Welcome to Geeklog Thursday, June 22 2017 @ 11:32 pm EDT

Forum plugin 2.7.3 security fix

  • Contributed by:
  • Views: 5,796
Security

The Forum plugin 2.7.3 addresses a security issue where an XSS was possible in anonymous usernames, reported by Jaloh Smith.

To upgrade from version 2.7.2, you only need to replace 3 files:

  • config.php (for the version number)
  • functions.inc (for the upgrade code)
  • public_html/createtopic.php (which contains the actual fix)

Then simply run the upgrade from Geeklog's Plugin admin panel.

If you don't care about the version number, you can simply replace createtopic.php. As a short-term measure, you can also disable posting for anonymous users entirely: In the Forum's admin panel, select the Settings tab and set the option "Do you need to be registered to create posts" to "Yes".