[pmwiki-announce] PmWiki 2.2.96 released: Fix severe vulnerability
Petko Yotov
5ko at 5ko.fr
Wed Apr 5 04:39:04 CDT 2017
Hello. PmWiki version 2.2.96 was published today, and is available at:
http://www.pmwiki.org/pub/pmwiki/pmwiki-2.2.96.tgz
http://www.pmwiki.org/pub/pmwiki/pmwiki-2.2.96.zip
svn://www.pmwiki.org/pmwiki/tags/latest
This version fixes a severe PHP code injection vulnerability, reported
by Gabriel Margiani. PmWiki versions 2.2.56 to 2.2.95 are affected.
Only certain local customizations enable the vulnerability. Your
website may be at risk if your local configuration or recipes call
core functions such as CondAuth(), RetrievePageName() or
FmtPageName() too early, that is, before the $pagename variable is
sanitized by ResolvePageName() in stdconfig.php. A specially crafted
URL requested by a malicious visitor may then trigger the vulnerability.
Most recipes call core functions from a $HandleActions function or
from a Markup expression rule; these do not appear to be affected by
the current exploit.
If your wiki may be at risk, it is recommended to upgrade to version
2.2.96 or the most recent version at the earliest opportunity. If you
cannot upgrade immediately, you should place the following line in your
local/config.php (or farmconfig.php) file:
$pagename = preg_replace('![${}\'"\\\\]+!', '', $pagename);
Place this line near the top of the file, but after you include
scripts/xlpage-utf-8.php or another character-encoding file.
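A constructed local/config.php fragment showing where the workaround belongs (an added example, not part of the announcement or of PmWiki itself); the include path uses the usual $FarmD form, and saving the raw value under $pagename_unfiltered is an assumption for releases before 2.2.96, where the core does not set that variable:

```php
<?php
// local/config.php (constructed example for PmWiki 2.2.56 - 2.2.95,
// to bridge the time until the upgrade to 2.2.96 or later).

// 1. Character-encoding include first, as the announcement instructs.
include_once("$FarmD/scripts/xlpage-utf-8.php");

// 2. Keep the raw request value for recipes that need the old behavior.
//    2.2.96 provides this variable itself; setting it here is an
//    assumption for older releases that do not.
$pagename_unfiltered = $pagename;

// 3. Remove $ { } ' " and backslash, the exact filter from the
//    announcement. This must run before any customization or recipe
//    calls CondAuth(), RetrievePageName() or FmtPageName().
$pagename = preg_replace('![${}\'"\\\\]+!', '', $pagename);

// 4. Only after the filter is it safe to load recipes or settings that
//    touch the page name early, e.g.:
// include_once("$FarmD/cookbook/early-recipe.php"); // hypothetical name
```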
This version filters the $pagename variable to remove certain
characters. A new variable $pagename_unfiltered is added in case a
recipe requires the previous behavior. The documentation was updated.
Thanks,
Petko
--
Change log : http://www.pmwiki.org/wiki/PmWiki/ChangeLog
Release notes : http://www.pmwiki.org/wiki/PmWiki/ReleaseNotes
If you upgrade : http://www.pmwiki.org/wiki/PmWiki/Upgrades