Security alert: SQL Injection attack for StatusNet 1.0.x and 1.1.x


Thanks to Elly Fong-Jones for identifying, and Joshua Wise for fixing, a SQL injection vulnerability affecting all StatusNet releases from 1.0.0 onward (the 1.0.x and 1.1.x series). The vulnerable code is in the section that provides user lists: a tag value is passed into a database query without being properly escaped, so an attacker who supplies a specially crafted tag can read information from the database that they are not authorized to see.
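The following is an added illustration of the bug class described above, written for this post; it is not StatusNet's code and does not reproduce the actual vulnerable query. The table names, sample rows, tag format and the crafted tag are all assumptions constructed for the example. It shows a list lookup that splices the tag into the SQL text, the crafted tag that turns it into a read of an unrelated table, and the hardened form that validates the tag and binds it as a parameter.

```python
import re
import sqlite3

# Assumed tag format for this example: a short slug. Anything else is
# rejected before it gets anywhere near the database.
TAG_RE = re.compile(r"^[A-Za-z0-9_]{1,64}$")


def build_db():
    """Constructed sample data (not StatusNet's schema): one public
    tag-to-profile listing and one table the caller must never read."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE profile_list (tag TEXT, profile_id INTEGER, description TEXT);
        INSERT INTO profile_list VALUES ('friends', 1, 'public list');
        INSERT INTO profile_list VALUES ('friends', 2, 'public list');
        CREATE TABLE user_private (profile_id INTEGER, email TEXT);
        INSERT INTO user_private VALUES (1, 'alice@example.org');
        INSERT INTO user_private VALUES (2, 'bob@example.org');
        """
    )
    return conn


def lists_by_tag_vulnerable(conn, tag):
    """Bug class: the tag is spliced into the SQL text, so a tag containing
    a quote closes the string literal and the remainder runs as SQL."""
    sql = "SELECT profile_id, description FROM profile_list WHERE tag = '%s'" % tag
    return conn.execute(sql).fetchall()


def is_valid_tag(tag):
    """Whitelist check on the tag format (assumed format, see TAG_RE)."""
    return TAG_RE.match(tag) is not None


def lists_by_tag_fixed(conn, tag):
    """Hardened form: reject malformed tags outright, and bind the value as
    a query parameter so the driver never interprets it as SQL."""
    if not is_valid_tag(tag):
        raise ValueError("malformed tag")
    sql = "SELECT profile_id, description FROM profile_list WHERE tag = ?"
    return conn.execute(sql, (tag,)).fetchall()


# A crafted "tag" that turns the list query into a read of the private table.
# The closing quote ends the literal, UNION appends rows from another table
# with the same column count, and "--" comments out the original trailing quote.
CRAFTED_TAG = "' UNION SELECT profile_id, email FROM user_private --"

if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", lists_by_tag_vulnerable(db, CRAFTED_TAG))
    try:
        lists_by_tag_fixed(db, CRAFTED_TAG)
    except ValueError as err:
        print("fixed:", err)
```

Parameter binding alone would already stop the injection (the crafted string would simply match no tag); the format check is a second layer that also rejects garbage before it reaches the query and makes the failure visible in logs rather than silent.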

New versions of StatusNet have been released that include a patch to fix these errors:

  • StatusNet 1.1.1 is recommended for all installations. It includes the fix for this SQL injection, additional fixes for code paths that could have allowed injection but were not found to be exploitable, and bug fixes for other issues.
  • StatusNet 1.0.2 is recommended for StatusNet 1.0.0 and 1.0.1 users who aren't ready to upgrade to 1.1.1. It includes only the SQL injection fixes.

