Updated: See the alternative fix below…
In the past 24 hours, I've received numerous panicked emails from dotProject users about the Cross-Site Scripting vulnerability announced yesterday. True, it is something to be concerned about and it should be addressed. True, it could cause problems for some users.
Unfortunately, these same people seem to have missed that this has been fixed since the first 2.1 Release Candidate, which came out four months ago. This type of issue was reported to us prior to that time, and concrete steps were applied to completely close holes such as this. I know because I helped apply those changes and have been heavily involved in encouraging people to upgrade as soon as possible. In fact, it was due to those security changes that the latest version of the Project Importer – released over a month ago – doesn't work with any version prior to the 2.1 Release Candidates.
So please…
Yes, we knew about these types of problems.
Yes, these types of holes have been closed across the entire core system.
Yes, you should upgrade to 2.1RC2.
Update: If you can't upgrade because this is a "Release Candidate" instead of a full release, don't worry: there's another route if you are using Apache (an estimated 90%+ of our community). You can apply the .htaccess update released here last fall. This will disallow direct web access to the affected files and will provide protection against these types of attacks. Ideally, you would apply this update together with the upgrade.
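For readers who want to see what such an .htaccess rule looks like, here is an added example of the technique; it is not the .htaccess update distributed by dotProject or CaseySoftware, and the filenames in the pattern are placeholders you must replace with the affected files named in the real update. It covers both the Apache 2.2 `Order`/`Deny` directives and the Apache 2.4 `Require` directive so the same file works on either version.

```apache
# Added example, not the official dotProject .htaccess update.
# Place in the dotProject web root. The two filenames below are placeholders;
# substitute the actual affected files from the released update.
<FilesMatch "^(PLACEHOLDER_affected_one|PLACEHOLDER_affected_two)\.php$">
    <IfModule mod_authz_core.c>
        # Apache 2.4 and later
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2 and earlier
        Order Deny,Allow
        Deny from all
    </IfModule>
</FilesMatch>
```

Blocking a file this way only stops it from being requested over HTTP as a top-level page; PHP's include() and require() read it from the filesystem, so the rest of the application keeps working. Two checks are worth making after deploying it: confirm the server's AllowOverride setting lets .htaccess files control access (otherwise the directives are silently ignored), and request one of the listed files directly in a browser to verify you get a 403 rather than the page.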
All CaseySoftware dotProject hosting customers have had these fixes since they were applied to core… just before the first 2.1 Release Candidate, which pushes the average gap between our identify-fix-patch cycle and the public bug announcement even further into negative territory. 😉