Monday, June 14, 2010

PHP-Calendar 2.0 Beta8 is out

There's not really much to talk about here in the way of features: a couple of new translations (Danish and Chinese), not too many bug fixes, and no DB changes. The big changes here are all security related: I added a check to protect against CSRF and fixed a few XSS issues and an SQL injection or two. Thanks to Teemu Vesala at Qentinel and the folks at Skipfish for helping find them. The update scripts from the 1.x series have been removed, as they were another attack vector.

There was a published vulnerability about the update scripts that I was never notified about. I'm pretty disappointed about how they handled that situation. The security advisory. Despite the fact that the bulletin says I was notified and the rep from isecauditors.com said he notified me, I was not notified. If you're using an older version of PHP-Calendar, mainly version 1.1, please delete the update08.php and update10.php files.

VUPEN released an advisory for the security issues fixed in 2.0-beta7. Anyone on an earlier beta should upgrade to 2.0-beta8.

3 comments:

  1. I have an update question. I noticed in the previous beta (6) there was an update11.php file to be able to update to that version. There doesn't seem to be an update php file in beta8. How would one go about updating from beta6 to beta8? Sorry for the dumb question. :-)

  2. The update files were for the stable branch. Thus far I haven't made any update scripts for the 2.0 betas. To update from beta6 to beta8, back up your original files and data, extract the new beta to a new location, copy the config.php from the old location, remove the install directory, and you're basically done. Remove the old version and move over the new version. Beta6 onward haven't had DB changes. I think the next beta will still have the same format, but I do have a few changes to make before the final version. I'll try to come up with some kind of updater for that release.

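The manual upgrade steps from the reply above, plus the post's advice to delete the legacy update scripts, as an added shell example (not PHP-Calendar's own code): the function names, the directory arguments and the `update*.php` pattern are assumptions, and the check only confirms that the resulting tree has a config.php and no installer or updater files left.

```shell
#!/bin/sh
# Added example: stage a PHP-Calendar 2.0 beta upgrade as described in the
# comment (back up, carry over config.php, drop the install directory) and
# also remove any legacy update*.php scripts, which the post calls an attack
# vector. Directory names are arguments; nothing here is the project's code.
set -eu

# upgrade_phpcalendar OLD NEW BACKUP
#   OLD    : web root of the currently installed calendar
#   NEW    : the new beta, already extracted somewhere outside the web root
#   BACKUP : where the old tree is moved before NEW takes its place
upgrade_phpcalendar() {
    old=$1; new=$2; backup=$3
    [ -f "$old/config.php" ] || { echo "no config.php in $old" >&2; return 1; }
    [ -d "$new" ] || { echo "new release dir $new is missing" >&2; return 1; }
    # Keep only the site configuration; everything else comes from the new beta.
    cp "$old/config.php" "$new/config.php"
    # The installer must not stay reachable once the site is configured.
    rm -rf "$new/install"
    # Legacy 1.x updaters (update08.php, update10.php, ...) must not ship or linger.
    for f in "$new"/update*.php; do
        [ -e "$f" ] && rm -f "$f"
    done
    # Swap: the old tree becomes the backup, the prepared tree becomes the web root.
    mv "$old" "$backup"
    mv "$new" "$old"
}

# check_tree DIR -> 0 if DIR has config.php and no installer or updater left.
check_tree() {
    dir=$1
    [ -f "$dir/config.php" ] || return 1
    [ ! -e "$dir/install" ] || return 1
    for f in "$dir"/update*.php; do
        [ -e "$f" ] && return 1
    done
    return 0
}
```

Run `check_tree` against a live web root before and after the swap; an `install` directory or any `update*.php` still present means the attack surface the post describes is still exposed.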