Dear Campsite users,
In recent days various reports have appeared on security-oriented websites such as vupen.com, securityfocus.com and Spamfighter.com regarding Campsite's vulnerability to cross-site scripting attacks. Because we take security very seriously, these reports were alarming to us too.

However, the reports focus on a vulnerability that has been documented for a while now by the PHP development team. It is not in Campsite itself but is a setting for the PHP programming language: the setting in the document php.ini called register_globals, and our recommendation is that it should always be set to 'off.' The Campsite manual explicitly warns users about this: http://manual.campware.org/manuals/campsite/3.3/index.php?id 0

To make this even clearer, as of the next Campsite release (3.3.2), the installation process will warn users about this setting during install, telling them that the recommended value for register_globals is OFF to avoid big security holes.

While we appreciate having people point out security holes to us (and please keep those bug reports coming!), we wish there was a way that the security sites would also acknowledge when such vulnerabilities are resolved. Unfortunately, there doesn't seem to be such a way right now, except to try to address it directly via the Campware site and mailing lists.

Best regards,
The Campsite team
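As an added illustration (this is not Campsite's own code, and the function names and warning text are assumptions): an install-time check of the register_globals directive like the one the announcement describes, followed by the unescaped-output pattern that this setting turns into a cross-site scripting hole and the form that is safe regardless of php.ini.

```php
<?php
// Added example, not Campsite's own code: an install-time check for the
// php.ini directive register_globals, plus the coding pattern that made
// the directive dangerous, shown next to its safe form.

// ini_get() hands back the raw php.ini value ("1", "0", "On", "Off", "");
// on PHP 5.4 and later the directive no longer exists and ini_get()
// returns false, which we treat as "off".
function register_globals_enabled()
{
    $raw = ini_get('register_globals');
    if ($raw === false) {
        return false;
    }
    return (bool) filter_var($raw, FILTER_VALIDATE_BOOLEAN);
}

// Installer warning; the exact wording is our assumption, not Campsite's.
function register_globals_warning()
{
    if (!register_globals_enabled()) {
        return null;
    }
    $ini = php_ini_loaded_file();
    if ($ini === false) {
        $ini = 'php.ini';
    }
    return "WARNING: register_globals is On in $ini. The recommended value "
         . 'is Off: set "register_globals = Off" in php.ini, or '
         . '"php_flag register_globals off" in .htaccess.';
}

// --- Why the directive matters (kept at page level on purpose, because
// register_globals only populates the global scope) ---
//
// Unsafe: $page_title is never assigned by this script, so with
// register_globals On it holds whatever the request supplied, and
// echoing it unescaped is a cross-site scripting hole:
//
//   echo '<h1>' . $page_title . '</h1>';
//
// Safe: every variable is initialized, input is read only from the
// superglobal you intend, and output is escaped whatever the setting is.
$page_title = isset($_GET['title'])
    ? htmlspecialchars($_GET['title'], ENT_QUOTES, 'UTF-8')
    : 'Campsite';
echo '<h1>' . $page_title . '</h1>', PHP_EOL;

$msg = register_globals_warning();
if ($msg !== null) {
    echo $msg, PHP_EOL;
}
```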