info@elgg.org
Security issues should be reported to security@elgg.org!
©2014 the Elgg Foundation
Elgg is a registered trademark of Thematic Networks.
Cover image by RaĆ¼l Utrera is used under Creative Commons license.
Icons by Flaticon and FontAwesome.
- Cash@costelloc
Cash - 0 likes
- pa@pinate
pa - 0 likes
- pa@pinate
pa - 0 likes
- Cash@costelloc
Cash - 0 likes
- pa@pinate
pa - 0 likes
- Brett@brett.profitt
Brett - 0 likes
- GMA@boknoy
GMA - 0 likes
- Brett@brett.profitt
Brett - 0 likes
You must log in to post replies.What version of Elgg? I tried this with a 1.7 install and could not reproduce. Looking through the code, I don't see any way for this to succeed. The view parameter sets the viewtype, not the name of a file to be viewed.
We have Elgg1.5, PHP 5.2.6, apache 2.2.11 installed. I can reproduce the issue. It happens not only blog page, but also the following
[[Edited for content]]
pa
I have just tested with Elgg 1.7 installed, can not reproduce. It looks like the problem happens only in Elgg 1.5.
Unfortunately, our production is 1.5
I think I will report this issue to security team.
if anyone comes up with an idea, please suggest.
Thanks
pa
I have confirmed that this does not happen with 1.6 or 1.7 but does with 1.5. A good solution is to filter the viewtype in elgg_view to detect the presence of non-alphanumeric characters. As I understand it, you can expect a fix to this issue soon.
[[Edited for content]]
@pa - Security issues are to be reported to security@elgg.com! Please stop posting them to the community site.
@Brett
Report through e-mail?
Btw, I tested the link above and it broke my site. CSS was not applied. I got some parts of my custom theme mixed with some style and formatting of the default theme.
I'm using v1.7 and Firefox and IE8.
@GMA - Yes. All security reports are to be submitted by an email to security@elgg.com.