
Sep 02nd, by Brett Profitt

    Elgg 1.7.3 and 1.6.3 security releases

Georg-Christian Pranschke of SensePost discovered a vulnerability in Elgg that could allow SQL injection through crafted URL parameters or POST bodies. Versions 1.7.3 and 1.6.3 correct this and are strongly recommended for all Elgg users. Download 1.7.3 or 1.6.3 and upgrade now.
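The advisory does not publish the details of the affected Elgg code path, so the following is an added, generic illustration of the vulnerability class it names, not Elgg's own PHP code and not the actual flaw. It shows what happens when a URL-decoded request parameter is concatenated into SQL versus bound as a query parameter. The table, the rows, the `username` parameter name, the two crafted query strings and the function names are all constructed for this example; SQLite stands in for MySQL.

```python
import sqlite3
from urllib.parse import parse_qs


def make_db():
    """Build a throwaway in-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (guid INTEGER PRIMARY KEY, username TEXT, banned INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", 0), (2, "bob", 0), (3, "mallory", 1)],
    )
    return conn


def username_from_query_string(qs):
    """Decode the 'username' parameter the way a web stack hands it to application code.

    URL decoding happens here, so %27 reaches the SQL layer as a literal quote
    and '+' as a space: the attacker controls the raw characters, not an encoded form.
    """
    return parse_qs(qs).get("username", [""])[0]


def lookup_vulnerable(conn, username):
    """Interpolate the request value straight into the SQL text (the bug class)."""
    sql = "SELECT guid, username FROM users WHERE username = '%s' AND banned = 0" % username
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, username):
    """Bind the value as a parameter; the driver never lets it become SQL syntax."""
    sql = "SELECT guid, username FROM users WHERE username = ? AND banned = 0"
    return conn.execute(sql, (username,)).fetchall()


# Constructed crafted inputs as they would appear in a request query string.
CRAFTED_OR = "username=x%27+OR+1%3D1+--"      # decodes to: x' OR 1=1 --   (returns every row)
CRAFTED_COMMENT = "username=mallory%27+--"     # decodes to: mallory' --    (comments out the banned check)


if __name__ == "__main__":
    db = make_db()
    for qs in (CRAFTED_OR, CRAFTED_COMMENT, "username=alice"):
        value = username_from_query_string(qs)
        print(repr(value))
        print("  vulnerable:", lookup_vulnerable(db, value))
        print("  hardened:  ", lookup_hardened(db, value))
```

The first payload turns the `WHERE` clause into `username = 'x' OR 1=1 --...`, so the interpolated query returns every user; the second closes the string after `mallory` and comments out the `banned = 0` condition, so a banned account is returned. The bound-parameter version treats both payloads as plain usernames that match nothing. Note that `sqlite3.execute()` refuses stacked statements, so a `'; DROP TABLE ...` style payload would raise here even in the vulnerable function; the same is true of PHP's `mysql_query()`, which is why the OR and comment forms are the ones that matter in practice.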

    1.7.3 also includes additional bugfixes for problems found in 1.7.2:

    • Entering an invalid captcha now forwards to the referring page instead of the front page.
    • "Edit details" and "Edit profile icon" only appear on a user's own profile.
    • get_objects_in_group() works correctly.
    • Legacy wrapper functions correctly support multiple owner GUIDs.

    To maintain the security of your network and its users, all Elgg installations should be upgraded immediately. Thank you very much to Georg-Christian, who followed our security policy and worked with us to get a fix out quickly.