Version 10.0.28 has now been released. This version is a patch release that fixes 3 vulnerabilities and fixes some bugs. Upgrading to this release is strongly advised due to security fixes.

To upgrade follow the steps in your website's http://mybaseurl/upgrader.php script. You will need to copy the URL of the attached file (created via the form below) during step 3.



The following security issues have been fixed since version 10.0.27…

• Information leak on IIS [core]
• XSS vulnerability via mime sniffing on .dat files [core]
• Illicit stats access vulnerability via direct URL access [stats]

The following other changes have been made since version 10.0.27…

• Error completing location CPFs if some were deleted [core]
• Downloader engine fixes:
  • HTTP implementation bugs [core]
  • Fix to a particularly quirky server's OpenSSL install
  • Fix error if download stream fails immediately after checking it has not
• Importer fixes:
  • Issues with vBulletin importing [import]
  • Various import fixes and cleanups
  • Various fixes to very broken import timeout refresher
  • Recent patch release broke importing from site with non-blank password; also tidy up what POST fields are relayed
• Permission fixing script fixes:
  • Git hook permissions may not be set well after switching branches [linux_helper_scripts]
  • Fixed various issues with fixperms.sh script, especially performance issue running on compo.sr
  • We need to correct permissions to 644 under uploads too
• Thumbnail fixes
• Fix ModSecurity workaround for zone editor
• Fix issues/ugliness with some Sitemap rep-image generation
• Fix condition trying to make a deleted catalogue a tree-based one
• Fixed issues with date submission using HTML5
• Tweaks to get_default_option, inspired by automated error mail
• Demonstratr fixes:
  • Fix Sitemap error on Demonstratr / Fix sitemap generation for Comcode pages on Demonstratr [core_comcode_pages]
  • Fix theme-wizard clone theme error on Demonstratr