Elgg Blog: Elgg 1.7.10 released

Elgg 1.7.10 has been released to address multiple security issues in all previous versions of Elgg. Admins should upgrade immediately to keep their networks and users safe.

Aung Khant discovered multiple reflected cross-site scripting vulnerabilities in bundled plugins and provided details so we could get a fix out quickly. Thanks Aung!

Elgg 1.7.10 also contains a few enhancements, bugfixes, and API changes.

Enhancements:

  • Banned users are more apparent in user lists and profiles.

Bugfixes:

  • TinyMCE: Using Elgg's default font to prevent small font sizes.
  • Files: Optimizations to allow uploading and downloading larger files.
  • Fixed bugs preventing users from adding and removing friends in Friends Collections.
  • $CONFIG->lastcache is correctly set for pages that regenerate the cache.

API changes:

  • Added can_edit_access_collection().
  • Access collection functions no longer check permissions. Do this in actions instead.

  • Good to hear some bugs have been caught and squashed. Thanks for the update core team.

  • Thanks for the update.

    A little concern regarding the scripting vulnerabilities: I don't wanna go into details but would it be possible (or maybe rather likely...) that the issue is also included in code of 3rd party plugins? If so, would it be necessary to fix the code of these plugins at all vulnerable spots?

  • @iionly - the vulnerabilities were for reflected XSS attacks. Basically, someone sends a user a URL that includes parameters that are passed to the page (think search query). The parameter could include embedded HTML or JavaScript. Those should be removed before the parameter is displayed on a page. We're coming up with a list of best practices here: http://trac.elgg.org/ticket/3553

    What we could do is provide the right framework for making secure applications (functions like get_input() that automatically filter user supplied data) and the best practices to follow.
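The two layers that reply describes, filtering what comes in and encoding what goes out, as an added PHP example that is not Elgg's own code. Only get_input() is Elgg's; read_param(), html_escape() and the render_* functions below are hypothetical stand-ins, and the request values are constructed.

```php
<?php
// Added example, not Elgg's code. Contrasts three treatments of a request
// parameter reflected into a search page: raw, tag-stripped, and HTML-encoded.

// Input layer. A coarse stand-in for the filtering the comment attributes to
// Elgg's get_input(): require a string and strip raw tags. strip_tags() only
// removes <...> elements; it does nothing for a value that closes a quoted
// attribute, so treat it as defence in depth, not the control you rely on.
function read_param(array $request, string $name, string $default = ''): string
{
    if (!isset($request[$name]) || !is_string($request[$name])) {
        return $default;
    }
    return strip_tags($request[$name]);
}

// Output layer. Encode for an HTML text node or a double-quoted attribute
// value. ENT_QUOTES covers both quote characters, so the value cannot end the
// attribute it sits in. JavaScript or URL contexts need their own encoders.
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Vulnerable pattern: the parameter is interpolated straight into markup,
// once as an attribute value (the search box echoes the query back) and once
// as text. Either context lets reflected markup run.
function render_search_unsafe(string $query): string
{
    return '<form><input name="q" value="' . $query . '"></form>'
         . '<h2>Results for: ' . $query . '</h2>';
}

// Hardened pattern: identical markup, parameter encoded at each insertion point.
function render_search_safe(string $query): string
{
    $q = html_escape($query);
    return '<form><input name="q" value="' . $q . '"></form>'
         . '<h2>Results for: ' . $q . '</h2>';
}

// Constructed sample requests, as a crafted link to a search page would
// deliver them: an element-based probe, an attribute-breakout probe, and a
// benign query.
$samples = [
    ['q' => '<script>alert(1)</script>'],
    ['q' => '" onmouseover="alert(1)'],
    ['q' => 'plain search terms'],
];

foreach ($samples as $request) {
    $raw      = $request['q'];
    $filtered = read_param($request, 'q');

    echo "raw:       ", render_search_unsafe($raw), "\n";
    echo "filtered:  ", render_search_unsafe($filtered), "\n";
    echo "encoded:   ", render_search_safe($raw), "\n\n";
}
```

Run it with the PHP CLI and compare the three lines per sample: strip_tags() neutralises the first probe but passes the second through untouched, while html_escape() renders both as inert character data. That is the point the reply makes about best practices: input filtering helps, but output encoding at the point where a parameter is written into a page is what closes reflected XSS.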
