[pmwiki-announce] PmWiki 2.2.2 released -- AuthUser security bugfix.

Petko Yotov 5ko at 5ko.fr
Sun Jun 21 16:03:39 CDT 2009


Hello. I have released pmwiki-2.2.2 stable today, available at :

    http://www.pmwiki.org/pub/pmwiki/pmwiki-2.2.2.tgz
    http://www.pmwiki.org/pub/pmwiki/pmwiki-2.2.2.zip
     svn://www.pmwiki.org/pmwiki/tags/latest

The major news in this release is a fix for an AuthUser vulnerability, 
reported by Eemeli Aro.

The vulnerability affects only wikis that (1) rely on the AuthUser core module 
for User:Password authentication, -AND- (2) where the PHP installation runs 
with the variable "magic_quotes_gpc" disabled.

All PmWiki 2.1.x versions from pmwiki-2.1.beta6 on, all 2.2.betaX, 2.2.0, and 
2.2.1 are affected.

The PmWiki SiteAnalyzer can detect if your wiki needs to upgrade:
  http://www.pmwiki.org/wiki/PmWiki/SiteAnalyzer

If your wiki is vulnerable, you should do one of the following at the earliest 
opportunity:
* Upgrade to a version of PmWiki at least 2.2.2 or greater.
* Turn on magic_quotes_gpc in the php.ini file or in a .htaccess file.

Alternatively, you can temporarily disable AuthUser until you upgrade.

Note that even if your wiki does not have the AuthUser vulnerability at the 
moment, you are strongly encouraged to upgrade to PmWiki version 2.2.2 or 
later, as some future configuration of your hosting server might put you at 
risk.

If upgrading poses a difficulty for any site, please contact me at 5ko at 5ko.fr 
for assistance and a patch for older versions of PmWiki can be made 
available.

This release also comes with minor updates in the local documentation; fixes 
were applied for international wikis - notably global variables in 
xlpage-utf-8.php and a new variable $EnableNotifySubjectEncode, which allows 
e-mail clients to correctly display the Subject header; and a number of other 
small bugs were fixed.

Comments, questions are welcome as always.

Thanks,
Petko



More information about the pmwiki-announce mailing list