[wikka-news] Security release 1.3.4-p1 to fix XSS vulnerability
brian at wikkawiki.org
Sat Aug 31 16:31:15 UTC 2013
I've released 1.3.4-p1 in response to an XSS vulnerability report. A
malformed URL could be used to inject malicious HTML on the page,
duping the user into clicking on the link to read cookies, redirect to
a malicious website, etc. The vulnerability is only present on those
sites not running mod_rewrite, and the error page created by the
malformed URL would only be transient in nature. Nevertheless, the
vulnerability is now fixed.
On a side note: I've had a couple of developers contact me to offer
their help with keeping WW relevant, but all of them told me they'd
rather not deal with our current version source control setup (svn).
So, at some point soon down the road I will probably be transitioning
the source code and bug tickets to github. This shouldn't affect end
users and might actually assist us in getting some new devs to come on
board. I am hoping I have time for a Sept. release prior to this
transition. If you have any pressing issues you'd like to see fixed,
let me know and I'll see what I can do to fix them.
As always, thank you for your collective support of WikkaWiki!
Wikka Development Team
Systems Support and Random Tasking Dept.
More information about the news