Elgg 1.8.17 and 1.7.20 have been released to address a few critical security issues. Be sure to upgrade immediately to protect your sites.
- A specially-crafted request can return the contents of sensitive files.
- A reflected XSS attack is possible against 1.8 systems.
- The cryptographic key used for various purposes may have been generated with weak entropy, particularly on Windows.
Thanks to Mike Kasper and an anonymous contributor for reporting these vulnerabilities to us privately via firstname.lastname@example.org.
1.8.17 also includes tons of other fixes:
- URLs with non-ASCII usernames again work
- Floated images are now properly cleared in content areas
- The activity page title now matches the document title
- Search again supports multiple comments on the same entity
- Group member listings are ordered by name
- Blog archive sidebar is now in reverse chronological order
- URLs with matching parens can now be auto-linked
- Log browser links for users now work
- Disabling over 50 objects should no longer result in an infinite loop
- The system_log table can now store IPv6 addresses
- Radio/checkbox inputs no longer have border radius (for IE10)
- Htmlawed was upgraded to 1.1.16
- List functions: no need to specify pagination for unlimited queries
- User picker: the Only Friends checkbox again works
- Group bookmarklet no longer shown to non-members
- Widget reordering fixed when moving across columns
- Web services auth_gettoken() now accepts email address
- Refuse to deactivate plugins needed as dependencies
Thanks to all contributors who worked on these releases:
- Brett Profitt
- Cash Costello
- Ed Lyons
- Evan Winslow
- Jeroen Dalsem
- Jerome Bakker
- Juho Jaakkola
- Matt Beckett
- Paweł Sroka
- Steve Clay
If you would like to contribute to an Elgg release, fork our repository on GitHub.