Main Stories
Slash Boxes

Slash Open Source Project

Slashcode Log In

Log In

[ Create a new account ]

Slash 2.2.5 Released

posted by pudge on 11:52 AM February 7th, 2002   Printer-friendly   Email story
Slash 2.2.5 is released. It is strongly recommended that you upgrade from version 2.2.0 through 2.2.4. This release fixes a cross-site scripting vulnerability which could be used to obtain passwords or other private information from both users and admins.

Download it via HTTP or FTP, and read the README and changelog.

To upgrade from 2.2.x, unpack the 2.2.5 tarball and "make install," then restart Apache and the slashd daemon.

Upgrading from 2.2.2 also entails some extremely minor SQL changes; from 2.2.1 you must update the template header;misc;default; from 2.2.0 also update the template displayForm;submit;default; from 2.2.4, update the template messages;users;default.

Earlier versions of Slash are also affected; if you are running 1.0.x or 2.0.x and are unable to upgrade to 2.2.5, read on for patches.

Here is the patch for Slash 1.0.x:

---       Thu Feb  7 10:23:29 2002
+++    Thu Feb  7 10:09:40 2002
@@ -149,6 +149,7 @@
        # special few
        my %special = (
                sid => sub { $_[0] =~ s|[^A-Za-z0-9/.]||g },
+               formkey => sub { $_[0] =~ s|[^A-Za-z0-9]||g },

        for ($I{query}->param) {

And here is the patch for Slash 2.0.x:

diff -U3 -r1.10
--- Slash/Utility/    2001/05/07 17:59:57     1.10
+++ Slash/Utility/    2002/02/07 15:39:15
@@ -2531,6 +2531,7 @@
        # special few
        my %special = (
                sid => sub { $_[0] =~ s|[^A-Za-z0-9/._]||g },
+               formkey => sub { $_[0] =~ s|[^A-Za-z0-9]||g },
        # qid is same as sid
        $special{qid} = $special{sid};

This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
More | Login
Loading... please wait.
  • I must admit, I was apprehensious at first about upgrading since I had a lot of problems getting it installed in the first place. So I spend a few minutes backing everything up first, typed 'make; make install', and crossed my fingers as I hit ENTER. But alas, it worked fine. :) Now the only question I have is - how can I be sure I actually installed it? With my luck, I didn't do a darn thing. ;/
    • Look the the file (for ancient versions of slash it'd be that's been installed on your box. Check the version #. That'd tell you if it's been updated or not.

      lottadot []