ALERT: Xitami 2.5b5

From: Matthew Murphy (mattmurphyat_private)
Date: Fri Jun 14 2002 - 13:22:21 PDT

    I have notified iMatix via supportat_private of multiple
    flaws in the GSL templates of Xitami 2.5 Beta.  The e-mail
    was sent out today, so I will release technical details later
    on, but I did want to release a workaround:
    
    In defaults.cfg, users can set "use-error-script" in the "[Server]"
    section to "0".  This will disable the vulnerable GSL script and
    secure your server.  Users who have not installed the Beta 
    should wait until a fix is available.
    
    Xitami has no security contact, so I decided to publish this
    workaround to avoid exploits of this bug.  In my message to
    the company (iMatix) I told them that if no reply was received
    in 7 days, I would publish full details.
    


