The Apache Software Foundation yesterday released a new version of Shindig, a framework for Web applications, fixing what the foundation has deemed an important information disclosure vulnerability.

According to a post by Ryan Baxter, an Apache Shindig committer, the problem affects the PHP version of Shindig 2.5.0 and lies in the software’s gadget renderer. The renderer is open to an XML External Entity (XXE) Injection vulnerability, which the OWASP Foundation describes as a flaw in which an external entity containing tainted data can lead to the disclosure of sensitive information and other system impacts.

In this case the vulnerability, discovered by Japanese software developer Kousuke Ebihara, “allows a malicious gadget author to construct paths to content on the gadget rendering server which in turn will display the content in the gadget iframe.”
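The defensive check below is an added illustration and is not Shindig’s own code; it shows, in Python rather than PHP, the shape of the mitigation for the XXE class described above: a gadget spec is probed for any DOCTYPE declaration before it is handed to the real parser, because an external entity cannot be declared without one. The gadget spec format (`Module`, `ModulePrefs`, `Content`) follows the OpenSocial layout; both sample documents, including the placeholder `SYSTEM` path, are constructed for this example.

```python
"""Refuse gadget XML that declares a DTD before it reaches the renderer.

An XXE payload needs a DOCTYPE (internal subset or external DTD) to declare
the entity it later expands, so rejecting any DTD up front removes that
surface without having to reason about which entities would be harmless.
"""
import xml.etree.ElementTree as ET
from xml.parsers import expat


class DtdDeclared(Exception):
    """Raised as soon as the probe parser sees a <!DOCTYPE ...> declaration."""


def find_dtd(xml_text):
    """Return (name, system_id, has_internal_subset) if the document declares
    a DOCTYPE, else None.

    Uses a bare expat parser with only a doctype handler installed and aborts
    at the declaration, so no entity is ever expanded during the probe.
    """
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdDeclared((name, sysid, bool(has_internal_subset)))

    parser.StartDoctypeDeclHandler = on_doctype
    try:
        parser.Parse(xml_text, True)
    except DtdDeclared as found:
        return found.args[0]
    return None


def parse_gadget(xml_text):
    """Parse a gadget spec, refusing any document that carries a DTD.

    Returns the gadget title and content type; raises ValueError on refusal.
    """
    dtd = find_dtd(xml_text)
    if dtd is not None:
        raise ValueError("gadget spec declares a DTD %r; refusing to render" % (dtd,))
    root = ET.fromstring(xml_text)
    if root.tag != "Module":
        raise ValueError("not a gadget spec: root element is %r" % root.tag)
    prefs = root.find("ModulePrefs")
    content = root.find("Content")
    return {
        "title": prefs.get("title") if prefs is not None else None,
        "content_type": content.get("type") if content is not None else None,
    }


def is_safe_gadget(xml_text):
    """True if the spec parses cleanly and declares no DTD."""
    try:
        parse_gadget(xml_text)
    except (ValueError, ET.ParseError):
        return False
    return True


# Constructed sample: a benign gadget spec.
CLEAN_GADGET = """<?xml version="1.0"?>
<Module>
  <ModulePrefs title="Hello World"/>
  <Content type="html"><![CDATA[<p>Hello</p>]]></Content>
</Module>"""

# Constructed sample: the shape of an XXE payload. The SYSTEM id is a
# placeholder path, not a real target; the probe rejects the document at the
# DOCTYPE line, before the entity reference in <Content> is ever reached.
XXE_GADGET = """<?xml version="1.0"?>
<!DOCTYPE Module [
  <!ENTITY xxe SYSTEM "file:///PLACEHOLDER/secret.txt">
]>
<Module>
  <ModulePrefs title="Hello World"/>
  <Content type="html">&xxe;</Content>
</Module>"""


if __name__ == "__main__":
    print("clean spec:", parse_gadget(CLEAN_GADGET))
    print("xxe spec accepted?", is_safe_gadget(XXE_GADGET))
```

The probe runs on the raw document with the parser’s own DOCTYPE callback rather than a regular expression, so it is not fooled by whitespace or case variations in the declaration; a DOCTYPE that points at an external DTD (no internal subset) is caught the same way, since the callback fires for both forms.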

Developers are encouraged to update to Shindig’s most recent General Availability release, 2.5.0-update1, to address the issue. Those running the PHP implementation of Shindig will certainly want the update; to run it they need a Web server for the PHP version, while the Java version needs a Servlet container.

Like other Apache software, Shindig is an open source project and a JavaScript container that allows users to host OpenSocial apps on their sites. While originally developed by Google, Shindig has fallen under the Apache umbrella since 2007.

The update is Shindig’s first since August but Apache’s second in the last week. Late last week an update to the group’s Struts framework patched two important vulnerabilities.
