Security releases for Zoph

01 Jul 2010 by jeroen

I was contacted by VUPEN Security to report several Cross Site Scripting (XSS) issues in Zoph. While working on fixes for those, I found a few more myself too.

All these issues are only exploitable by logged-in users, most of them only by admin users; some may, however, be exploited by tricking you into opening a link to your Zoph installation. I am therefore classifying this as a MEDIUM risk. I encourage all users to upgrade to one of the two new releases that fix these issues:
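The "tricking you into opening a link" case is the reflected form of XSS: a page echoes part of the request back into its HTML without encoding, so a crafted link runs script in the browser of whoever opens it, with that user's session. The following is an added illustration of that bug class and its standard fix, not code from Zoph; the parameter name `search` and the sample value are constructed for the example.

```php
<?php
// Added example, not Zoph's own code. Shows why a request parameter must be
// encoded before it is placed into HTML, and what the encoded output looks like.

// Encode a string for safe inclusion in HTML text or attribute values.
// ENT_QUOTES also encodes single quotes, so the result is safe inside
// attributes delimited with either quote character.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample input standing in for a query parameter such as $_GET['search'].
$search = '<script>alert(1)</script>';

// Vulnerable pattern: the parameter is reflected into the page as-is, so the
// browser parses the injected tag as markup and executes it.
$unsafe = '<p>Results for: ' . $search . '</p>';

// Fixed pattern: the same parameter is encoded on output, so the browser
// renders it as literal text and no script runs.
$safe = '<p>Results for: ' . h($search) . '</p>';

header('Content-Type: text/html; charset=UTF-8');
echo $safe, "\n";
```

Encoding belongs at the point of output, applied to every value that did not originate in the code itself (request parameters, database fields, file names), regardless of whether the page is reachable only by admins; an admin's session is exactly what a reflected link targets.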

Users who are running the v0.8 release or one of the bugfix releases for that version (v0.8.0.1 or v0.8.0.2) are recommended to upgrade to v0.8.0.3 as soon as possible. This release also fixes a few other bugs found in v0.8.0.2.

For users who are running the unstable v0.8.1 release, I have created the v0.8.1.1 release.

I have made a great many changes to the Zoph source code to achieve this. I have tested everything I could think of, but since so many changes were made in many different parts of the code, I have, without doubt, left a few bugs. If you happen to run into one, please report a bug.