mojoPortal 2.1.8 is now available from the download page.
This release has an important fix for a security vulnerability so I recommend for everyone to upgrade as soon as possible. It is a very easy upgrade from version 2.1.7, all you need to do is replace the mojoPortal.Web.dll in the bin folder with the one from the new release.
Thanks to Cemalettin Polat for reporting this issue. The problem was that in FCKeditor by default the link dialog window launched from the toolbar includes functionality that allows uploading files and browsing of some folders on the server. This should not be allowed on the Contact Form and the Blog Comments form because these are available to anonymous users. I have disabled this in the new release. I also disabled this in the ForumPostEdit.aspx page for users who are not in the Admins or Content Admins role.
Additionally this release fixes another bug that only happens when running under Medium trust, there was an error being raised on the Registration page when running under Medium trust and this would prevent new users from registering. Thanks to Anand Narayanaswamy for reporting this issue.
Update: I just noticed that the security issue also existed in the 1.04 Mono version of mojoPortal. I have corrected the problem and released version 1.0.5. Again, it is only the mojoPortal.Web.dll that needs to be replaced to upgrade from 1.0.4 to 1.0.5
Tuesday, December 19, 2006 3:18:19 AM