Security

New spambot attack on PHPFusion v6 sites
During the last week it has become clear that there is a new wave of spambots registering on PHPFusion v6 sites. Especially sites that do not have member activation by administrators enabled may suffer from severe spamming in comments for news, photos, custom pages, etc. It appears as if at least two different waves took place; the first possibly testing whether the bot script worked, the second doing most of the severe spamming. The first wave resulted in registrations with the name Wilfred_Detwistleton8005 and only a few spam comments were left. The second wave used the name Walter_Rowbotham36c41 and I have seen sites with as few as zero spam comments, but also ones with over a hundred. The email accounts used were gmail accounts with a plausible sounding name (which did NOT reflect the chosen username) and with a few apparently random letters and numbers before the @. Deleting the bot accounts will delete all spam comments. To prevent the spamming from happening you should enable member activation by admins or upgrade to v7 for a different captcha method. Perhaps some third party mods can also prevent the spam.
January 13 2009 2 minutes
PHPFusion v7.00.05 upgrade for v7.00.4
It's with pleasure that we announce the present upgrade package for PHPFusion v7. This package includes fixes for two minor vulnerabilities and a whole bunch of bug fixes and smaller improvements. Most bug fixes were already available through the SVN and, indeed, have already been distributed through some of the later core installation packages. The bug fixes themselves were not distributed in any of the earlier upgrade packages. The whole list of changed files is available in the Read More section. Please note that we have decided to add a leading '0' to the subversion number. This was done for future consistency in version numbering. The presently released packages are up to date with the present version of the SVN (1091) and the downloads on SourceForge have been updated. Upgrading is performed by unzipping the upgrade package, uploading the contents to your webserver and running the upgrade script from Admin Panel -> System Admin -> Upgrade. PHPFusion 7.00.05 Update - for 7.00.4 only (116K). PHPFusion 7.00.05 (2.7 M). UPDATE 13 January 2009: A small bug was found in viewpage.php and has been corrected. If users experience problems viewing custom pages, then it is likely you have the buggy version of viewpage.php. You should then re-download the update package and re-upload the file. Core packages with the buggy version have a file stating they are based on SVN1089. The new version is based on SVN1091.
January 13 2009 9 minutes
Security update for PHPFusion 7.00.3 and 6.01.17
Another XSS vulnerability in messages.php has been reported and fixed. PHPFusion 7.00.4 Update - for 7.00.3 only (7Kb). PHPFusion 6.01.18 Update - for 6.01.17 only (6Kb). The full download packages on SourceForge have also been updated. Thanks to Nepster for the heads up!
December 29 2008 1 minute
Security update for PHPFusion 7.00.2 & 6.01.16
An exploit in submit.php was reported just before our recent downtime. It only affects servers with magic quotes disabled, so the risk is minimal. As always we have prepared an update which addresses the issue. The SVN and full download package have also been updated. PHPFusion 7.00.3 Update - for 7.00.2 (4.37K). PHPFusion 6.01.17 Update - for 6.01.16 (4K).
December 29 2008 1 minute
Themes Site - Offline | Update: Online
Due to detected malicious hacking attempts directed at the themes site, it will remain offline until further investigation can be completed. We thank you for your patience while we investigate! To calm everyone: this is not a PHPFusion flaw but the remains of the last attack, which we were still analyzing and investigating. From my analysis to date it seems to have been a few nasty little scripts left behind that we missed when we cleaned up the account. Cheers. Update: The themes site is now back online!
November 25 2008 1 minute
PHPFusion v6.01.16 - as promised...
For those of you who did not update to v7 yet, a SQL injection vulnerability patch is available for v6.01.15. As usual, if you are running an earlier version of 6.01, you need to apply the previous updates before utilizing this patch. However, please note that this update is for v6 ONLY! PHPFusion 6.01.16 Update - for v6.01.15 only (1,58 K). Please refer to the previous news item for a patch for PHPFusion Core 7 Edition.
November 22 2008 1 minute
Security update for PHPFusion 7.00.1
We are happy to announce that the exploit in messages.php that was reported earlier today is now fixed. Also updated is search.php to cure a few niggles, but that was nothing serious. An update for v6 will follow soon. The SVN and full download package have also been updated. PHPFusion 7.00.2 Update - for 7.00.1 only (11K). UPDATE: A W3C validation error in messages.php has now been fixed.
November 21 2008 1 minute
Exploit in Private Message System reported
Today an exploit was reported in messages.php, the main file responsible for the Private Message System. It has been brought to the attention of the developers and they will release a patch as soon as possible. If you want to be certain that your site will not be affected by this exploit you are advised to remove messages.php from your server until the patch has been released. Update 12.53 GMT: This issue also applies to v6 versions of PHPFusion. It should be noted that it only applies when magic_quotes is set to off (applies both to v6 and v7). Update 13.10 GMT: According to Digitanium the risk is relatively low. PLEASE NOTE: The Private Message System has been disabled temporarily on this site, too.
November 21 2008 1 minute
PHPFusion v6 - Mod Vulnerability Patch
The PHPFusion version 6 vulnerability was officially linked to an Advanced Search System modification from mFusion developed by Wooya. You can download a patch by PMM at the following link ( http://www.phpfusion-mods.com/ ) or you can download a patch by Wooya (which was just released) on the Polish site at the following URL ( http://www.php-fusion.pl/ ). Wooya: if you can, please post your copy of the patch to the above URL on phpfusion-mods.com as well. Also, earlier today there was an issue in the forums caused by a MySQL error. This was not a hack attempt but a server issue, which has now been corrected. Cheers
November 14 2008 1 minute
Once more: Update your site a.s.a.p.
Please be advised that the person(s) responsible for attacking PHPFusion sites through the search vulnerability is still active, even though a fix has been made available. The raw access logs from my own site, even though upgraded to v7.00.1, show five (5!) different attempts in the last 15 hours to inject data into the database. As no rogue files or additional SAs were found, it is clear the new files have closed the vulnerability. Also check the news items below.
November 13 2008 1 minute
PHPFusion v6 Vulnerability Information
Hello all, an update on our efforts to find the issue with v6. The reason it has taken us a while to track it down is that the hack is targeted towards search.php in v6 as well. However, the affected regions in v7 are not in v6 unless you are using the Advanced Search System mod from mFusion. For those running this mod, you need to get in touch with the author and/or return it back to original v6 status. We will continue to research this issue. Please also report HERE. Cheers
November 13 2008 1 minute
Critical Security update for PHPFusion 7
Ok folks, as you know a security issue was reported yesterday. I and the dev team have been working on the issue and a fix is now available for v7. We have yet to discover v6's flaw at this time, but we believe it may be a non-core infusion. Anyway, v7 users, I have released a small update pack. Simply extract the files and overwrite your existing files. Then go to Upgrade in your Admin Panel and follow the prompts. The SVN and full download package have also been updated. PHPFusion 7.00.1 Update - for 7.00 only (15K). Note: We are still searching for the exact source of the v6 vulnerability.
November 11 2008 1 minute
PHPFusion v6/v7 Vulnerability
We have recently come across a vulnerability in PHPFusion version 7 and PHPFusion v6.01.11+. As of right now, what we know is that PHP files are being uploaded via PHPFusion to your servers, which then provide a back door allowing users to compromise not only your site but the server itself, depending on the configuration of the server. What you can do: firstly, check your downloads/attachments/forum attachments/avatars folders for .php files and delete them. Basically, any folder chmodded 777 to allow users to upload files needs to be chmodded back to 755 or, to be more cautious, to 644. Also check your list of administrators to see if you have any mysterious SAs. We will endeavour to keep everyone updated as we learn more. We are currently working on a fix. A vulnerability has been detected in search.php; for now please delete it from your server. Join us on PHPFusion chat for progress and information updates. Please check your site footers and HTML areas: it seems this hack is also inserting URLs into people's footers and other areas of the site to increase search engine rankings. Cheers
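A read-only audit for the two filesystem indicators named in the advisory above (PHP files dropped into upload folders, and upload folders still chmodded 777), written as an added example rather than PHPFusion project code; the list of upload folders is an assumed placeholder for a typical install and should be adjusted to your own layout.

```shell
#!/bin/sh
# Added example, not PHPFusion project code: audit a site root for the
# indicators the advisory names. Nothing is deleted or modified; the output
# is a list for the admin to review before cleaning up by hand.
# UPLOAD_DIRS is an assumption (typical install paths); adjust as needed.
UPLOAD_DIRS="images/avatars downloads forum/attachments attachments"

# audit_site ROOT: prints one line per finding and returns the finding
# count (0 means clean; counts above 255 are truncated by the shell).
audit_site() {
    root=$1
    count=0
    for dir in $UPLOAD_DIRS; do
        [ -d "$root/$dir" ] || continue
        # Any file whose name contains ".php" (including double extensions
        # such as x.php.jpg) does not belong in a folder meant for uploads.
        n=$(find "$root/$dir" -type f -name '*.php*' | wc -l | tr -d ' ')
        if [ "$n" -gt 0 ]; then
            find "$root/$dir" -type f -name '*.php*' | sed 's/^/SUSPECT_FILE /'
        fi
        count=$((count + n))
        # World-writable directories: the 777 the advisory says to revert.
        w=$(find "$root/$dir" -type d -perm -002 | wc -l | tr -d ' ')
        if [ "$w" -gt 0 ]; then
            find "$root/$dir" -type d -perm -002 | sed 's/^/WORLD_WRITABLE_DIR (chmod 755 recommended): /'
        fi
        count=$((count + w))
    done
    echo "findings: $count"
    return "$count"
}
```

Run it as `audit_site /path/to/site`; a non-zero exit status makes it easy to chain into a nightly cron check.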
November 10 2008 2 minutes
PHP Fusion Site and Server Maintenance
Major server and site maintenance will be happening later tonight. We will be putting the site into maintenance mode and will also be working on the server. The site may be completely unreachable for a period of 30 minutes or so. Please do not panic. The maintenance should not take any longer than 1 hour. UPDATE: Maintenance Completed! - Avatars and Forum Attachments will be moved within the next 48 hours. Cheers
September 13 2008 1 minute
PHPFusion v6.01.15
A Secunia advisory has brought to my attention a SQL injection vulnerability, hence yet another patch is available. Simply download the update package, overwrite the affected files and click the upgrade button under System Admin; that should be it. As usual, if you are running an earlier version of 6.01.xx, you need to apply the previous updates before utilizing this patch. The full SourceForge package and the SVN have also been updated: PHPFusion 6.01.15 Update - for v6.01.14 only (3,86 K). PHPFusion 6.01.15 (2.04 M). I feel like repeating myself - lol... Please refer to Secunia.com for details.
April 21 2008 2 minutes