One of the LifeType users reported a security problem in the RSS parser that allowed any file on your system to be read. Ick.

Oscar has fixed it and 1.1.6 will be released tomorrow.

Everyone on my server has been upgraded already and it probably isn't too critical for them, at least in the case of retrieving their MySQL password, which was the reported problem, since MySQL doesn't allow remote access, so it would have to be a customer of mine. Though I suppose since any file could have been read, it is possible that some other file could have been opened.

Actually, I just checked the server logs, and no attempts were made to get any files that had a ".." in them, so everyone should be alright. 

Posted by Jon Daley on February 13, 2007, 10:19 pm | Read 23366 times
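
The log check mentioned in the post, written out as an added example (not code from the original post or from LifeType). It goes beyond a literal search for ".." by also catching percent-encoded forms and absolute local paths; the Apache "combined" log format, the `/feed.php` endpoint, the `src` parameter and all sample lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines in Apache "combined" style; /feed.php and src are hypothetical.
SAMPLE_LOG = """\
203.0.113.5 - - [13/Feb/2007:21:40:01 -0500] "GET /index.php?page=2 HTTP/1.1" 200 5120
203.0.113.9 - - [13/Feb/2007:21:41:10 -0500] "GET /feed.php?src=../../config/settings.php HTTP/1.1" 200 812
203.0.113.9 - - [13/Feb/2007:21:41:12 -0500] "GET /feed.php?src=%2e%2e%2fconfig%2fsettings.php HTTP/1.1" 200 812
203.0.113.9 - - [13/Feb/2007:21:41:15 -0500] "GET /feed.php?src=%252e%252e%252fsettings.php HTTP/1.1" 404 210
203.0.113.9 - - [13/Feb/2007:21:41:19 -0500] "GET /feed.php?src=/var/www/config/settings.php HTTP/1.1" 200 812
198.51.100.7 - - [13/Feb/2007:21:42:00 -0500] "GET /feed.php?src=http://example.org/rss..xml HTTP/1.1" 200 9000
"""

REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so %2e%2e and %252e%252e both become '..'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def has_dotdot(value):
    """True only when '..' is a whole path segment, so 'rss..xml' is not flagged."""
    return ".." in fully_decode(value).replace("\\", "/").split("/")

def suspicious_reason(target):
    """Return why a request target looks like a local file read, or None."""
    parts = urlsplit(target)
    if has_dotdot(parts.path):
        return "dot-dot segment in path"
    for _name, value in parse_qsl(parts.query, keep_blank_values=True):
        if has_dotdot(value):
            return "dot-dot segment in parameter"
        if fully_decode(value).lower().startswith(("/", "file://")):
            return "local path in parameter"
    return None

def scan(log_text):
    """Return (line_number, reason) for every flagged request in the log text."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        match = REQUEST_RE.search(line)
        reason = suspicious_reason(match.group(1)) if match else None
        if reason:
            hits.append((number, reason))
    return hits

if __name__ == "__main__":
    for number, reason in scan(SAMPLE_LOG):
        print(f"line {number}: {reason}")
```

Access logs record only the request URL, so a path sent in a POST body would not appear in a scan like this.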
Comments

Thanks, Jon! We're in good hands with Lime Daley.

Posted by SursumCorda on February 14, 2007, 6:11 am