Author Archive
Security Vulnerability
Recently, a Local/Remote file inclusion vulnerability was reported against MindTouch 10.1.3. Though the report looks ominous, this vulnerability is only exploitable when PHP is explicitly configured to operate in an insecure manner.
The PHP setting that makes this vulnerability exploitable is register_globals = On. When register_globals is set to On, input from the client (query string parameters and cookies) is assigned directly to PHP variables, which can cause unexpected and very unsafe results.
Because register_globals = On is such a high security risk, the setting has defaulted to "Off" since PHP version 4.2.0, was deprecated in PHP 5.3.0, and was removed entirely in PHP 5.4.0.
MindTouch has never recommended that the setting be turned on, nor shipped a product with register_globals = On.
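As an added illustration (not MindTouch's code, and not the code from the report), the snippet below shows the general pattern that register_globals makes dangerous, next to a hardened replacement that fails closed if the directive is on and never lets request input reach a filesystem path. The variable name `$page`, the `templates/` directory and the allow-list of template names are assumptions.

```php
<?php
// Added example, not MindTouch code. The variable name $page, the templates/
// directory and the allow-list of template names are assumptions.

// --- Vulnerable pattern (exploitable only with register_globals = On) ------
// $page is never initialised before use. With register_globals = Off it is
// undefined and the include fails harmlessly; with register_globals = On, PHP
// fills it from the query string or a cookie before this line runs, so the
// client chooses which file is included.
//
//     include 'templates/' . $page . '.php';

// --- Hardened pattern ----------------------------------------------------
// 1. Fail closed if the insecure directive is active. On PHP >= 5.4 the
//    directive no longer exists and ini_get() returns false, which is fine.
if (filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN)) {
    header('HTTP/1.1 500 Internal Server Error');
    exit('Refusing to run with register_globals = On');
}

// 2. Read input explicitly from the request and accept only known names,
//    so no request value ever becomes part of a filesystem path.
function select_template(array $query, array $allowed)
{
    $page = isset($query['page']) ? (string) $query['page'] : 'home';
    if (!in_array($page, $allowed, true)) {
        $page = 'home'; // unknown names fall back instead of reaching the disk
    }
    return 'templates/' . $page . '.php';
}

$allowed = array('home', 'about', 'contact'); // assumed template names
$template = select_template($_GET, $allowed);
if (is_file($template)) {
    include $template;
}
```

The startup check is the quickest operational safeguard for deployments still on PHP 5.3 or earlier: it turns a silent misconfiguration into a visible error instead of a file-inclusion hole. The allow-list is what makes the code safe regardless of the directive, because the request value is compared against known names rather than concatenated into a path.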
MindTouch 10.0.7 Released & Ready for Download
MindTouch version 10.0.7 is the latest stabilization release for the Olympic family of products (MindTouch TCS v10, MindTouch Platform v10, MindTouch Core v10). This release contains a critical security fix so we highly recommend that you upgrade to 10.0.7 to take advantage of this and the following fixes:
Bug
- MT-8716 — Syntax highlighter does not parse correctly
- MT-8917 — DEFECT: extension dialog does not properly process @default attribute on extensions
- MT-8962 — DEFECT: Images not rendering after draft is published
- MT-9134 — Unable to Rename Username to Previously Used Username
- MT-9436 — Cannot edit and save files from MindTouch via IE/win7
- MT-9486 — "Insert" dropdown grays out after selecting an item.
- MT-9491 — Unlinking part of link removes entire link
- MT-9530 — External authentication fails when username contains a space
- MT-9535 — User profile search does not return data in 2010
- MT-9542 — MindTouch error on MySQL 5.5.x
- MT-9580 — DEFECT: Special:UserLogin throws undefined method if either username or pw is blank (does not use default auth ID)
- MT-9589 — User pages created through Special:UserRegistration are created as the Anonymous user.
- MT-9631 — Recent Change entry for user homepage creation
Feature
- MT-9346 — CKeditor block level style highlighting
- MT-9399 — Page Subscriptions: Get users subscribed to a resource, subscribe user to resource
MindTouch 10.0.5 Released & Ready for Download
MindTouch version 10.0.5 is the latest stabilization release for the Olympic family of products (MindTouch Technical Communication Suite v10, MindTouch Platform v10, MindTouch Core v10). We highly recommend you upgrade to 10.0.5 to benefit from the fixes addressed in this release:
Bug
- MT-8619 — DekiAPI extension not working correctly on HTTPS sites
- MT-8754 — Double curlies inside script-jem blocks are not parsed as DekiScript
- MT-8840 — DEFECT: Superuser password mysql field isn't set to password
- MT-8982 — Webkit: tabbing to create a new table row jumps cursor into the weeds.
- MT-9203 — OpenSearch is missing resource keys
- MT-9332 — File Reservation plugin "Page not Found" error
- MT-9486 — "Insert" dropdown grays out after selecting an item.
- MT-9491 — Unlinking part of link removes entire link
The 10.0.5 release is available via updateWiki.sh (for VM users), or can be downloaded as a source tarball, RPM, DEB, or MSI from the MindTouch downloads page.
Security Update 2011-01-20
Thanks to the Mozilla Development team for identifying a security issue within MindTouch. Our engineering team has confirmed the issue and released a patch to remedy this issue for MindTouch versions 10.0.x and 9.12.x. If you have an earlier version of MindTouch we urge you to update to the latest version and apply the security fix.
To apply the security fix, please follow the steps below.
Linux
```
cd /var/www/dekiwiki
wget http://developer.mindtouch.com/@api/deki/files/6961/mindtouch-update-2011-01-20.patch
patch -p0 < mindtouch-update-2011-01-20.patch
```
Windows
- Download and install GNU Patch for Windows.
- Download the patch then copy it to your MindTouch web directory: C:\Program Files\MindTouch\MindTouch\web
- Launch a command shell (Start -> Run -> cmd)
- Run the following commands
```
cd C:\Program Files\MindTouch\MindTouch\web
"C:\Program Files\GnuWin32\bin\patch.exe" -p0 < mindtouch-update-2011-01-20.patch
cacls deki\core\deki_request.php /P Users:R
cacls deki\plugins\special_page\special_advanced_properties.php /P Users:R
```
Configuration Changes
In addition to applying the patch above, please make sure the following configuration key/value pairs are in your Advanced Configuration settings in your control panel. MindTouch ships with these values enabled by default.
| Key | Value |
| --- | --- |
| files/blocked-extensions | html, htm, exe, vbs, scr, reg, bat, com, xhtml |
| files/force-text-extensions | htm, html, xhtml, bat, reg, sh |
| files/whitelisted-disposition-mimetypes | text/plain, text/xml, application/xml, application/pdf, application/msword, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/vnd.openxmlformats-officedocument.wordprocessingml.document, application/vnd.openxmlformats-officedocument.spreadsheetml.sheet, application/vnd.openxmlformats-officedocument.presentationml.presentation, application/vnd.oasis.opendocument.presentation, application/vnd.oasis.opendocument.spreadsheet, application/vnd.oasis.opendocument.text, application/x-shockwave-flash |
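To make the effect of these three settings concrete, here is an added example (not MindTouch's own file-handling code) of how an upload and download handler could enforce them: blocked extensions are rejected at upload time, force-text extensions are always served as text/plain so a browser will not render them, and only whitelisted MIME types may be displayed inline while everything else is sent as an attachment. The function names, the precise meaning assigned to each key and the added X-Content-Type-Options header are assumptions on my part; the list values are the ones from the table.

```php
<?php
// Added example, not MindTouch code. The function names and the meaning
// assigned to each key are assumptions; the values are those from the table.

$config = array(
    'files/blocked-extensions' => 'html, htm, exe, vbs, scr, reg, bat, com, xhtml',
    'files/force-text-extensions' => 'htm, html, xhtml, bat, reg, sh',
    'files/whitelisted-disposition-mimetypes' =>
        'text/plain, text/xml, application/xml, application/pdf, application/msword, ' .
        'application/vnd.ms-excel, application/vnd.ms-powerpoint, ' .
        'application/vnd.openxmlformats-officedocument.wordprocessingml.document, ' .
        'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet, ' .
        'application/vnd.openxmlformats-officedocument.presentationml.presentation, ' .
        'application/vnd.oasis.opendocument.presentation, ' .
        'application/vnd.oasis.opendocument.spreadsheet, ' .
        'application/vnd.oasis.opendocument.text, application/x-shockwave-flash',
);

// Split a comma-separated setting into a lower-cased, trimmed list.
function config_list(array $config, $key)
{
    return array_map('trim', explode(',', strtolower($config[$key])));
}

// Last extension of the file name, lower-cased ("" when there is none).
function file_extension($filename)
{
    return strtolower(pathinfo($filename, PATHINFO_EXTENSION));
}

// Upload-time check: reject names whose extension is on the blocked list.
function upload_allowed($filename, array $config)
{
    $blocked = config_list($config, 'files/blocked-extensions');
    return !in_array(file_extension($filename), $blocked, true);
}

// Download-time headers for a stored file. Force-text extensions override the
// detected type; the disposition is inline only for whitelisted types.
function download_headers($filename, $detectedMime, array $config)
{
    $ext  = file_extension($filename);
    $mime = strtolower($detectedMime);
    if (in_array($ext, config_list($config, 'files/force-text-extensions'), true)) {
        $mime = 'text/plain';
    }
    $inline = in_array($mime, config_list($config, 'files/whitelisted-disposition-mimetypes'), true);
    // Strip characters that could break out of the header value.
    $safeName = str_replace(array('"', "\r", "\n"), '', $filename);
    return array(
        'Content-Type'           => $mime,
        'Content-Disposition'    => ($inline ? 'inline' : 'attachment') . '; filename="' . $safeName . '"',
        // Added hardening (assumption, not a MindTouch setting): stop browsers
        // from sniffing a different type than the one declared.
        'X-Content-Type-Options' => 'nosniff',
    );
}

// Usage with constructed sample file names.
var_dump(upload_allowed('report.pdf', $config));
var_dump(upload_allowed('page.html', $config));
print_r(download_headers('notes.htm', 'text/html', $config));
print_r(download_headers('logo.svg', 'image/svg+xml', $config));
```

The `notes.htm` call shows the force-text rule taking precedence over the detected type, and the `logo.svg` call shows why the whitelist matters: a type that is not on it, even an image format, is never offered for inline rendering in the site's origin.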
It is imperative that you update your MindTouch installs immediately. We urge you to take a proactive approach in applying this patch, which should take no longer than ten minutes.
MindTouch places a great emphasis on the security of the platform, and will continue to improve on our release processes to diminish the likelihood of these types of issues.
MindTouch v10.0.5 RC1
We’ve just wrapped up the development cycle for the MindTouch 10.0.5 RC1 release. The MindTouch Community Portal has been updated and is running the latest bits.
If you’d like to help us test RC1 please switch to the following SVN branch:
https://svn.mindtouch.com/source/public/dekiwiki/10.0
Then update to revision number 23931
svn up -r 23931
The following bugs were fixed for 10.0.5 RC1:
Bug
- MT-8619 — DekiAPI extension not working correctly on HTTPS sites
- MT-8754 — Double curlies inside script-jem blocks are not parsed as DekiScript
- MT-8982 — Webkit: tabbing to create a new table row jumps cursor into the weeds.
- MT-9193 — File reservation updates needed
Task
- MT-9265 — Upgrade editor to 3.4.2
