Well the title says it all, but I don’t think this is a reason for anyone to have a heart attack, aside from me but I’m recovered now 😉
As the release has only been out <24 hours I doubt there are many production sites running on the vulnerable code, but if you were svn updating a live site, a very bad practice by the way, then svn up again 😉
The problem: very simple, some recent code we introduced to merge, compress and cache CSS and js files was accepting arbitrary paths from GET – ouch. The checking is now much more stringent.
Thanks to the gentleman over at milw0rm.com who posted the flaw less than 24hrs after the release went out. While he didn’t inform me or anyone I know of, Google alerts notified me of his announcement. In my view this is open source (with a little help from Google) working at its best.
Finally, please note that the title of the exploit article is inaccurate, it claims versions <= 0.6.3 are affected, this is not true, the affected optimizer.php file was only introduced in 0.6.3.