Demian Turner has posted about the latest version of the Seagull framework (0.6.3) and an update to correct a remote file disclosure issue (up to version 0.6.4).

Well it took a bit of time but after quite a few months a new release of Seagull is finally out, 0.6.3 (0.6.4). Things have been keeping pretty busy with the startup I'm working on, but it's been a great opportunity to refine some features of the framework and optimize the performance. The early indications are good, after less than 10 weeks of going live Kindo users are creating up to 20k profiles/day and the server load is staying comfortably below 0.5.

The update is a different download that helps correct an issue with the framework allowing user-inputted values from the GET string. Be sure and update your version to keep this security issue under wraps.

According to this advisory on the FrSIRT website, users of the P-News package have two somethings to worry about - a file upload and remote information disclosure vulnerability.

Multiple vulnerabilities have been identified in P-News, which could be exploited by remote attackers to compromise a vulnerable server or disclose sensitive information.

The file upload issue has to do with the ability to upload an Avatar to the system that doesn't validate the file extension and the second is a design flaw for the location of the user information (a text file) inside the document root.

Unfortunately, so official patch has been supplied at this time, but a few quick edits to the code can make these issues go away.