Oh no! Where's the JavaScript?
Your Web browser does not have JavaScript enabled or does not support JavaScript. Please enable JavaScript on your Web browser to properly view this Web site, or upgrade to a Web browser that does support JavaScript.
Not a member yet? Click here to register.
Forgot Password?
Category

Security

Admin Password Reset Malfunction
Recent events has made us aware of a malfunction of the Admin Password Reset page in the Administration Panel of PHPFusion v7.02. Given the right conditions this malfunction could enable a hacker to gain access to those accounts which have had their password reset using the Admin Password Reset page. Affected PHPFusion versions: All PHPFusion v7.02.xx. Details of the malfunction: The malfunction was caused by improper implementation of the PasswordAuth class (/includes/classes/PasswordAuth.class.php) which handles login and admin passwords for all users in PHPFusion. The malfunction resulted in 1 out of 10 reset admins would have an empty login password which enabled the hacker to access the account using a random password of his or hers choosing. Our recommandation: Until PHPFusion v7.02.03 is release we discourage all use of the Admin Password Reset page. It is however not possible to exploit this problem without first using the Admin Password Reset. If you have used this we encourage you to change your passwords manually. More information will continuously be available on the Development Site as well as patched files. In the mean time you can send your questions directly to Hans Kristian Flaatten, Development Team Leader.
S
May 30 2011 2 minutes
PHPFusion v6.01.19 upgrade for v6.01.18
We have just been informed about a very serious MySQL injections in the latest version of PHPFusion v6, PHPFusion v7 is perfectly safe and this injection do not harm any sites running PHPFusion v7 only those still using PHPFusion v6. The new package includes a fix for the MySQL vulnerability in members_poll_panel.php as described in this thread. The presently released packages are up to date with the present version of the SVN (1423) and the downloads on SourceForge have been updated. Upgrading is performed by unzipping the upgrade package, uploading the contents to your webserver and run the upgrade script from Admin Panel -> System Admin -> Upgrade. PHPFusion 6.01.19 Update - for 6.01.18 only (3.1 K. PHPFusion 6.01.19 (2.2 M. PHPFusion v6 is no longer developed and we suggest everyone having a site using PHPFusion v6 to upgrade to PHPFusion v7 for a better experience and security! Credits: Thanks a lot to our users; smokeman, for detecting and reporting on this vulnerability, and slaughter for helping providing a fix for it.
November 28 2009 3 minutes
New spambot attack on PHPFusion v6 sites
During the last week is has become clear that there is a new wave of spambots registering on PHPFusion v6 sites. Especially sites that do not have member activation by administrators enabled may suffer from severe spamming in comments for news, photo's, custom pages, etc. It appears as if at least two different waves took place; the first possibly testing whether the bot script worked, the second doing most of the severe spamming. The first wave resulted in registrations with the name Wilfred_Detwistleton8005 and only few spam comments were left. The second wave used the name Walter_Rowbotham36c41 and I have seen sites with as few a zero spam comments, but also ones with over a hundred. Used email accounts were gmail accounts with a plausible sounding name (which did NOT reflect the chosen username) and with a few apparently random letters and numbers before @. Deleting the bot accounts will delete all spam comments. To prevent the spamming from happening you should enable member activation by admins or upgrade to v7 for a different captcha method. Perhaps some third party mods can also prevent the spam.
January 13 2009 2 minutes
PHPFusion v7.00.05 upgrade for v7.00.4
It's with pleasure that we announce the present upgrade package for PHPFusion v7. This package includes two minor vulnerabilities and a whole bunch of bug fixes and smaller improvements. Most bug fixes were already available through the SVN and, indeed, have already been distributed through some of the later core installation packages. The bug fixes themselves were not distributed in any of the upgrade packages earlier. The whole list of changed files is available in the Read More section. Please note that we have decided to add a leading '0' to the subversion number. This was done for future consitency in version numbering. The presently released packages are up to date with the present version of the SVN (1091) and the downloads on SourceForge have been updated. Upgrading is performed by unzipping the upgrade package, uploading the contents to your webserver and run the upgrade script from Admin Panel -> System Admin -> Upgrade. PHPFusion 7.00.05 Update - for 7.00.4 only (116K. PHPFusion 7.00.05 (2.7 M. UPDATE 13 January 2009: A small bug was found in viewpage.php and has been corrected. If users experience problems viewing custom pages, then it is likely you have the buggy version of viewpage.php. You should then re-download the update package and re-upload the file. Core packages with the version have a file stating they are based on SVN1089. The new version is based on SVN1091.
January 13 2009 9 minutes
Security update for PHPFusion 7.00.3 and 6.01.17
Another XSS vulnerability in messages.php has been reported and fixed. PHPFusion 7.00.4 Update - for 7.00.3 only (7Kb). PHPFusion 6.01.18 Update - for 6.01.17 only (6Kb). The full download pacakages on SourceForge have also been updated. Thanks to Nepster for the heads up!
December 29 2008 1 minute
Security update for PHPFusion 7.00.2 & 6.01.16
An exploit in submit.php was reported just before our recent downtime. It only affects servers with magic quotes disabled so risk is minimal. As always we have prepared an update which addresses the issue. The SVN and full download package have also been updated. PHPFusion 7.00.3 Update - for 7.00.2 (4.37K. PHPFusion 6.01.17 Update - for 6.01.16 (4K.
December 29 2008 1 minutes
Themes Site - Offline | Update: Online
Due to detected malicious hacking attempts directed at the themes site it will remain offline until further investigation can be completed. We thank you for your patience while we investigate! To calm everyone, this is not a PHPFusion flaw but the remains of the last attack which we were still analyzing and investigating. From my analysis to date it seems to have been a few nasty little scripts left behind that we missed when we cleaned up the account. Cheers Update: The themes site is now back online!
November 25 2008 1 minute
PHPFusion v6.01.16 - as promised...
For those of you who did not update to v7 yet, a SQL Injection vulnerability patch is available for v6.01.15. As usual - if you are running an earlier version of 6.01, you need to apply the previous updates before utilizing this patch. However, please note that this update is for v6 ONLY! PHPFusion 6.01.16 Update - for v6.01.15 only (1,58 K. Please refer to the previous news item for a patch for PHPFusion Core 7 Edition.
November 22 2008 1 minute
Security update for PHPFusion 7.00.1
We are happy to announce that the exploit in messages.php that was reported earlier today is now fixed. Also updated is search.php to cure a few niggles, but that was nothing serious. An update for v6 will follow soon. The SVN and full download package have also been updated. PHPFusion 7.00.2 Update - for 7.00.1 only (11K. UPDATE: A W3C validation error in messages.php has now been fixed.
November 21 2008 1 minute
Exploit in Private Message System reported
Today a exploit was reported in messages.php, the main file responsible for the Private Message System. It is been brought to attention of the developers and they will release a patch as soon as possible. If you want to be certain that your site will not be affected by this exploit you are advised to remove messages.php from your server until the patch has been released. Update: 12.53 GMT: This issue also applies to v6 versions of PHPFusion. It should be noted it will only be when magic_quotes is set to off (applies both to v6 and v7). Update: 13.10 GMT: According to Digitanium the risk is relatively low. PLEASE NOTE: The Private Message System has been disabled temporarily on this site, too.
November 21 2008 1 minutes
PHPFusion v6 - Mod Vulnerability Patch
The PHPFusion version 6 vulnerability was officially linked to an Advanced Search System modification from mFusion developed by Wooya. You can download a patch by PMM at the following link ( http://www.phpfusion-mods.com/ ) or you can download a patch by Wooya (which was just released) on the Polish site at the following URL ( http://www.php-fusion.pl/ ). Wooya: If you can please post your copy of the patch to the above URL on phpfusion-mods.com as well. As well earlier today there was an issue in the forums caused by a MySQL error. This was not a hack attempt but it was a server issue which has now been corrected. Cheers
November 14 2008 1 minutes
Once more: Update your site a.s.a.p.
Please be advised that the person(s) responsible for attacking the PHPFusion sites through the search vulnerability is still active, even though a fix is made available. The raw access logs from my own site, even though upgraded to v7.00.1, show five (5!) different attempts in the last 15 hours to inject data into the databse. As no rogue files or additional SA's were found, it is clear the new files have closed the vulnerability. Also check the news items below.
November 13 2008 1 minute
PHPFusion v6 Vulnerability Information
Hello all, A update on our efforts to find the issue with v6. Why it has taken us awhile to track it down is because the hack is targeted towards search.php as well in v6. However the affected regions in v7 are not in v6 unless you are using the Advanced Search System mod from mFusion. For those running this mod you need to get in touch with the author and or return it back to original v6 status. We will continue to research this issue. Please, also report HERE. Cheers
November 13 2008 1 minutes