Last night Twitter buzzed up with a set of "exploits" for ocPortal, published without fore-notice by an Iranian student hacker.
The "exploits" all target the ocPortal installer, which ocPortal actually will not allow you to leave enabled after you've installed your site – for security reasons. On further review we have not been able to reproduce any of the listed exploits, or find any serious problem during code analysis.
The only issue we were able to find was the ability for a hacker read any file named licence.txt out of a directory of their choice, if you left the installer in place prior to finishing the installation of your website. This issue will be resolved in the next release.
Response to published ocPortal "exploits" [updated]