X2Community Forums


Guest x2demitri

Note (3/26): Last week, Secunia Research notified us of additional security vulnerabilities, which were subsequently fixed in version 4.0. Please update to/install that version or later to avoid having a version of X2Engine with the unrestricted file upload vulnerabilities that were discovered.

Hi all,


This release, 3.7.4, includes some vitally important bug fixes and security updates. We've had to delay 4.0 to get this one out, but we are in agreement that it is more important to offer these fixes first.


Special thanks to the authors of The HauntIT Blog for finding these now-fixed vulnerabilities for us. In response, we've

  • Performed a deep audit of UI code for un-encoded text attributes vulnerable to XSS
  • Created a new catch-all site-wide filter for uploaded files that precludes any maliciously-named files or forbidden mimetypes
  • Eliminated numerous possible MySQL injection vulnerabilities, including those listed on the blog
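The second bullet describes a site-wide upload filter that rejects maliciously named files and forbidden MIME types. The following is an added illustration of what such a catch-all filter checks; it is not X2Engine's code (X2Engine is a PHP application, and this is written in Python purely to show the technique), and the allowlists, the executable-segment list and the magic-number table are constructed assumptions rather than values taken from the project.

```python
import os
import re
import unicodedata

# Constructed allowlists (assumption: not X2Engine's actual configuration).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt", "csv"}
ALLOWED_MIME_TYPES = {
    "image/jpeg", "image/png", "image/gif",
    "application/pdf", "text/plain", "text/csv",
}
# Segments that must not appear anywhere in the name, not only at the end:
# "report.php.txt" is rejected because some server configurations map a
# handler on any extension segment, not just the last one.
EXECUTABLE_SEGMENTS = {
    "php", "phtml", "php3", "php4", "php5", "phar", "cgi", "pl", "py", "sh", "htaccess",
}
# Leading bytes used to confirm the declared type; the client-supplied
# Content-Type header is never trusted on its own.
MAGIC = {
    "image/jpeg": b"\xff\xd8\xff",
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/gif": b"GIF8",
    "application/pdf": b"%PDF-",
}


class UploadRejected(ValueError):
    """Raised with a reason string whenever an upload fails a check."""


def sanitize_filename(name: str) -> str:
    """Return a safe basename for storage, or raise UploadRejected."""
    if "\x00" in name:
        raise UploadRejected("null byte in filename")
    # Discard any directory part the client sent (path traversal attempts),
    # treating backslashes as separators too.
    base = os.path.basename(name.replace("\\", "/"))
    base = unicodedata.normalize("NFKC", base).strip()
    if base in ("", ".", ".."):
        raise UploadRejected("empty or dot-only filename")
    # Conservative character set; also forbids names starting with a dot.
    if not re.fullmatch(r"[A-Za-z0-9][A-Za-z0-9._-]*", base):
        raise UploadRejected("disallowed characters in filename")
    segments = base.lower().split(".")
    if len(segments) < 2:
        raise UploadRejected("missing extension")
    if segments[-1] not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension .{segments[-1]} not allowed")
    if any(seg in EXECUTABLE_SEGMENTS for seg in segments[:-1]):
        raise UploadRejected("executable extension hidden inside filename")
    return base


def check_content(declared_mime: str, data: bytes) -> str:
    """Check the declared MIME type against the allowlist and the bytes."""
    if declared_mime not in ALLOWED_MIME_TYPES:
        raise UploadRejected(f"mime type {declared_mime} not allowed")
    magic = MAGIC.get(declared_mime)
    if magic is not None and not data.startswith(magic):
        raise UploadRejected("content does not match declared mime type")
    # Plain-text types have no magic number, so refuse anything that
    # carries a server-side script marker.
    if declared_mime.startswith("text/") and b"<?php" in data.lower():
        raise UploadRejected("script marker in text upload")
    return declared_mime


def validate_upload(name: str, declared_mime: str, data: bytes) -> str:
    """Run every check; return the sanitized basename to store under."""
    safe_name = sanitize_filename(name)
    check_content(declared_mime, data)
    return safe_name


def is_accepted(name: str, declared_mime: str, data: bytes) -> bool:
    """Convenience wrapper returning True/False instead of raising."""
    try:
        validate_upload(name, declared_mime, data)
        return True
    except UploadRejected:
        return False


if __name__ == "__main__":
    # Constructed sample uploads: one legitimate image, one disguised script.
    print(validate_upload("photo.jpg", "image/jpeg", b"\xff\xd8\xff\xe0JFIF"))
    print(is_accepted("shell.php.jpg", "image/jpeg", b"\xff\xd8\xff\xe0"))
```

The filter is deliberately allowlist-based at every layer: the stored name is rebuilt from a basename with a restricted character set, the extension must be on the allowlist and no earlier segment may be an executable type, and the declared MIME type must both be allowed and agree with the file's leading bytes. Rejecting on any single failure is what makes it a catch-all rather than a list of known-bad patterns.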
