Thanks to the Mozilla Development team for identifying a security issue within MindTouch. Our engineering team has confirmed the issue and released a patch that remedies it for MindTouch versions 10.0.x and 9.12.x. If you have an earlier version of MindTouch, we urge you to update to the latest version and apply the security fix.
To apply the security fix, please follow the steps below.
```
cd /var/www/dekiwiki
wget http://developer.mindtouch.com/@api/deki/files/6961/mindtouch-update-2011-01-20.patch
patch -p0 < mindtouch-update-2011-01-20.patch
```
- Download and install GNU Patch for Windows.
- Download the patch then copy it to your MindTouch web directory: C:\Program Files\MindTouch\MindTouch\web
- Launch a command shell (Start -> Run -> cmd)
- Run the following commands:

```
cd C:\Program Files\MindTouch\MindTouch\web
"C:\Program Files\GnuWin32\bin\patch.exe" -p0 < mindtouch-update-2011-01-20.patch
cacls deki\core\deki_request.php /P Users:R
cacls deki\plugins\special_page\special_advanced_properties.php /P Users:R
```
In addition to applying the patch above, please make sure the following configuration key/value pairs are in your Advanced Configuration settings in your control panel. MindTouch ships with these values enabled by default.
| Key | Value |
|---|---|
| files/blocked-extensions | html, htm, exe, vbs, scr, reg, bat, com, xhtml |
| | htm, html, xhtml, bat, reg, sh |
| files/whitelisted-disposition-mimetypes | text/plain, text/xml, application/xml, application/pdf, application/msword, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/vnd.openxmlformats-officedocument.wordprocessingml.document, application/vnd.openxmlformats-officedocument.spreadsheetml.sheet, application/vnd.openxmlformats-officedocument.presentationml.presentation, application/vnd.oasis.opendocument.presentation, application/vnd.oasis.opendocument.spreadsheet, application/vnd.oasis.opendocument.text, application/x-shockwave-flash |
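
One way to audit an install against the two named key/value pairs above, as an added example that is not MindTouch code. It assumes the values are copied by hand from the control panel into a dict, and it infers from the key names that a blocklist is weakened by missing entries and an allowlist by extra ones.

```python
# Added example: expected values are copied from this advisory.
BLOCKED_EXTENSIONS = "html, htm, exe, vbs, scr, reg, bat, com, xhtml"
WHITELISTED_MIMETYPES = (
    "text/plain, text/xml, application/xml, application/pdf, application/msword, "
    "application/vnd.ms-excel, application/vnd.ms-powerpoint, "
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document, "
    "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet, "
    "application/vnd.openxmlformats-officedocument.presentationml.presentation, "
    "application/vnd.oasis.opendocument.presentation, "
    "application/vnd.oasis.opendocument.spreadsheet, "
    "application/vnd.oasis.opendocument.text, application/x-shockwave-flash"
)
# Assumption (from the key names): which direction of drift weakens each list.
ADVISORY = {
    "files/blocked-extensions": ("blocklist", BLOCKED_EXTENSIONS),
    "files/whitelisted-disposition-mimetypes": ("allowlist", WHITELISTED_MIMETYPES),
}


def parse_list(value):
    # Trim whitespace only; case is kept so a mistyped entry is not hidden.
    return {item.strip() for item in value.split(",") if item.strip()}


def audit(settings):
    """Return {key: findings} for every key that differs from the advisory."""
    report = {}
    for key, (kind, expected_raw) in ADVISORY.items():
        expected = parse_list(expected_raw)
        actual = parse_list(settings.get(key, ""))
        missing, extra = expected - actual, actual - expected
        weakening = missing if kind == "blocklist" else extra
        if missing or extra:
            report[key] = {"missing": sorted(missing), "extra": sorted(extra),
                           "weakened": bool(weakening)}
    return report


# Constructed sample, as if copied from one install's control panel.
SAMPLE = {
    "files/blocked-extensions": "html, htm, exe, vbs, scr, reg, bat, com",
    "files/whitelisted-disposition-mimetypes": WHITELISTED_MIMETYPES + ", text/html",
}

if __name__ == "__main__":
    for key, finding in audit(SAMPLE).items():
        print(key, finding)
```

An empty report means both settings match the advisory; a finding with `weakened` set to false differs from the advisory only in the stricter direction.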
It is imperative that you update your MindTouch installs immediately. We urge you to take a proactive approach in applying this patch, which should take no longer than ten minutes.
MindTouch places a great emphasis on the security of the platform, and will continue to improve on our release processes to diminish the likelihood of these types of issues.