrade. You can download it from the usual location at http://yawiki.com/.

Arnaud Limbourg performed a full code audit for $_GET, $_POST, and $_SERVER usage. He discovered some instances of unescaped $_SERVER values in the controller scripts (not the templates). Escaping has been applied to those instances, even in some cases where it does not appear immediately necessary. The flaws have no reported exploit in the wild, but users are strongly encouraged to upgrade regardless.

Thanks, Arnaud. :-)
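An added illustration of the kind of audit described above (not YaWiki code and not the tool Arnaud used): a small Python scanner that lists every `$_GET`, `$_POST`, or `$_SERVER` read in PHP source that is not wrapped in an escaping or casting call. The wrapper list, the function names and the sample PHP are assumptions made for this example; the check is a per-line heuristic that produces leads for manual review, including reads that may not look immediately dangerous.

```python
import re

# The superglobals named in the audit: $_GET, $_POST, $_SERVER with a literal key.
SUPERGLOBAL = re.compile(
    r"\$_(GET|POST|SERVER)\s*\[\s*(['\"]?)([A-Za-z0-9_]+)\2\s*\]")
# Calls treated as neutralising the value or only testing for its existence
# (assumption: adjust this list to the escaping helpers your code base uses).
SAFE_WRAPPERS = {"htmlspecialchars", "htmlentities", "urlencode",
                 "rawurlencode", "intval", "isset", "empty"}
CALL_OR_CLOSE = re.compile(r"([A-Za-z_][A-Za-z0-9_]*)?\s*\(|\)")

def enclosing_calls(line, pos):
    """Names of calls whose parentheses are still open at column pos."""
    stack = []
    for m in CALL_OR_CLOSE.finditer(line[:pos]):
        if m.group(0) == ")":
            if stack:
                stack.pop()
        else:
            stack.append((m.group(1) or "").lower())
    return stack

def audit(source):
    """Return (line number, superglobal, key) for each unwrapped read."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in SUPERGLOBAL.finditer(line):
            if not SAFE_WRAPPERS.intersection(enclosing_calls(line, m.start())):
                findings.append((lineno, m.group(1), m.group(3)))
    return findings

# Constructed sample controller code, not taken from YaWiki.
SAMPLE = '''<?php
// constructed sample
$self = $_SERVER['PHP_SELF'];
$host = htmlspecialchars($_SERVER['HTTP_HOST']);
if (isset($_GET['page'])) {
    $page = $_GET['page'];
}
$tpl->assign('referer', $_SERVER["HTTP_REFERER"]);
$id = intval($_POST['id']);
'''

if __name__ == "__main__":
    for lineno, name, key in audit(SAMPLE):
        print(f"line {lineno}: unescaped $_{name}['{key}']")
```

Each reported line still needs a human decision: a flagged value may be escaped later in a template, and a wrapped value may be escaped for the wrong output context.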

One Response to YaWiki 0.21.1 Released

  1. Arnaud says:

    I would not go as far as “full code audit” but I tried to fix what I found and I may have left some out :)

    BTW Paul, it would be nice if you could provide a unified patch to make it easier to upgrade an existing yawiki install.
