News » 2006-06-24-1

New Stable Release: Qdig 1.2.9.3

This is a maintenance release that corrects code that could be abused for cross-site scripting on servers configured with register_globals enabled. This release also bundles an improved version of the path_helper.php script.

Notes:

This is a maintenance release that corrects code that could be abused for cross-site scripting on servers configured with register_globals enabled (not PHP's default since version 4.2.0, which was released April 22, 2002). With register_globals on, every request parameter becomes a PHP variable before the script runs, so a visitor can supply variables the script expects only its own configuration to set. If your server has register_globals enabled you should upgrade immediately or make the changes described below. (Actually, you should probably turn register_globals off!)

If you have a previous version and don't want to upgrade you can change two lines to protect your copy of Qdig from the vulnerability:

Near the beginning of the Output section of the script, change

    if (isset($pre_gallery)) { echo $pre_gallery; }

to

    if (!ini_get('register_globals')) { echo @$pre_gallery; }

and near the end of the script, change

    if (isset($post_gallery)) { echo $post_gallery; }

to

    if (!ini_get('register_globals')) { echo @$post_gallery; }

See all of the related changes (and one other minor change) here. Some other code was added to ensure that this type of bug will not find its way back into the script. Special thanks go to Patrick R. Michaud for his knowledgeable assistance and register_globals-related code.
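The following is an added example, not Qdig's own code, showing why the original isset() check was no defence and one way to close the hole that does not depend on the ini setting. It assumes the gallery script is reachable with a query parameter named after the variable (e.g. ?pre_gallery=...), and it emulates register_globals by copying request parameters into globals, because the directive no longer exists in PHP 5.4 and later. Note that the two-line fix above, as written, never echoes $pre_gallery or $post_gallery at all when register_globals is on, so on such a server the admin's own banner text is dropped too; the unregister_globals() approach below (an assumption, not necessarily the code Qdig added) keeps the feature working while still discarding request-supplied values.

```php
<?php
// Added example, not Qdig's own code: how register_globals turned a request
// parameter into $pre_gallery, why isset() did not protect, and a hardening
// that works whether or not the directive is on.
// Assumption: the attacker can request the script with ?pre_gallery=<payload>.

// Constructed request (no real server involved). register_globals is gone in
// PHP >= 5.4, so we also emulate what it did: every request parameter became
// a global variable before any line of the script ran.
$_GET['pre_gallery']     = '<script>alert(document.cookie)</script>';
$_REQUEST['pre_gallery'] = $_GET['pre_gallery'];
foreach ($_REQUEST as $name => $value) {
    $GLOBALS[$name] = $value;   // this is what register_globals=On did
}

// The 1.2.9.2 output line. $pre_gallery is meant to be raw HTML written by the
// site admin in the config block, so it is echoed unescaped on purpose; but
// isset() is true no matter who set the variable, hence reflected XSS.
function vulnerable_output() {
    global $pre_gallery;
    return isset($pre_gallery) ? $pre_gallery : '';
}

// Hardening: before any script logic runs, drop every global whose name also
// arrived in the request. The superglobals themselves are never touched.
function unregister_globals() {
    $keep = array('GLOBALS', '_SERVER', '_GET', '_POST', '_COOKIE',
                  '_FILES', '_ENV', '_REQUEST', '_SESSION');
    foreach (array_keys($_REQUEST) as $name) {
        if (!in_array($name, $keep, true) && array_key_exists($name, $GLOBALS)) {
            unset($GLOBALS[$name]);
        }
    }
}

// Before hardening: the attacker's markup is what gets echoed.
echo "1.2.9.2 behaviour: " . vulnerable_output() . "\n";

// After hardening: the injected variable is gone, so nothing is echoed.
unregister_globals();
echo "after unregister_globals(): " . vulnerable_output() . "\n";

// The admin's config block (assumed to run after unregister_globals()) is now
// the only thing that can populate the variable, which is the intended design.
$pre_gallery = '<div class="banner">My gallery</div>';
echo "admin-configured value: " . vulnerable_output() . "\n";
```

Run it with `php example.php`; the first line shows the attacker's payload being emitted, the second is empty, and the third shows only the admin-supplied markup. Output escaping is deliberately not the fix here, since $pre_gallery is supposed to carry the admin's HTML; the point is to make sure a request can never be the source of that variable.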

This release also bundles an improved version of the path_helper.php script.

See also the Qdig 1.2.9.2 release notes.

Changes:

  • Corrected code that exposed a cross-site scripting vulnerability when running on some web servers (reported by http://seclab.tuwien.ac.at/).
  • Updated to the latest version of path_helper.php.

See also the Qdig 1.2.9.2 changes.

See CHANGELOG.txt for a complete list of changes.
