First, another problem on the English download page: the <meta
name="description"/> tag on <http://www.spip.net/en_download> contains
"$$version_stable$$" and "$$version_stable_date$$". Perhaps a script that
should be replacing these values is broken?
Thanks, this is solved by [22731] on spip-zone
Second, I've just encountered a possible security flaw in SPIP. I installed
SPIP 1.9.2e on a server but had to move on to something else before
beginning that project. I've come back to it today to find that someone has
attempted to inject a link to baidu, possibly through #SPIP_CRON. The home page of the site contained:
<!-- SPIP-CRON --><div style="background-image:
url('http://www.baidu.comhttp://www.baidu.com/spip.php?action=cron');"></div>
Yes, I know this problem, which happens when your site responds to
something like http://yoursite/spip.php?http//othersite/anything ; then,
if an include is computed at that hit, it might contain
http//othersite/ where otherwise it would have had #SELF, and then
this wrong cache can be served to a normal URL afterwards.
I haven't been able to solve it, but clearly there is something to do.
-- Fil
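The mechanism Fil describes above, reproduced as an added example (this is not SPIP's own code, and the function and variable names, the fragment cache, the `page`/`id_article` parameter whitelist and the two sample request URIs are all invented for the demo): a fragment cache keyed only by the fragment name stores whatever "self" link the first visitor's request produced, so a request whose query string carries a foreign URL poisons the fragment for every later visitor. The hardened variant builds the self link only from known parameters, keys the cache on that canonical value, and escapes it for the attribute context.

```php
<?php
// Added example, not SPIP code: a toy fragment cache showing the cache
// poisoning described in the thread, next to a hardened variant.

$fragmentCache = [];

// Appends action=... to a self link, using ? or & as appropriate.
function with_action(string $self, string $action): string
{
    return $self . (strpos($self, '?') === false ? '?' : '&')
        . 'action=' . rawurlencode($action);
}

// Vulnerable: #SELF is taken straight from the request URI and the cache
// key is only the fragment name, so the first request decides the output
// everyone else receives until the cache expires.
function render_fragment_vulnerable(string $name, string $requestUri): string
{
    global $fragmentCache;
    if (isset($fragmentCache[$name])) {
        return $fragmentCache[$name];
    }
    $self = $requestUri; // plays the role of #SELF
    $html = "<div style=\"background-image: url('"
        . with_action($self, 'cron') . "');\"></div>";
    $fragmentCache[$name] = $html;
    return $html;
}

// Hardened step 1: rebuild the self link from the path plus a whitelist of
// parameters the site actually understands (whitelist invented for the demo).
// Anything else in the query string, including "http://othersite/...", is dropped.
function canonical_self(string $requestUri, array $allowedParams = ['page', 'id_article']): string
{
    $parts = parse_url($requestUri);
    // Scheme and host are ignored on purpose: a self link is always relative.
    $path = $parts['path'] ?? '/';
    $query = [];
    if (!empty($parts['query'])) {
        parse_str($parts['query'], $raw);
        foreach ($allowedParams as $p) {
            if (isset($raw[$p]) && is_scalar($raw[$p])) {
                $query[$p] = (string) $raw[$p];
            }
        }
    }
    ksort($query); // stable ordering so equivalent requests share one cache entry
    return $path . ($query ? '?' . http_build_query($query) : '');
}

// Hardened step 2: the cache key covers everything that shapes the output,
// and the value is escaped for the HTML attribute it lands in.
function render_fragment_hardened(string $name, string $requestUri): string
{
    global $fragmentCache;
    $self = canonical_self($requestUri);
    $key  = $name . '|' . $self;
    if (isset($fragmentCache[$key])) {
        return $fragmentCache[$key];
    }
    $html = "<div style=\"background-image: url('"
        . htmlspecialchars(with_action($self, 'cron'), ENT_QUOTES, 'UTF-8')
        . "');\"></div>";
    $fragmentCache[$key] = $html;
    return $html;
}

// Constructed sample requests: one attacker hit, then one ordinary visitor.
$poison = '/spip.php?http://www.baidu.com/';
$normal = '/spip.php?page=sommaire';

$fragmentCache = [];
echo "vulnerable, attacker hit: ", render_fragment_vulnerable('cron', $poison), "\n";
echo "vulnerable, normal visit: ", render_fragment_vulnerable('cron', $normal), "\n";

$fragmentCache = [];
echo "hardened, attacker hit:   ", render_fragment_hardened('cron', $poison), "\n";
echo "hardened, normal visit:   ", render_fragment_hardened('cron', $normal), "\n";
```

Run it with `php` on the command line: in the vulnerable pair the second line repeats the first, foreign URL included, because the normal visitor is served the entry the attacker created; in the hardened pair the attacker's line contains only `/spip.php?action=cron` and the normal visitor's line is computed and cached under its own key. Keying the cache on the canonical self link is what stops the poisoned entry from being reused, and the whitelist is what keeps the foreign URL out of the entry in the first place; either alone would leave a gap.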