XOOPS 2.2.2 and are released

Date 2005/8/15 21:30:00 | Topic: XOOPS

We were recently made aware of a potential problem with certain XOOPS files disclosing physical server paths when accessed directly from a browser.

This problem exists in both XOOPS 2.0.13 (and previous versions) and XOOPS 2.2.x. We have therefore fixed it in the core files for new releases in both the 2.0.x and 2.2.x branches, and recommend that all 2.0.13 (and previous versions) users update their installations to and that all XOOPS 2.2 and 2.2.1 users update to version 2.2.2 at their earliest convenience.
Please note that some module files are changed in and if you use newer versions of these modules, do not overwrite your existing module files with the files in this package.

A similar problem can come from module files. We therefore encourage all module developers to look through their files that are meant to be included in other files, and that can therefore disclose physical server paths when accessed directly, and to place this code snippet at the top of the files in question:


// Stop if this file is requested directly instead of being included by XOOPS
if (!defined("XOOPS_ROOT_PATH")) {
    die("XOOPS root path not defined");
}
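
To support the review asked of module developers above, here is an added example (not part of the original announcement and not XOOPS code): a Python script that lists the PHP files in a module directory that do not begin with the guard. It assumes that any script which itself includes mainfile.php is an entry point and needs no guard; the sample files and the `demo_list` function are constructed for illustration.

```python
import re
import sys
from pathlib import Path

# The guard from the announcement: the constant check followed by die/exit.
GUARD = re.compile(
    r"""if\s*\(\s*!\s*defined\s*\(\s*['"]XOOPS_ROOT_PATH['"]\s*\)\s*\)\s*\{?\s*(die|exit)\b""",
    re.I)
# Assumption: a script that loads mainfile.php itself is an entry point, not an include.
ENTRY = re.compile(r"\b(include|require)(_once)?\b[^;]*mainfile\.php", re.I)
# Opening tag and comments that may legitimately precede the guard.
SKIP = re.compile(r"\s*(<\?php|<\?|//[^\n]*|#[^\n]*|/\*.*?\*/)", re.S)

def first_statement(source):
    """Strip the leading open tag, whitespace and comments from PHP source."""
    pos = 0
    while (m := SKIP.match(source, pos)):
        pos = m.end()
    return source[pos:].lstrip()

def classify(source):
    """Return 'guarded', 'entry' or 'unguarded' for one PHP file's source."""
    if GUARD.match(first_statement(source)):
        return "guarded"
    return "entry" if ENTRY.search(source) else "unguarded"

def audit(module_dir):
    """Relative paths of .php files under module_dir that still need the guard."""
    root = Path(module_dir)
    return sorted(str(p.relative_to(root)) for p in root.rglob("*.php")
                  if classify(p.read_text(errors="replace")) == "unguarded")

# Constructed sample files (hypothetical module, not taken from XOOPS).
SAMPLES = {
    "include/functions.php": "<?php\nfunction demo_list() { return array(); }\n",
    "blocks/recent.php": '<?php\n// block code\nif (!defined("XOOPS_ROOT_PATH")) {\n'
                         '    die("XOOPS root path not defined");\n}\n',
    "index.php": '<?php\ninclude "../../mainfile.php";\n',
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print("\n".join(audit(sys.argv[1])))
    else:
        for name, src in SAMPLES.items():
            print(f"{name}: {classify(src)}")
```

Run it with a module directory as the only argument to list the files that still need the guard; without arguments it classifies the constructed samples.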


Upgrade Instructions
Upload files inside the html folder from the appropriate upgrade patch to the webserver - that's it.

Download XOOPS
XOOPS full (stable)

XOOPS 2.0.13 to patch

XOOPS 2.0.12a to patch
.zip | tarball
XOOPS 2.0.10 to patch (use this to update 2.0.10, 2.0.11 and 2.0.12)
.zip | tarball

Download XOOPS 2.2.2:
(Known stability and compatibility problems with some modules)

XOOPS 2.2.2 full (YMMV)

XOOPS 2.2.1 to 2.2.2 patch

Changelog from XOOPS 2.0.13 to
2005/08/15: Version
- SECURITY: Fixed several path disclosure issues (Mithrandir/ajaxbr+Dave_l)

Changelog from XOOPS 2.2.1 to 2.2.2:
2005/08/15: Version 2.2.2
- SECURITY: Fixed several path disclosure issues (Mithrandir/ajaxbr+Dave_l)
- Fixed bug #1253433 - Outbox to-link wrong (Mithrandir/Dave_l)
- Fixed bug #1256352 - insertConfigCategories (Mithrandir/Pnooka)
- Fixed bug #1255004 - malformed uri in class/theme.php (Mithrandir/Frankblack)
- Fixed bug #1252898 - SMTP, SMTPAuth Fsockopen error (Mithrandir/fatalsaint)
- Fixed wrong call to loginUser() with uname instead of loginname (Mithrandir/ef11cornell)
- Fixed bug #1249880 - Change Email function can't be disabled (Mithrandir/Dave_l)
- Added "font styles" to language files in xoopseditor/koivi (phppp)
- Added empty $text check for encoding conversion in languages/english/local.php (phppp)
- Removed language files other than English (phppp)

This article comes from XOOPS Web Application System
