XOOPS Web Application System (https://xoops.org)

XOOPS 2.0.7 release pulled back

Category : Release Status | Published by Herko on 15-Jun-2004 06:26
Some of you may have noticed that earlier today we released the new bugfix release of the XOOPS 2.0 system: 2.0.7. We had to pull back that release due to the discovery of a very difficult but dangerous security bug in the system. The 2.0.7 release tries to fix this, but the fix itself breaks some XOOPS installs.
This security vulnerability is dangerous when the XOOPS install is in a shared hosting environment with PHP safe_mode off, where it allows the content of mainfile.php to be read. This vulnerability is still present in XOOPS 2.0, but Skalpa has been up all night to fix this. The XOOPS Core Development Team will release a fixed version of 2.0.7 soon, including an updater for mainfile.php.

Also, I'd like to point out that this issue isn't unique to XOOPS; it applies to most PHP CMSs.