Security

Private Message system open to exploits
I have been alerted to some SQL injection exploits in PHPFusion's private message system. The problem is that certain variables are not sanitised (don't blame me, I didn't create it!). I've fixed it now, so it's all nicely secure. The full package has been updated to include the fix. Existing users can grab the messages patch from the downloads area.
August 15 2005 1 minute
Improved IMG BBCode fix
The recent img bbcode patch fixed one problem, but it is still exploitable under certain conditions. I have been working on a long term solution and have created a more reliable fix. The Sourceforge files have been updated; existing users can download the new maincore.php file from the downloads area. If you prefer to update the code yourself, click Read More for instructions.
August 07 2005 3 minutes
BB Code security patch
Two security flaws have recently been discovered in the BB code parsing by two of our users. Grindordie found that a user could virtually deface areas of the site that utilise the [color] tags. While this does not cause any harm, it can be rather annoying. EasyEx's discovery is quite a troublesome one: an attacker can potentially delete items from your site using the [img] tags without anyone knowing. As usual I have produced the required fixes. The Sourceforge files have been updated; existing users can download the new maincore.php file from the downloads area.

Update: I've refined the code and updated the files. If you prefer to update the code yourself, click Read More for instructions.

Update 2: The original [img] BB code fix does not quite cure the problem; we have now come up with a better solution. The Sourceforge and update files have been updated. Click Read More to see the new code.
August 05 2005 3 minutes
DB Backup security patch
As you know, a flaw was discovered recently which allows a malicious user to grab any db backup file created by PHPFusion. I have created a temporary solution whereby a random 8-character hash is added to the filename, which should make it practically impossible to guess the filename. This is only a temporary solution whilst the dev team come up with a long term solution. This fix has been added to the full download over at Sourceforge. Existing users can download the patched db-backup file from the Downloads area.
July 13 2005 1 minute
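The idea behind the patch above, appending a random part to the backup filename so it cannot be guessed, shown as an added example that is not PHPFusion's own code. It assumes a hypothetical `backups` directory, draws 64 bits from a CSPRNG instead of the 8 characters mentioned in the post, and only serves names that match the exact pattern:

```php
<?php
// Added example, not PHPFusion's code: unguessable backup names plus a strict
// whitelist check before any requested name touches the file system.
declare(strict_types=1);

// Hypothetical backup directory. It should also be kept outside the web root
// or denied by the web server, so the names cannot simply be listed.
const BACKUP_DIR = __DIR__ . '/backups';

// e.g. "db-backup-20050713-3f9a1c7e2b8d4e61.sql.gz": the date is for humans,
// the 16 hex chars (64 bits from random_bytes) make the name unguessable.
function backupFileName(int $timestamp): string
{
    $random = bin2hex(random_bytes(8)); // CSPRNG, not md5(time()) or similar
    return sprintf('db-backup-%s-%s.sql.gz', date('Ymd', $timestamp), $random);
}

// Only names of the exact expected shape are accepted; this rejects "../",
// empty names and anything else that is not a generated backup name.
function isValidBackupName(string $name): bool
{
    return preg_match('/\Adb-backup-\d{8}-[0-9a-f]{16}\.sql\.gz\z/', $name) === 1;
}

// Resolve a requested name to a real file inside BACKUP_DIR, or null.
function resolveBackup(string $name): ?string
{
    if (!isValidBackupName($name)) {
        return null;
    }
    $path = BACKUP_DIR . '/' . $name;
    return is_file($path) ? $path : null;
}

// Usage: create a name when writing the dump, validate it when serving.
$name = backupFileName(time());
var_dump(isValidBackupName($name));           // true
var_dump(isValidBackupName('../config.php')); // false
```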
v6.00.106 update fixes xss exploit
While I was away an XSS exploit was uncovered in the news/article submission functions. The code I had produced to prevent the exploit was not quite right. This problem has now been rectified. Existing PHPFusion users can update using the v6.00.106 update pack. If you want to add the fix manually, you simply need to replace the descript() function in your maincore.php. The Sourceforge file has been updated.

Update: It seems we forgot to include the prune forum function; the code was in place but there is no prune button in the forum settings admin page. I've added the required fixes as per Rayxen's advice. Sorry about that. To update, simply upload the files contained in the zip and then click Upgrade under System Admin in your Admin Panel. Download v6.00.106 update (8Kb).
July 01 2005 1 minute