Lurker

File Release Notes and Changelog

Release Name: 2.1

Notes: This update closes three remotely exploitable security vulnerabilities in lurker. All lurker versions from 0.1a to 2.0 are affected. The initial vulnerabilities were discovered by Moritz Naumann. The specific weaknesses which have been closed include: 1. Reading any file accessible to the user executing lurker.cgi 2. (Over)writing chosen files in any writable directory called mbox 3. Stealing browser cookies from users Please update your systems.

---

Changes: lurker.cgi uses the environment to provide location information: LURKER_CONFIG over-rides the default config file LURKER_FRONTEND chooses which frontend is being rendered Updated the apache.conf and install docs to demonstrate this Escape all user controllable text which is output as xml/html Escape broken mailbox content displayed during import Localization of the reply button