One of the LifeType users reported a security problem in the RSS parser that allowed any file on your system to be read. ick.
Oscar has fixed it and 1.1.6 will be released tomorrow.
Everyone on my server has been upgraded already and it probably isn't too critical for them, at least in the case of retrieving their mysql password, which was the reported problem, since mysql doesn't allow remote access, so it would have to be a customer of mine. Though I suppose since any file could have been read, it is possible that some other file could have been opened.
Actually, I just checked the server logs, and no attempts were made to get any files that had a ".." in them, so everyone should be alright.
Posted by
Jon Daley on
February 13, 2007, 10:19 pm
| Read 24090 times
|
Comments
(1)
Category
Programming:
[
first]
[
previous]
[
next]
[
newest]
Reviews:
[
first]
[
previous]
[
next]
[
newest]