From LifeType Wiki
Release notes for LifeType 1.2.11
Description
LifeType 1.2.11 is mostly a security release in the 1.2 series, though there are a handful of bug fixes as well.
Security fix #1: Versions of LifeType prior to 1.2.11 have a cross-site request forgery (CSRF) bug: a mischievous visitor can trick a LifeType administrator into viewing certain web pages, which then modify the administrator's blog. A new plugin, named CSRF, has been created to combat this problem. Unlike regular plugins, this plugin does not work with every LifeType 1.2.x release; it only works with releases 1.2.11 and later. The plugin comes installed by default. See the forum message for a further explanation of some workarounds and issues with this new security model.
Security fix #2: The LifeType team was notified of a cross-site scripting (XSS) vulnerability that allows a malicious visitor of the blog to put a malformed Referer header into the database, which would then be executed when a blog administrator views the statistics pages in the administration interface. Once you have updated to 1.2.11 or later, you are safe from previous and future attacks.
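Security fix #2 is a stored value that becomes dangerous only when it is rendered later in the administration interface. The following PHP example is added here for illustration and is not LifeType's actual patch; the function name `render_referer_cell` and the sample values are assumptions. It shows a stored Referer value being treated as untrusted text at output time.

```php
<?php
// Added example, not LifeType code. render_referer_cell() is a hypothetical helper.

/**
 * Build the table cell that shows one stored Referer value on a statistics page.
 * Any visitor can send any Referer header, so the stored string is untrusted
 * at display time regardless of what was done when it was inserted.
 */
function render_referer_cell(string $stored): string
{
    // Remove control characters that have no place in a displayed URL.
    $clean = preg_replace('/[\x00-\x1F\x7F]/', '', $stored);

    // Encode for HTML text and attribute context (both quote styles).
    $text = htmlspecialchars($clean, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    // Link only values that parse as http(s) URLs with a host.
    // Anything else (javascript:, data:, free text) is shown as plain text.
    $parts  = parse_url($clean);
    $scheme = (is_array($parts) && isset($parts['scheme']))
        ? strtolower($parts['scheme']) : '';
    $isWeb  = in_array($scheme, ['http', 'https'], true) && !empty($parts['host']);

    if (!$isWeb) {
        return '<td>' . $text . '</td>';
    }
    return '<td><a rel="noreferrer nofollow" href="' . $text . '">' . $text . '</a></td>';
}

// Constructed sample rows, as they might sit in a referrers table.
$rows = [
    'https://search.example/?q=lifetype',
    'http://blog.example/"><script>alert(1)</script>',
    'javascript:alert(1)',
];

foreach ($rows as $row) {
    echo render_referer_cell($row), "\n";
}
```

In the output, the second row's quote and angle brackets appear as `&quot;`, `&lt;` and `&gt;`, and the third row is printed as plain text with no link.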
Download
These are the links to the full LifeType 1.2.11 packages:
If upgrading from LifeType 1.2.10, there are packages available that include only new or modified files and allow you to upgrade from LifeType 1.2.10 only. These packages cannot be used to upgrade from 1.1.x or any other 1.2.x release:
LifeType upgrade package from 1.2.10 (.tgz)
LifeType upgrade package from 1.2.10 (.zip)
Important notes
NOTE: If you are still running PHP 4, make sure to check out this bug report to avoid a menutabs error in the administration section.
New features
TinyMCE was upgraded to the latest release, and our plugins were upgraded to work with the latest browsers.
Issues fixed
The Template Editor plugin had a problem in Internet Explorer.
Some custom URL changes; see the link below for more details if anything is broken on your blog after upgrading.