Hello,
An anonymous person (called "r0ut3r") sent me a patch to fix a
security vulnerability. I'd like to thank him for sending me a private
email before releasing the advisory.
Explanation of the problem:
If you have "register_globals" ON (it is an unsafe way of running PHP,
see http://php.net/register_globals ), a remote attacker could write a
script that allows him to include a remote file.
This problem has been found in render.php (inside /design/).
This problem was fixed 20 minutes after I became aware of it.
It is available in SVN, and a new version will be released
later today on Thinkedit.org.
I plan to do a complete security audit of Thinkedit for the 2.0 release.
If anyone wants more information about this kind of problem, let me know.
--
Philippe Jadin
Thinkedit, a flexible data and content management system:
http://www.thinkedit.org
_______________________________________________
Thinkedit.org, a simple yet powerful CMS
Thinkedit-user mailing list
Thinkedit-user@...
https://lists.berlios.de/mailman/listinfo/thinkedit-user
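
For readers auditing their own PHP code for the class of problem described in the message above, here is an added example (not part of the original email and not Thinkedit's code). It flags include/require statements whose argument uses a variable that is never assigned earlier in the same file, which is the pattern register_globals lets a request parameter fill in. The PHP samples and the variable name `design_path` are constructed for illustration, and the check is a single-file regex heuristic, not a PHP parser.

```python
import re

# Constructed PHP samples (hypothetical; not the real render.php).
VULNERABLE = '''<?php
// $design_path is never assigned in this file; with register_globals
// enabled, a request parameter of the same name supplies its value.
include($design_path . "/header.php");
'''

HARDENED = '''<?php
$design_path = dirname(__FILE__);
include($design_path . "/header.php");
'''

# PHP comments (//, #, /* */), removed before scanning.
COMMENT_RE = re.compile(r"//[^\n]*|#[^\n]*|/\*.*?\*/", re.S)
# include / require / include_once / require_once and their argument.
INCLUDE_RE = re.compile(r"\b(?:include|require)(?:_once)?\b\s*\(?([^;]*);")
VAR_RE = re.compile(r"\$([A-Za-z_]\w*)")


def find_unset_includes(php_source):
    """Return (line, variable) pairs for include/require arguments that
    use a variable with no earlier assignment in the same file."""
    # Replace comments with the newlines they contained so that line
    # numbers still refer to the original file.
    src = COMMENT_RE.sub(lambda m: "\n" * m.group().count("\n"), php_source)
    findings = []
    for inc in INCLUDE_RE.finditer(src):
        line = src.count("\n", 0, inc.start()) + 1
        for name in VAR_RE.findall(inc.group(1)):
            # "=" followed by "=" or ">" is a comparison or array arrow,
            # not an assignment.
            assign = re.compile(r"\$" + name + r"\s*=(?![=>])")
            if not assign.search(src[:inc.start()]):
                findings.append((line, name))
    return findings


if __name__ == "__main__":
    for label, code in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(label, find_unset_includes(code))
```

A finding is a lead for manual review: a variable may be set in another file that is always loaded first, which this single-file check cannot see.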