Recent events have made us aware of a malfunction in the Admin Password Reset page in the Administration Panel of PHPFusion v7.02. Given the right conditions, this malfunction could enable an attacker to gain access to those accounts which have had their password reset using the Admin Password Reset page.
Affected PHPFusion versions: All PHPFusion v7.02.xx.
Details of the malfunction:
The malfunction was caused by an improper implementation of the PasswordAuth class (/includes/classes/PasswordAuth.class.php), which handles login and admin passwords for all users in PHPFusion. As a result, 1 out of 10 admins whose password was reset ended up with an empty login password, which enabled an attacker to access the account using a random password of his or her choosing.
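The two defensive measures this failure calls for, as an added illustration that is not PHPFusion's own PasswordAuth code (the page does not describe the class internals): a password check that never accepts an empty stored credential, and a reset routine that reads back and verifies what it wrote instead of assuming the write succeeded. The hashing scheme, the FlakyStore (a constructed store that loses every 10th write, modelling the 1-in-10 figure) and all names are assumptions of this example.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 100_000  # illustrative PBKDF2 work factor, not PHPFusion's scheme


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'salt_hex$digest_hex' (PBKDF2-SHA256); constructed scheme for the example."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(stored: Optional[str], candidate: str) -> bool:
    """Hardened check: an empty or missing stored credential never verifies, whatever the candidate."""
    if not stored or "$" not in stored:
        return False
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def reset_admin_password(users: dict, name: str, new_password: str) -> bool:
    """Write the new hash, then read it back and verify it; report success only if that check passes."""
    if not new_password:
        return False
    users[name] = hash_password(new_password)
    return verify_password(users.get(name), new_password)


def find_empty_admin_passwords(users: dict) -> list:
    """Audit helper: account names whose stored password field is empty or missing."""
    return sorted(name for name, stored in users.items() if not stored)


class FlakyStore(dict):
    """Constructed stand-in for a store that loses every 10th write, leaving the field empty."""

    def __init__(self):
        super().__init__()
        self.writes = 0

    def __setitem__(self, key, value):
        self.writes += 1
        super().__setitem__(key, "" if self.writes % 10 == 0 else value)
```

Running the audit after each reset, rather than trusting the reset page's success message, is what catches the one account in ten that the advisory describes.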
Our recommendation:
Until PHPFusion v7.02.03 is released, we discourage all use of the Admin Password Reset page. It is, however, not possible to exploit this problem without first using the Admin Password Reset page. If you have used it, we encourage you to change your passwords manually.
More information, as well as patched files, will continuously be made available on the Development Site. In the meantime you can send your questions directly to Hans Kristian Flaatten, Development Team Leader.
We have just been informed about a very serious MySQL injection vulnerability in the latest version of PHPFusion v6. PHPFusion v7 is not affected; this injection does not harm any site running PHPFusion v7, only those still using PHPFusion v6. The new package includes a fix for the MySQL vulnerability in members_poll_panel.php as described in this thread.
The currently released packages are up to date with the current version of the SVN (1423), and the downloads on SourceForge have been updated.
Upgrading is performed by unzipping the upgrade package, uploading the contents to your web server and running the upgrade script from Admin Panel -> System Admin -> Upgrade.
PHPFusion 6.01.19 Update - for 6.01.18 only (3.1 K)
PHPFusion 6.01.19 (2.2 M)
PHPFusion v6 is no longer developed, and we suggest that everyone running a site on PHPFusion v6 upgrade to PHPFusion v7 for a better experience and better security!
Credits:
Thanks a lot to our users: smokeman, for detecting and reporting this vulnerability, and slaughter, for helping to provide a fix for it.