This 2.4.2 release fixes a file include vulnerability that allowed
users who are logged into citrus to load other php files from the
server. It also adds some minor features.
- fixes file include vulnerability
- adds a tool to show the pending creditcard refunds
- adds script that can email custom
There is a vulnerability in citrus that can be patched by adding a
preg filter around line 99 of the index.php file; the filter prevents the
php file inclusion vulnerability. This vulnerability is only
exploitable by users already logged into citrus.
http://bazaar.launchpad.net/~paul-citrusdb/citrus
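The note above describes the fix only as "a preg filter around line 99 of index.php". The following is an added example, not CitrusDB's own code, showing what that kind of filter looks like: a page name taken from the request is validated with preg_match against a strict allowlist before it reaches include(). The request parameter name (`page`), the `pages/` directory, and the function names are assumptions for illustration; the real index.php may use different names.

```php
<?php
// Added example, not CitrusDB's own code. The parameter name 'page',
// the PAGE_DIR location and the function names are assumptions.

define('PAGE_DIR', __DIR__ . '/pages');

// Vulnerable pattern: the request value is concatenated straight into
// include(), so whatever path a logged-in user supplies is loaded.
function load_page_unsafe(string $page): void
{
    include PAGE_DIR . '/' . $page . '.php';
}

// Hardened pattern: a preg filter that accepts only a short name made of
// letters, digits and underscores. Slashes, dots and control characters
// never match, so directory traversal and absolute paths are rejected
// before any file system access happens.
function page_name_is_valid(string $page): bool
{
    return preg_match('/^[A-Za-z0-9_]{1,32}$/', $page) === 1;
}

function load_page_safe(string $page): void
{
    if (!page_name_is_valid($page)) {
        http_response_code(400);
        exit('Invalid page name');
    }
    $path = PAGE_DIR . '/' . $page . '.php';
    // Second check: the name must map to an existing file inside PAGE_DIR.
    if (!is_file($path)) {
        http_response_code(404);
        exit('Unknown page');
    }
    include $path;
}

// Constructed inputs (not from the advisory) to show what the filter does.
$samples = [
    'main'          => true,   // plain name: accepted
    'customer_list' => true,   // underscore: accepted
    '../other'      => false,  // traversal: rejected
    'report.php'    => false,  // extension supplied by the user: rejected
    ''              => false,  // empty: rejected
];

foreach ($samples as $name => $expected) {
    $result = page_name_is_valid($name);
    printf("%-15s %s\n", var_export($name, true), $result ? 'valid' : 'rejected');
    if ($result !== $expected) {
        fwrite(STDERR, "unexpected result for $name\n");
        exit(1);
    }
}
```

Run the file from the command line to see which constructed names pass the filter; in the real application only `load_page_safe()` would be wired to the request, and `load_page_unsafe()` is shown only to make the difference visible. The `is_file()` check is a second, independent guard: even if the regular expression were later loosened, a name that does not correspond to a file under `pages/` is still refused.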