PHProjekt 5.2.1: security and bugfix update

14. Mar 2007   

Today we release a security and bugfix update for PHProjekt 5.2 - the current version is now 5.2.1. You can download it directly here:
tar.gz - zip.
Besides the many bugs that were reported in the Bugtracker of thinkforge and fixed in this version, we removed these security issues:
- some XSS holes
- a bug in the CSRF prevention routine
- a few blind SQL injections
Please also read the advisory by nruns.
Please note that these exploits are only possible if a valid user is logged in.
We also implemented features to improve the security of PHProjekt:
- a further improvement of the password encryption to avoid attacks with rainbow tables
- the default file download method is attachment only; the sysadmin has to
  explicitly enable inline download via PHPR_DOWNLOAD_INLINE_OPTION in the config
- search engine robots such as Google are denied from listing your installation
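The attachment-only download default above matters because a file uploaded by one user (for example an HTML or SVG document) that is rendered inline is executed in the origin of the PHProjekt installation, which turns a file upload into stored XSS. The following is an added example, not PHProjekt's own download code, of how a handler can honour such a switch; the option name PHPR_DOWNLOAD_INLINE_OPTION is taken from the announcement, but its boolean semantics and the function names are assumptions.

```php
<?php
// Added example (not PHProjekt code): serve an upload as an attachment unless
// the administrator has explicitly enabled inline delivery.
// PHPR_DOWNLOAD_INLINE_OPTION is the option named in the announcement; treating
// it as a boolean constant is an assumption of this example.

// Constructed default; in a real deployment the value comes from the config file.
if (!defined('PHPR_DOWNLOAD_INLINE_OPTION')) {
    define('PHPR_DOWNLOAD_INLINE_OPTION', false);
}

/**
 * Build the Content-Disposition value for a stored upload.
 * Returned as a string so the decision can be inspected without sending headers.
 */
function downloadDispositionHeader(string $storedName, bool $inlineAllowed): string
{
    // Drop path components and any character that could break the header.
    $safeName = basename($storedName);
    $safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', $safeName);
    if ($safeName === '' || $safeName === '.' || $safeName === '..') {
        $safeName = 'download';
    }

    // "attachment" makes the browser save the file instead of rendering it, so
    // uploaded HTML or SVG cannot run script in the application's origin.
    $disposition = $inlineAllowed ? 'inline' : 'attachment';
    return sprintf('%s; filename="%s"', $disposition, $safeName);
}

/**
 * Stream a stored upload to the client with hardened headers.
 * $path is the server-side location, $originalName the user-supplied name.
 */
function sendUpload(string $path, string $originalName): void
{
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    // A neutral type plus nosniff keeps the browser from guessing "text/html".
    header('Content-Type: application/octet-stream');
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: '
        . downloadDispositionHeader($originalName, PHPR_DOWNLOAD_INLINE_OPTION));
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
}

// Demonstration with constructed names (no files are read here).
echo downloadDispositionHeader('report.html', PHPR_DOWNLOAD_INLINE_OPTION), "\n";
echo downloadDispositionHeader('../evil<script>.svg', true), "\n";
```

Even when the administrator turns inline delivery on, keeping `X-Content-Type-Options: nosniff` and a non-HTML content type limits what a browser will execute; the switch only decides whether the browser is asked to display the file or to save it.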
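The rainbow-table item above is about precomputation: an unsalted digest of a password is the same for every installation and every user, so one precomputed table cracks all of them. The following added example (not PHProjekt's actual routine; the function names and the legacy-detection rule are assumptions) shows the weak unsalted form beside a salted, slow hash, and a transparent upgrade of old entries on a successful login.

```php
<?php
// Added example (not PHProjekt's own code): unsalted digest versus a salted
// slow hash, with in-place migration of legacy entries.

// Weak: two users with the same password get identical hashes, and a single
// precomputed md5 table recovers every account at once.
function legacyHash(string $password): string
{
    return md5($password);
}

// Hardened: password_hash() (PHP >= 5.5) generates a random per-user salt and
// uses a deliberately slow algorithm (bcrypt by default), so every stored value
// must be attacked separately and no precomputed table applies.
function hardenedHash(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

function verifyHardened(string $password, string $stored): bool
{
    return password_verify($password, $stored);
}

/**
 * Verify a login against whichever scheme the stored value uses. When a legacy
 * entry verifies, the caller-supplied $store callback receives the new salted
 * hash so the account is upgraded without a forced password reset.
 * Assumption: legacy entries are recognisable as 32 lowercase hex characters.
 */
function loginAndUpgrade(string $password, string $stored, callable $store): bool
{
    $isLegacy = (bool) preg_match('/^[0-9a-f]{32}$/', $stored);
    if ($isLegacy) {
        // Constant-time comparison avoids leaking how many bytes matched.
        if (!hash_equals($stored, legacyHash($password))) {
            return false;
        }
        $store(hardenedHash($password));
        return true;
    }
    return verifyHardened($password, $stored);
}

// Demonstration with constructed values.
$legacyEntry = legacyHash('correct horse');
$upgraded    = null;

var_dump(loginAndUpgrade('wrong', $legacyEntry, function (string $h) use (&$upgraded) {
    $upgraded = $h;
}));                                                    // bool(false), nothing stored
var_dump(loginAndUpgrade('correct horse', $legacyEntry, function (string $h) use (&$upgraded) {
    $upgraded = $h;
}));                                                    // bool(true), $upgraded now set
var_dump($upgraded !== null && verifyHardened('correct horse', $upgraded));
var_dump(legacyHash('a') === legacyHash('a'));          // identical: table-crackable
var_dump(hardenedHash('a') === hardenedHash('a'));      // differ: per-user salt
```

The migration path is the practical part: a scheme change is only effective once existing accounts are re-hashed, and doing it at the moment the user supplies the correct password is the only time the application has the plaintext needed for that.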

Furthermore, we fixed many bugs in the 5.2 version, among them a problem with the codepage and Dojo, and a bug which prevented the root user from using the module designer under certain conditions.

We strongly recommend updating to the current version 5.2.1.
How to update: simply copy the scripts of the distribution over your current
installation; there is no need to run the update routine.

Albrecht
on behalf of the PHProjekt development team

Posted by Albrecht