Forum plugin 2.7.3 security fix
- Sunday, May 02 2010 @ 04:45 am EDT
- Contributed by: Dirk
- Views: 8,727
The Forum plugin 2.7.3 addresses a security issue where an XSS was possible in anonymous usernames, reported by Jaloh Smith.
To upgrade from version 2.7.2, you only need to replace 3 files:
- config.php (for the version number)
- functions.inc (for the upgrade code)
- public_html/createtopic.php (which contains the actual fix)
Then simply run the upgrade from Geeklog's Plugin admin panel.
If you don't care about the version number, you can simply replace createtopic.php. As a short-term measure, you can also disable posting for anonymous users entirely: In the Forum's admin panel, select the Settings tab and set the option "Do you need to be registered to create posts" to "Yes".