The Apache Software Foundation released a new version of Shindig, a framework for Web applications yesterday, fixing what the collective has deemed an important information disclosure vulnerability.
According to a post on Seclists.org by Ryan Baxter, an Apache Shindig committer, the problem affects the PHP version of Shindig 2.5.0 and deals with the software’s gadget renderer. The renderer is open to an XML Eternal Entity (XXE) Injection vulnerability, which according to the OWASP Foundation is a vulnerability wherein an external entity that contains tainted data can lead to the disclosure of sensitive information and other system impacts.
In this case the vulnerability, discovered by Japanese software developer Kousuke Ebihara, “allows a malicious gadget author to construct paths to content on the gadget rendering server which in turn will display the content in the gadget iframe.”
Developers are being encouraged to update to Shindig’s most recent General Availability Release, 2.5.0-update1, to address the issue. Since those with PHP implementations of Shindig are definitely going to want to download the update they’ll need to have a Web server for the PHP version installed in order to proceed with the download or in other cases, a Servlet container for the Java version.
The update is Shindig’s first since August but Apache’s second in the last week. Late last week an update to the group’s Struts framework patched two important vulnerabilities.