[Lurker-users] Lurker 2.1 released; closes serious security …

Top Page
This message is part of the following thread:
Mthe complete thread tree sorted by date
M 
Federico Sevilla III at ->
Author: Wesley W. Terpstra
Date:  
To: lurker-users Users
Subject: [Lurker-users] Lurker 2.1 released; closes serious security flaws
Attachments:
Message as email
+ (text/plain)
+ PGP.sig (application/pgp-signature)
Delete this message
Reply to this message
gpg: Signature made Mon Mar 6 11:32:49 2006 CET using DSA key ID 718A9256
gpg: BAD signature from "Wesley W. Terpstra <wesley@terpstra.ca>"
This update closes three remotely exploitable security
vulnerabilities in lurker. All lurker versions from 0.1a to 2.0 are
affected. The initial vulnerabilities were discovered by Moritz Naumann.

The specific weaknesses which have been closed include:
1. Reading any file accessible to the user executing lurker.cgi
2. (Over)writing chosen files in any writable directory called mbox
3. Stealing users' browser cookies via cross-site scripting

An updated version of the source package is now available on
sourceforge:
http://prdownloads.sourceforge.net/lurker/lurker-2.1.tar.gz?download
Fixed debian packages from Jonas Meurer are available at:
http://terpstra.ca/lurker-security/
All previous versions have been removed from the sourceforge website.

In approximately two weeks from now, there will be a full
vulnerability disclosure, including example exploit URLs.

Please update your systems.
This message was posted to the following mailing lists:
Lurker users
Mailing List Info | Nearby Messages		<-Re: [Lurker-users] no new year 2006 in jump-date?Re: [Lurker-users] Lurker 2.1 released; closes serious security flaws->
Terpstra Town Email Archives administrated by Wesley W. TerpstraLurker (version 2.2)