| |||||||||||
| |  |
 |
| | LinkBack | Thread Tools | Search this Thread | Display Modes |
(#1)
  |
| Limey Posts: 8,141 Join Date: Jan 2006 Location: England, UK |  HtmlTidy html-tidy-logic.php security patch -
19-11-2008, 12:31 AM
We have patched a file that we distribute with SupportSuite, eSupport and LiveResponse to fix a reported security flaw (as well as another one which we have discovered in the same file). The flaw can only be triggered when register_globals (in the PHP configuration) is turned on. register_globals is turned off by default, and to turn the setting on would go against PHP 4+ installation guidelines and defaults. Please download the attached file and replace your existing one with it. In folder: Code: \includes\htmlArea\plugins\HtmlTidy\ -------------------------------------------------------------------
|
| |  |
|
(#2)
|
| Member Posts: 1,222 Join Date: Dec 2007 Location: Boise, Idaho |
19-11-2008, 07:25 PM
This patch has been pushed upstream to the HTML Tidy maintainers.
|
| | |
|
(#3)
|
| Member Posts: 1,222 Join Date: Dec 2007 Location: Boise, Idaho |
20-11-2008, 06:30 AM
I was incorrect to attribute this source file to HTML Tidy; this source file is in fact our own code. Whereas the defect was correctly identified and repaired, the origin of the source in question was not. This was a Kayako defect, not a Tidy defect. |
| | |
|
(#5)
|
| Senior Member Posts: 7,909 Join Date: Jun 2005 Location: Cumbria, UK |
20-11-2008, 02:01 PM
You can subscribe to the news and announcements board on this forum. Go to http://forums.kayako.com/subscriptio...bscription&f=3 to do so.
Click here for Kayako Software Development My Addons: BlackBerry Ticket Client for Kayako - Windows Mobile Live Support Client for Kayako |
| | |
|
(#6)
|
| Member  Posts: 268 Join Date: Jan 2008 |
20-11-2008, 02:18 PM
Quote:
| |
| | |
|
(#7)
|
| Member Posts: 1,222 Join Date: Dec 2007 Location: Boise, Idaho |
20-11-2008, 07:07 PM
Actually, I'm now getting mixed responses from parties which should all be giving the same answer about the origin of the defect. At this time I withdraw any claim to knowledge of the origin of the source containing the defect, pending further investigation. The defect is fixed in our copy of the source; however, it remains unclear at this time whether other parties use this source, and whether or not they are affected. I will keep this thread up to date as I get a clearer picture of what's going on. Someone is confused (I certainly am, but I mean among the people I'm discussing this with), but I don't know who it is yet. Regardless, this defect is closed at least in our copy of this source. |
| | |
|
(#8)
|
| Member Posts: 1,222 Join Date: Dec 2007 Location: Boise, Idaho |
20-11-2008, 08:29 PM
I understand the problem now. There is a third party wrapper for HTML Tidy which, confusingly, uses the name HTML Tidy. The reason I believed that we acquired this source from HTML Tidy is that we did; I just was unaware of that there were two products going under this name. The C library and the PHP bindings - that is, the major product called HTML Tidy - is not subject to this defect. The third party PHP wrapper, which is a plugin module for htmlArea, is the vulnerable package. Kayako is escalating this issue to the other HTML Tidy group; however, as that plugin is considered unsupported, it remains unclear the expected response. This defect is resolved in all Kayako products with the patch provided in this thread, and that patch will be reflected in the upcoming 3.30.03 stable, expected promptly (with other bugfixes too). Kayako would like to thank
|
| | |
|
| Thread Tools | Search this Thread |
| Display Modes | |
| |
Similar Threads | ||||
| Thread | Thread Starter | Forum | Replies | Last Post |
| Free HTML/Outlook Tickets and Queue Signature Problems - Solved! | Matthew | Modifications & Extensions | 10 | 02-12-2008 08:10 AM |
| Security Threat in 3.30 STABLE - HTML in ticket preview | NC Software | SupportSuite, eSupport and LiveResponse | 16 | 15-08-2008 11:48 PM |
Linear Mode
