Elgg 1.7.10 has been released to address multiple security issues in all previous versions of Elgg. Admins should upgrade immediately to keep their networks and users safe.
Aung Khant discovered multiple reflected cross-site scripting vulnerabilities in bundled plugins and provided details so we could get a fix out quickly. Thanks Aung!
Elgg 1.7.10 also contains a few enhancements, bugfixes, and API changes.
Enhancements:
Bugfixes:
Security issues should be reported to security@elgg.org!
©2014 the Elgg Foundation
Good to hear some bugs have been caught and squashed. Thanks for the update core team.
Thanks for the update.
A little concern regarding the scripting vulnerabilities: I don't want to go into details, but would it be possible (or maybe rather likely...) that the issue is also included in the code of third-party plugins? If so, would it be necessary to fix the code of these plugins at all vulnerable spots?
@iionly - the vulnerabilities were for reflected XSS attacks. Basically, someone sends a user a URL that includes parameters that are passed to the page (think search query). The parameter could include embedded HTML or JavaScript. Those should be removed before the parameter is displayed on a page. We're coming up with a list of best practices here: http://trac.elgg.org/ticket/3553
What we could do is provide the right framework for making secure applications (functions like get_input() that automatically filter user supplied data) and the best practices to follow.
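The reflected-XSS pattern described above, shown as an added example rather than code from Elgg or from the commenters: a search page that echoes its `q` parameter back into the HTML, first without encoding and then with HTML-encoding at the point of output. Elgg's `get_input()` filtering is a separate, input-side layer; the function names and the constructed request here are illustrative only.

```php
<?php
// Added example, not Elgg code. Constructed requests, as a browser would send
// them after a user follows a crafted link to the search page.
$requests = [
    'element context'   => ['q' => '<script>alert(1)</script>'],
    'attribute context' => ['q' => '" autofocus onfocus="alert(1)'],
];

// Vulnerable: the raw parameter is concatenated into HTML, so any markup or
// quote in it becomes part of the page and the browser acts on it.
function render_unsafe(array $params): string
{
    $q = $params['q'] ?? '';
    return "<h2>Results for " . $q . "</h2>\n"
         . "<input type=\"text\" name=\"q\" value=\"" . $q . "\">";
}

// Hardened: encode every user-controlled value where it is written into the
// page. ENT_QUOTES also encodes " and ', so the value cannot break out of a
// quoted attribute; this is the fix the advisory's "removed before displayed"
// refers to, applied at output time.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_safe(array $params): string
{
    $q = $params['q'] ?? '';
    return "<h2>Results for " . esc($q) . "</h2>\n"
         . "<input type=\"text\" name=\"q\" value=\"" . esc($q) . "\">";
}

foreach ($requests as $label => $request) {
    echo "== $label ==\nUNSAFE:\n" . render_unsafe($request) . "\n";
    echo "SAFE:\n" . render_safe($request) . "\n\n";
    // Self-check: the hardened output never contains a raw tag or a raw
    // quote character that could terminate the attribute value.
    $safe = render_safe($request);
    assert(strpos($safe, '<script') === false);
    assert(substr_count($safe, '"') === 4); // only the four quotes we wrote
}
```

Run it with the CLI (`php example.php`) and compare the two outputs for each request; the unsafe one carries the payload verbatim, the safe one shows it as literal text.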
@Cash: thanks.