Pastoid

The page you are looking at now is at this URL: http://pastoid.com/ax5

This paste was last updated on May 20, 2009 at 4:46 pm.


 At the PHP|Tek conference, one of the speakers kindly revealed a security issue with current versions of Habari. In order to leverage this vulnerability, several things need to be true:
 
* an attacker needs to know your database username and password
* an attacker needs to know your database name
* you need to have the Habari source files online and publicly accessible
* you need to have NOT YET installed Habari into your database
 
If those four things are true, an attacker can use the db_prefix field of the Habari installer (submitted as the table_prefix POST parameter) to execute arbitrary SQL.
 
This may seem esoteric, and of small consequence, but the Habari team prides itself on taking security seriously. We would hate for any users to experience any problems as a result of a vulnerability in our code, no matter how much of an outlier we might think an attack is.
 
We believe that the following code will fix the problem:
```php
// Accept the submitted prefix only if it consists solely of ASCII letters and underscores
isset( $_POST['table_prefix'] ) && (preg_replace('%[^a-zA-Z_]%', '', $_POST['table_prefix']) == $_POST['table_prefix'])
```
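To make the failure mode and the proposed check concrete, the following is an added example; it is not Habari's installer code and not part of the original post. It assumes a hypothetical installer that builds its CREATE TABLE statements by string concatenation with the submitted prefix; the function names, the DDL string and the sample inputs are all constructed for illustration.

```php
<?php
// Added example, not from Habari. Demonstrates why an unvalidated table prefix
// that is concatenated into DDL is a SQL injection vector, and how the proposed
// whitelist check stops it.

/** Same whitelist rule as the proposed fix: only ASCII letters and underscores survive. */
function isValidTablePrefix(string $prefix): bool
{
    // Strict comparison: the prefix is valid only if stripping disallowed
    // characters changes nothing.
    return preg_replace('%[^a-zA-Z_]%', '', $prefix) === $prefix;
}

/** Hypothetical naive installer step: the prefix goes straight into the statement. */
function buildCreateTableSql(string $prefix): string
{
    return "CREATE TABLE {$prefix}posts (id INT PRIMARY KEY, title VARCHAR(255))";
}

/** Hardened installer step: validate the POSTed prefix before building any SQL. */
function installStep(array $post): string
{
    if (!isset($post['table_prefix']) || !isValidTablePrefix($post['table_prefix'])) {
        throw new InvalidArgumentException('table_prefix must contain only letters and underscores');
    }
    return buildCreateTableSql($post['table_prefix']);
}

// Constructed sample inputs: a benign prefix and a prefix carrying a second statement.
$benign  = ['table_prefix' => 'habari__'];
$hostile = ['table_prefix' => "habari__posts (id INT); DROP TABLE users; -- "];

// Unpatched behaviour: the hostile prefix turns one CREATE TABLE into two statements.
echo buildCreateTableSql($hostile['table_prefix']), PHP_EOL;

// Patched behaviour: the benign prefix is accepted, the hostile one is rejected
// before any SQL is assembled.
echo installStep($benign), PHP_EOL;
try {
    installStep($hostile);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```

Two caveats worth noting. Whether the injected second statement actually runs depends on the database driver and how the installer sends the string (a driver that executes multiple statements per call is the dangerous case), which is why rejecting the input is the right place to fix it rather than relying on driver behaviour. And the whitelist as proposed refuses digits, so a prefix such as `h2_` is rejected; that is a deliberate trade-off of the fix, not a bug in it.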
 
That will be added to the installhandler.php file, and we'll prepare for a Habari 0.6.2 release. Our release guidelines state that we wait 48 hours after fixing a bug before releasing, to make sure folks in different time zones have an opportunity to review and test the proposed fix(es). If no new problems are introduced as a result of this fix, 0.6.2 will be packaged and released on Friday, May 22.
 
 
