XML-RPC Security Bug
April 13th, 2007 by Matt Pat

Hey y'all, just letting you know that I just found a very severe security bug in the XML-RPC APIs (the systems that allow you to post to your blog from external blogging applications, like ecto or ScribeFire for Firefox). The file xmlrpc.php in Subversion revisions prior to 388 (which includes the public alpha) did not validate the password passed along from the blog client before granting rights to post or modify the blog. Therefore, anyone who knew what they were doing could quite easily post to your blog without authorization.
An updated version of the file exists in revision 388. In order for the file to function properly, however, your installation must be using at least revision 338 (otherwise, includes will fail). Current Subversion users need only update their working copies, whereas alpha users are recommended to switch to a Subversion branch if possible. If a switch to Subversion is not possible, we recommend that you remove the file xmlrpc.php from the root of your site until the beta is released later this week sometime in the near future.
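To make the defect concrete, here is an added illustration (constructed for this post, not Tux CMS code and not the contents of xmlrpc.php) of a Blogger-API-style `newPost` handler in the shape the bug describes, beside a corrected one. The user store, the `blogger.newPost` parameter order, and the in-memory post list are assumptions; the point is that the vulnerable version receives a password parameter and never checks it, while the fixed version refuses to do anything until the credentials verify.

```python
"""Missing password validation in an XML-RPC post handler, and the fix.

Constructed example for illustration only; not code from Tux CMS.
"""
import hashlib
import hmac
import os
import xmlrpc.client


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 hash; a real CMS would use its own password scheme."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Hypothetical user store: username -> (salt, password hash). In practice
# this would come from the CMS database; here it is constructed inline.
_SALT = os.urandom(16)
USERS = {"matt": (_SALT, _hash_password("correct horse battery staple", _SALT))}


def credentials_valid(username: str, password: str) -> bool:
    """Return True only if the password matches the stored hash (constant-time)."""
    record = USERS.get(username)
    if record is None:
        # Hash anyway so an unknown user costs the same time as a wrong password.
        _hash_password(password, b"\x00" * 16)
        return False
    salt, stored = record
    return hmac.compare_digest(_hash_password(password, salt), stored)


def make_request(username: str, password: str, content: str) -> str:
    """Build the blogger.newPost methodCall a blog client would send."""
    return xmlrpc.client.dumps(("1", username, password, content, True),
                               methodname="blogger.newPost")


def vulnerable_new_post(xml_request: str, store: list) -> int:
    """Pre-revision-388 behaviour as the post describes it: the password
    parameter is received but never checked before the post is created."""
    params, method = xmlrpc.client.loads(xml_request)
    blogid, username, password, content, publish = params
    store.append((username, content))   # rights granted on the username alone
    return len(store)


def fixed_new_post(xml_request: str, store: list) -> int:
    """Corrected handler: validate credentials before granting any rights."""
    params, method = xmlrpc.client.loads(xml_request)
    if method != "blogger.newPost" or len(params) != 5:
        raise xmlrpc.client.Fault(400, "malformed request")
    blogid, username, password, content, publish = params
    if not credentials_valid(username, password):
        raise xmlrpc.client.Fault(403, "authentication failed")
    store.append((username, content))
    return len(store)


if __name__ == "__main__":
    posts = []
    print(vulnerable_new_post(make_request("matt", "not the password", "hi"), posts))
    try:
        fixed_new_post(make_request("matt", "not the password", "hi"), posts)
    except xmlrpc.client.Fault as fault:
        print("rejected:", fault.faultString)
```

The fixed handler also checks the method name and parameter count before unpacking, so a malformed call fails with a fault rather than a Python error, and the unknown-user branch hashes anyway so response timing does not reveal which usernames exist.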
As always, to checkout the latest copy of Tux CMS, run:
svn co https://tuxcms.svn.sourceforge.net/svnroot/tuxcms/trunk tuxcms