The Habari Project was notified yesterday of three potential security vulnerabilities that had been discovered by the High-Tech Bridge security company. Included were a low-risk path disclosure vulnerability (HTB22732) and two potential medium-risk XSS flaws (HTB22731 and HTB22733).
While the potential for compromise is low, and we are unaware of any instances of these exploits being used in the wild, we are happy to announce that all three exploits are fixed in our new 0.6.6 release.
In addition, the 0.6.6 release includes two fixes for bugs that existed in the Habari Silo plugin. Paths can now be created deeper than the root directory and the bug requiring users to FTP their first image to the server has been corrected.
Full release notes are available on our wiki here: Release 0.6.6
All users of the 0.6.5 release are encouraged to upgrade immediately to avoid any possible exploits. We anticipate releasing an updated 0.7 Developer Preview that incorporates the security fixes as well as numerous other improvements by early next week.
Update: Please note that the original zip file released as 0.6.6 had an incorrect version string that still identified it as 0.6.5. A new zip archive has been created and has replaced the prior one. If you've already installed the original version you may simply update system/classes/version.php and replace '0.6.5' with '0.6.6'.
The Habari Project is incredibly security-conscious and relies on the community to quickly report any possible security exploits they find so we can evaluate and correct them as quickly as possible. If you believe you've found such an exploit, please contact firstname.lastname@example.org with details!