We have just been informed about a very serious MySQL injections in the latest version of PHPFusion v6, PHPFusion v7 is perfectly safe and this injection do not harm any sites running PHPFusion v7 only those still using PHPFusion v6. The new package includes a fix for the MySQL vulnerability in members_poll_panel.php as described in this thread. The presently released packages are up to date with the present version of the SVN (1423) and the downloads on SourceForge have been updated. Upgrading is performed by unzipping the upgrade package, uploading the contents to your webserver and run the upgrade script from Admin Panel -> System Admin -> Upgrade. PHPFusion 6.01.19 Update - for 6.01.18 only (3.1 K. PHPFusion 6.01.19 (2.2 M. PHPFusion v6 is no longer developed and we suggest everyone having a site using PHPFusion v6 to upgrade to PHPFusion v7 for a better experience and security! Credits: Thanks a lot to our users; smokeman, for detecting and reporting on this vulnerability, and slaughter for helping providing a fix for it.

During the last week is has become clear that there is a new wave of spambots registering on PHPFusion v6 sites. Especially sites that do not have member activation by administrators enabled may suffer from severe spamming in comments for news, photo's, custom pages, etc. It appears as if at least two different waves took place; the first possibly testing whether the bot script worked, the second doing most of the severe spamming. The first wave resulted in registrations with the name Wilfred_Detwistleton8005 and only few spam comments were left. The second wave used the name Walter_Rowbotham36c41 and I have seen sites with as few a zero spam comments, but also ones with over a hundred. Used email accounts were gmail accounts with a plausible sounding name (which did NOT reflect the chosen username) and with a few apparently random letters and numbers before @. Deleting the bot accounts will delete all spam comments. To prevent the spamming from happening you should enable member activation by admins or upgrade to v7 for a different captcha method. Perhaps some third party mods can also prevent the spam.

It's with pleasure that we announce the present upgrade package for PHPFusion v7. This package includes two minor vulnerabilities and a whole bunch of bug fixes and smaller improvements. Most bug fixes were already available through the SVN and, indeed, have already been distributed through some of the later core installation packages. The bug fixes themselves were not distributed in any of the upgrade packages earlier. The whole list of changed files is available in the Read More section. Please note that we have decided to add a leading '0' to the subversion number. This was done for future consitency in version numbering. The presently released packages are up to date with the present version of the SVN (1091) and the downloads on SourceForge have been updated. Upgrading is performed by unzipping the upgrade package, uploading the contents to your webserver and run the upgrade script from Admin Panel -> System Admin -> Upgrade. PHPFusion 7.00.05 Update - for 7.00.4 only (116K. PHPFusion 7.00.05 (2.7 M. UPDATE 13 January 2009: A small bug was found in viewpage.php and has been corrected. If users experience problems viewing custom pages, then it is likely you have the buggy version of viewpage.php. You should then re-download the update package and re-upload the file. Core packages with the version have a file stating they are based on SVN1089. The new version is based on SVN1091.

Another XSS vulnerability in messages.php has been reported and fixed. PHPFusion 7.00.4 Update - for 7.00.3 only (7Kb). PHPFusion 6.01.18 Update - for 6.01.17 only (6Kb). The full download pacakages on SourceForge have also been updated. Thanks to Nepster for the heads up!

An exploit in submit.php was reported just before our recent downtime. It only affects servers with magic quotes disabled so risk is minimal. As always we have prepared an update which addresses the issue. The SVN and full download package have also been updated. PHPFusion 7.00.3 Update - for 7.00.2 (4.37K. PHPFusion 6.01.17 Update - for 6.01.16 (4K.

Due to detected malicious hacking attempts directed at the themes site it will remain offline until further investigation can be completed. We thank you for your patience while we investigate! To calm everyone, this is not a PHPFusion flaw but the remains of the last attack which we were still analyzing and investigating. From my analysis to date it seems to have been a few nasty little scripts left behind that we missed when we cleaned up the account. Cheers Update: The themes site is now back online!

For those of you who did not update to v7 yet, a SQL Injection vulnerability patch is available for v6.01.15. As usual - if you are running an earlier version of 6.01, you need to apply the previous updates before utilizing this patch. However, please note that this update is for v6 ONLY! PHPFusion 6.01.16 Update - for v6.01.15 only (1,58 K. Please refer to the previous news item for a patch for PHPFusion Core 7 Edition.

We are happy to announce that the exploit in messages.php that was reported earlier today is now fixed. Also updated is search.php to cure a few niggles, but that was nothing serious. An update for v6 will follow soon. The SVN and full download package have also been updated. PHPFusion 7.00.2 Update - for 7.00.1 only (11K. UPDATE: A W3C validation error in messages.php has now been fixed.

Today a exploit was reported in messages.php, the main file responsible for the Private Message System. It is been brought to attention of the developers and they will release a patch as soon as possible. If you want to be certain that your site will not be affected by this exploit you are advised to remove messages.php from your server until the patch has been released. Update: 12.53 GMT: This issue also applies to v6 versions of PHPFusion. It should be noted it will only be when magic_quotes is set to off (applies both to v6 and v7). Update: 13.10 GMT: According to Digitanium the risk is relatively low. PLEASE NOTE: The Private Message System has been disabled temporarily on this site, too.

The PHPFusion version 6 vulnerability was officially linked to an Advanced Search System modification from mFusion developed by Wooya. You can download a patch by PMM at the following link ( http://www.phpfusion-mods.com/ ) or you can download a patch by Wooya (which was just released) on the Polish site at the following URL ( http://www.php-fusion.pl/ ). Wooya: If you can please post your copy of the patch to the above URL on phpfusion-mods.com as well. As well earlier today there was an issue in the forums caused by a MySQL error. This was not a hack attempt but it was a server issue which has now been corrected. Cheers

Please be advised that the person(s) responsible for attacking the PHPFusion sites through the search vulnerability is still active, even though a fix is made available. The raw access logs from my own site, even though upgraded to v7.00.1, show five (5!) different attempts in the last 15 hours to inject data into the databse. As no rogue files or additional SA's were found, it is clear the new files have closed the vulnerability. Also check the news items below.

Hello all, A update on our efforts to find the issue with v6. Why it has taken us awhile to track it down is because the hack is targeted towards search.php as well in v6. However the affected regions in v7 are not in v6 unless you are using the Advanced Search System mod from mFusion. For those running this mod you need to get in touch with the author and or return it back to original v6 status. We will continue to research this issue. Please, also report HERE. Cheers