Oxwall 1.4.1 security release

Our users informed us about a possible security threat present in all Oxwall versions, including 1.4. We eliminated it and rolled out this unplanned security release. It contains:

  • User Role management security fix;
  • Prevention of possible XSS attacks in profile questions.

Please update to Oxwall 1.4.1 as soon as it’s available for automatic update in your admin area.

25 thoughts on “Oxwall 1.4.1 security release”

  1. Anyone got the update already? I still didn’t get the link, and I’m not sure whether it’s due to a problem in my configuration.

  2. THANK YOU!!! I’ve been getting tons of fake accounts daily!!! This has been needed for a month now. I had to disable registration because of this security thing.

    • Yup, it took a while but eventually it appeared on Oct 12, thanks!

      The talk about fake registrations, it didn’t change anything about that for me either, just got a bunch of new ones today.

  3. This update just appeared for me, installed fine. But I am not sure exactly what it changed; I was not aware of any security problems?

    • Fake account registration is not a security problem, but rather SPAM. We are aware that there are bots working to create fake accounts on various Oxwall-powered websites.

      You need to install an antispam plugin and/or turn on mandatory user approve mode to manually let people in.

  4. Not nice, I get a 404 error when I try to install this release from the archive. Also, I can’t see any actual documentation inside of the package & I really don’t want to search for bugs in code… not funny heh…

  5. This was nice, but there are still a ton of security flaws. In a few older versions you introduced the system that said the admin (first member / super admin) could not be deleted. This is true via the Admin panel, but not the admin’s profile. There is still a delete button on my profile and I’m the super administrator. What if one got our pass? They could easily delete us, and there would be NO way of accessing our Admin panel again!

    Plus, members need more verification with CAPTCHAs. Every so often, when they go to post a link, make a group, or send a message, we should make them occasionally insert a CAPTCHA to validate; they can then permanently remove CAPTCHAs when they verify their profile through text message or email code resend.

  6. My website went down when I activated the antispammer. I don’t know what to do, it doesn’t respond. Please help me :(
