Elgg 1.8.13 and Elgg 1.7.17 have been released to address a security issue in the Twitter widget. The issue is present in all versions of Elgg that have included the Twitter widget plugin. Thanks to Moritz Naumann of Naumann IT Security Consulting for discovering and reporting this vulnerability to us.
Keep your Elgg site secure by disabling the Twitter plugin or upgrading today.
Five developers contributed to this release:
If you would like to contribute to an Elgg release, fork our repository at Github.
Security issues should be reported to security@elgg.org!
©2014 the Elgg Foundation
Thanks for the update. Is it a high-risk or low-risk threat?
Rodolfo Hernandez
Arvixe/Elgg Community Liaison
Thanks for updating, also. Any update on the issue of malformed URLs?
The Secunia advisory rated it as medium. At a minimum, you can grab the Twitter widget plugin from the new release and use it with a previous one if you are not ready to upgrade.
@tunist The fix was for URLs that had the string "quot" in them. I hadn't seen "039" there before, so we will need to look into it. It is definitely related.
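As an added illustration (this is not Elgg's code and not the actual Twitter widget fix, whose code path the page does not show), the PHP below contrasts a naive autolinker that decodes HTML entities and writes the result straight into an href with one that restricts the scheme and escapes for the attribute context with ENT_QUOTES, which neutralises both the &quot; and &#039; forms mentioned in the thread. The function names and the sample inputs are constructed for the example.

```php
<?php
// Added illustration, not Elgg's own code. It models the class of bug the
// release note describes (entity forms such as &quot; / &#039; inside a URL
// string ending up as a literal quote inside an HTML attribute). The Twitter
// widget's real code path is not on this page and is not reproduced here.

// Naive: decodes entities, then drops the URL into an href without re-escaping.
// A URL carrying &quot; becomes a literal " and terminates the attribute.
function link_url_naive(string $url): string {
    $decoded = html_entity_decode($url, ENT_QUOTES, 'UTF-8');
    return '<a href="' . $decoded . '">' . $decoded . '</a>';
}

// Hardened: only allow http/https, then escape for the attribute context with
// ENT_QUOTES so both " and ' are encoded regardless of what the input held.
function link_url_safe(string $url): ?string {
    $decoded = html_entity_decode($url, ENT_QUOTES, 'UTF-8');
    $parts = parse_url($decoded);
    if ($parts === false || !isset($parts['scheme'])
        || !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null; // reject javascript:, data:, and anything unparsable
    }
    $escaped = htmlspecialchars($decoded, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<a href="' . $escaped . '">' . $escaped . '</a>';
}

// Constructed sample inputs carrying the entity forms the thread mentions.
$samples = [
    'http://example.com/?q=1',
    'http://example.com/&quot; onmouseover=&quot;alert(1)',
    'http://example.com/&#039; onclick=&#039;alert(1)',
    'javascript:alert(1)',
];

foreach ($samples as $s) {
    echo "naive: ", link_url_naive($s), "\n";
    echo "safe:  ", link_url_safe($s) ?? '(rejected)', "\n\n";
}
```

Running it shows the naive version emitting `href="http://example.com/" onmouseover="alert(1)"` for the second sample, while the hardened version keeps the whole string inside the attribute as `&quot;`-escaped text and drops the `javascript:` sample entirely. The point for a widget author is that escaping must happen at output time, in the attribute context, after any decoding has already been done.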
Ah ok; gotcha.
@Cash: the download link to Elgg 1.7.17 results in a 404. Is the zip file missing / not available yet?
@rjcalifornia I consider all XSS as high risk.
@iionly In the meantime you can get 1.7.17 here: https://github.com/Elgg/Elgg/archive/1.7.17.zip
Hmm...I must have forgotten to add the 1.7.17 release. I can do that in about 3 hours.
The Elgg 1.7 zip file from GitHub is missing the ChangeLog file. Just thought I should mention it in case this was unintended...
While ChangeLog is missing the zip contains .gitignore and .travis.yml. Wouldn't it be "nicer" to remove these files for the public release? They make sense for the development version from github but otherwise they might only confuse people ("What is this strange file? Can I remove it?").
@cash @Steve
Thanks for the info!
Rodolfo Hernandez
Arvixe/Elgg Community Liaison
@iionly - I think we have always removed the .gitignore. I modified our release script to remove the travis file for the latest releases. We have no control over the zip files created by Github.
@Cash: I can confirm that .gitignore and .travis.yml are indeed not included in the Elgg 1.8 zip archive when downloaded from here. For the Elgg 1.7 zip archive there's also no .gitignore but there is the .travis.yml still included. I guess the Changelog does get created by script then, too? This would explain why it's not in the zip file from github. Alright for me.
@iionly - you are correct on the 1.7 zip file. Whoever deployed it must have forgotten to get the latest version of the release script. And yes, the script creates the change log from the commit messages.
Does this solve the cache problem with language?
@mariano: is there really a cache problem with language files? Have you tried if it works when creating a corresponding language file in views/default/js/languages for the additional language(s)? This seems to have worked for others to solve the issue.