[pmwiki-users] Thumblist Security Release
Petko Yotov
5ko at 5ko.fr
Wed Mar 26 14:40:19 CDT 2008
Hello,
I've just released Thumblist 83Qb, available from:
http://www.pmwiki.org/wiki/Cookbook/ThumbList
http://galleries.accent.bg/pub/thumblist2.php.txt
http://galleries.accent.bg/pub/thumblist2-actions.php.txt
The primary purpose of this release is to close a potential security
vulnerability that could allow an attacker to consume a fair amount of server
resources (CPU, RAM, ...). No known actual exploits of this vulnerability
have been reported, but all users are urged to upgrade.
For those who are running older versions of Thumblist, the vulnerability can
be avoided by either:
* upgrading to this release, or
* disabling the recipe, or
* restricting page and gallery editing privileges to trusted individuals,
  notably by setting an edit/upload password [1] *and* restricting gallery
  creation to authenticated users in config.php:
    $HandleAuth['createthumb'] = 'edit';
Before upgrading, please read the installation instructions and the release
notes:
http://www.pmwiki.org/wiki/Cookbook/ThumbList
http://galleries.accent.bg/Thumblist2/NewInVersion2
If upgrading poses a difficulty for any site, please contact me at 5ko <snail>
5ko.fr for assistance, and a patch for older versions of Thumblist can be made
available.
Comments, questions welcome as always.
Thanks,
Petko
[1] http://www.pmwiki.org/wiki/PmWiki/PasswordsAdmin