Serious XSS vulnerability (in v.0.94)
Posted: Thu Oct 25, 2007 11:25 am
by Avram
(REMOVED BY KLEMEN)
Nemanja, thanks for bringing this to my attention. I removed your post from here to avoid any misuse. This indeed seems to be an issue if the server is not configured to force MIME headers properly; will have a look at it ASAP and post the results.
Regards,
Klemen
Posted: Thu Oct 25, 2007 11:04 pm
by Klemen
This issue has been fixed. I strongly recommend anyone using Hesk 0.94 to update to 0.94.1. You can get it from here:
http://www.phpjunkyard.com/free-helpdesk-software.php
Update is quick and easy and you won't lose any current settings/tickets.
Posted: Fri Oct 26, 2007 7:25 pm
by Avram
Thanks for the quick reaction, will update ASAP.

Posted: Mon Oct 29, 2007 9:58 am
by Triblade
But I do lose my custom header.txt for example.

Be careful what you overwrite. (Luckily I saw it before overwriting.)
Posted: Mon Oct 29, 2007 7:32 pm
by Klemen
If you are upgrading from 0.94 you shouldn't lose the header.txt if you follow the readme instructions.

Posted: Mon Oct 29, 2007 9:58 pm
by DigiMon
Thank you for the patch Klemen! The upgrade instructions in the readme file made it simple for me to upgrade without losing my customized Hesk. It literally took less than 5 minutes... awesome~!
Posted: Mon Oct 29, 2007 10:19 pm
by DigiMon
Just FYI, I discovered a couple things that the upgrade did "break", but they were customizations to fields contained tickets that we talked about in the following posts (where you gave me the instructions):
viewtopic.php?p=5914&highlight=#5896
viewtopic.php?p=5914&highlight=#5909
Going to try to re-apply them shortly and see if they work again.
EDIT - applied the instructions again, works fine, you rock!

Posted: Mon Oct 29, 2007 10:23 pm
by Klemen
Yeah, didn't include any other edits or anything with this release, just the patch. Fixes should still work, just line numbers can be different.
I will probably release a bigger update with new functionality in the next few months.