Security update for Freetag Plugin
Thanks to Niels Provos we have been informed of a security issue in the Serendipity Freetag plugin (serendipity_event_freetag). Versions up to 3.08 contained a bug: a GET variable used in an SQL statement was not properly escaped, allowing a possible SQL injection attack.
The impact of this is considered to be low, as the query is used only for displaying meta keywords inside a blog entry, and the usual MySQL client libraries do not allow executing multiple stacked SQL queries (to drop tables, etc.).
Nevertheless, you should upgrade to the new plugin version. It is available via Spartacus or for manual download.
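The defect described above is the classic "request parameter pasted into SQL text" pattern. The following is an added example, not code from the Freetag plugin or the Serendipity project: it models a tag lookup with Python and an in-memory SQLite table (the table name `entrytags` and its columns are constructed stand-ins) to show the vulnerable pattern beside the parameterized fix, and why a driver that refuses stacked statements limits, but does not remove, the impact.

```python
import sqlite3

# Constructed sample data standing in for the plugin's entry/tag mapping.
SAMPLE_TAGS = [
    (1, "php"),
    (1, "security"),
    (2, "serendipity"),
    (3, "private"),
]


def make_db():
    """Build a throwaway in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE entrytags (entryid INTEGER, tag TEXT)")
    conn.executemany("INSERT INTO entrytags VALUES (?, ?)", SAMPLE_TAGS)
    return conn


def entries_for_tag_unsafe(conn, tag):
    """Vulnerable pattern: the request value becomes part of the SQL text.

    Anything the caller supplies (e.g. a value taken straight from a GET
    parameter) can change the meaning of the WHERE clause.
    """
    sql = "SELECT entryid FROM entrytags WHERE tag = '" + tag + "' ORDER BY entryid"
    return [row[0] for row in conn.execute(sql)]


def entries_for_tag_safe(conn, tag):
    """Fixed pattern: the value is bound as a parameter, never parsed as SQL."""
    sql = "SELECT entryid FROM entrytags WHERE tag = ? ORDER BY entryid"
    return [row[0] for row in conn.execute(sql, (tag,))]


def stacked_query_rejected(conn, tag):
    """Return True if the driver refuses a second statement appended to the first.

    This mirrors the advisory's point that common client libraries will not
    run stacked queries; it is a mitigation of impact, not a fix for the
    injection itself.  Older Python versions raise sqlite3.Warning here,
    newer ones sqlite3.ProgrammingError, so both are caught.
    """
    try:
        entries_for_tag_unsafe(conn, tag)
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        return True
    return False


def row_count(conn):
    """Number of rows still present, used to confirm the table survived."""
    return conn.execute("SELECT count(*) FROM entrytags").fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # tautology probe used to verify the fix
    print("unsafe, normal input:", entries_for_tag_unsafe(db, "php"))
    print("unsafe, probe input: ", entries_for_tag_unsafe(db, probe))
    print("safe,   probe input: ", entries_for_tag_safe(db, probe))
    print("stacked statement rejected:",
          stacked_query_rejected(db, "x'; DROP TABLE entrytags; --"))
```

With the tautology probe the unsafe lookup returns every entry, including ones the caller should never see, while the parameterized version returns nothing; that is the exact class of leak the advisory rates as low impact because the query only feeds meta keywords. The stacked-statement check shows the driver-level guard the advisory relies on, which is why the recommended fix is still to upgrade and bind parameters rather than to trust that guard.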
Trackbacks
- No trackbacks
Comments
Marc:
Thanks for that info, I wondered about it already!
ameno:
Would be nice to have a security mailing list for such things.
Garvin:
You can all subscribe to the "Security" category's RSS feed!
There are also services that send you RSS feeds via mail, if you prefer that over an RSS client.
Markus:
Just installed it on the test server for the relaunch of our blog - up to now everything works perfectly fine. Keep the fingers crossed!