Oh no! Where's the JavaScript?
Your Web browser does not have JavaScript enabled or does not support JavaScript. Please enable JavaScript on your Web browser to properly view this Web site, or upgrade to a Web browser that does support JavaScript.
Not a member yet? Click here to register.
Forgot Password?

Bugs and Errors

3rd party infusion exploits
Recently several community users websites have been hacked, from what we can tell this is not due to PHPFusion Core exploits but due to infusions/mods that have exploits. Doing a bit of research we have found that the following website has some of them listed. If you use any infusions/mods other than official infusions from staff please make sure you review this list and either disable or update the affected infusions/mods. http://www.milw0rm.com/related.php?program=PHPFusion Cheers
October 07 2008 1 minute
Mantis Bug Tracker
Along with the release of the helpdesk system we are proud to announce the release of the Mantis Bug Tracking system. This system will allow users to report bugs, ask for feature requests which can be denied, accepted and allocated to certain version numbers like a roadmap. The only major downfall to a system like this is with the vast majority of users that we do have in the community duplicate bug reports are going to happen. What I ask from the community is simple, before posting your bug or feature request please search the system for it before and simply add your notes and information to the currently existing bug report. This will make it much easier for the dev crew to analyze issues. We dont want to be spending our time marking duplicate bug reports and closing them. So without further adue: http://mantis.php-fusion.co.uk/dev/ Update: Apparently its one of the Dev Staff's birthday... Happy Birthday to Wooya!
April 03 2008 2 minutes
Service release (6.01.9)
As we prepare to enter the first alpha phase of version 7, today I am releasing an update for version 6.01. The main emphasis of this update is to close a number of issues. For details of what has been updated click Read more. Although we are busy developing version 7 we remain committed to ensuring the version 6 is kept to a good standard and we will release further updates if necessary. Existing v6.01.8 users can download the file '6.01.9 Update for v6.01.8 and simply upload the included files and click upgrade under System Admin. if you are running an earlier version of 6.01.x you will first need to apply the previous updates first. The full sourceforge package has been updated. Credits: Forum and message bugs: BloodKiller. Other bugs discovered by various members. Thank you to everyone for continuing to help improve the quality of PHPFusion. PHPFusion 6.01.9 Update FOR V6.01.8 ONLY (24Kb). PHPFusion 6.01.9 (2.04Mb).
March 25 2007 3 minutes
Minor file update
A security team called fixed before hacked.com has recently informed me of a cross site exploit which can allow a malicious user to change a logged in user's profile caused by a hole in the file includes/update_profile_include.php. Don't panic though! as ever I have created a fix and you are encouraged to update your site. As this is a simple fix and I am rather busy with development I have opted not to release a patch. However, you can download the file from the cvs using the link below. The sourceforge download has been updated to include the fixed line. Thanks to Chislam for the information. Update: fixed a minor error, sorry for any inconvenience. Download update_profile_include.php View updated update_profile_include.php (File version 1.06).
November 18 2006 1 minutes
Couple of minor fixes
This morning I received information about an XSS exploit in the shoutbox. A user can plant malicious code via the shout_name field. Knowing my code, I immediatey knew the same trick can be done in comments. Two fixes then which are comments_include.php and shoutbox_panel.php. Existing v6.00.303 users can download the file '6.00.304 update for v6.00.303'. Simply upload the inluded files and click upgrade under System Admin. The Sourceforge packages have also been updated as usual. Thanks to Ruyn for the heads up Feb 11 2006 @ 19:30 Update I've been informed of a weakness in the $srch_text variable in messages.php. I've added the updated file to the 304 patch and have updated the Sourceforge packages. Thanks to system_meltdown for letting me know. Download PHPFusion 6.00.304 Update for v6.00.303 (5Kb).
February 05 2006 2 minutes
Critical update - v6.00.303
Following the recent attack on a number of PHPFusion sites I have been looking for a possible exploit. Thanks to Jangus, we believe a user has been able to steal the site admins cookie by uploading avatars with malicious filenames. Having checked our avatar files I discovered a number of hacked images. Annoyingly these files cannot be deleted via ftp. All admins are advised to check the folder images/avatars for any strange filenames. You should contact your host and ask them to remove any affected files from the avatars folder. To combat this exploit, the following files have been updated: includes/update_profile_include.php and administration/updateuser.php. You should also change your password to be on the safe side. Existing v6.00.301/302 users can update using 6-00-303up.zip, simply upload the files and click upgrade under system admin. The sourceforge packages have been updated to include this critical fix. Update: Thanks to skarecrow for confirming this serious exploit. Download PHPFusion 6.00.303 Update for v6.00.301/302 (7Kb).
January 11 2006 2 minutes
Patch to stop iframe insertion
A patch to stop the insertion of the malicious code in Settings Main is now available for download. All users running version 6.00.301 should update their sites. Alternatively you can view the changes in the cvs and update manually. Existing v6.00.301 users can update using 6-00-302up.zip, simply upload the files and click upgrade under system admin. The sourceforge packages have been updated to include this critical fix. Download PHPFusion 6.00.302 Update for v6.00.301 (3Kb).
January 07 2006 1 minute
Messages struck by new exploit
A union exploit has been discovered in the $show variable in messages.php. This will only work if your server has magic_quotes turned off, so most users are safe. I strongly recommend that you update your messages.php immediately. You can download the file below or view the required changes in the cvs. The sourceforge files have been updated. We take security issues very seriously here at PHPFusion and are committed to releasing fixes as soon as possible. Download messages.php
December 31 2005 1 minute
Multiple vulnerabilities in PHPFusion 6
It's another bug hunt day for PHPFusion. I've recently been informed of three exploits, 2 of them major. members.php can be exploited by minipulating the $sortby variable via the url (fixed). There is a potential cross-site exploit in the $_POST['rating'] variable in ratings_include.php (fixed). Finally, the return of the [IMG] bbcode cross-site exploit in maincore.php, the system can be fooled into believing that a folder with a valid image extension is an image, this can be very serious if an admin were to view a message which contains this exploit. This one has had me studying for hours, it's a pig of a fix, but it's the best I can do. These issues also affects v6.00.2x, you can find the update info in the cvs. Existing v6.00.300 users can update using 6-00-301up.zip, simply upload the files and click upgrade under system admin. The sourceforge packages have been updated with all of the above fixes. Download PHPFusion v6.00.301 update (24Kb).
December 21 2005 2 minutes
Latest problem with messages.php fixed.
A new concern has been reported in messages.php. This time it's a weakness in the search feature in which the url can be minipulated to create a SQL injection. Again, it's easily fixed and I have released a patch. I've also fixed a minor error in the move thread function of forum/options.php. It only arises if you move a thread from a forum that contains only one thread. The sourceforge archive has been updated. Existing 6.00.206 users: You can update your system by uploading the contents of the file 6-00-207up zip to your server, then click Upgrade under System Admin. If you prefer to add the fixes manually please refer the CVS Browser. Download v6.00.207 update (32Kb).
November 28 2005 1 minutes
Minor forum exploits patch
A few minor exploits have been identified in the forum files index.php, options.php and viewforum.php. I have fixed the reported problems and have released an update for existing users. The full download has been updated. You can find out what has been changed in the CVS Browser. Download forum fixes (6Kb).
November 19 2005 1 minutes
PHPFusion not MySQL 5 compatible
Once in a while a developer gets punished for programming habits. Well it's just happened to me, and the result is PHPFusion not being MySQL 5 compatible. Don't panic though, I do know where the problem lies (use of short inserts) and I will be updating all problematic MySQL inserts over the next few weeks. This issue should not affect main stream servers just yet, but of course I know some developers are using MySQL 5 on their own test servers.
November 17 2005 1 minute
Missing file in 204up
A quick note, whilst updating the 204up patch the file db-backup.php was accidently removed from the administration folder. This has been corrected. It does not affect the sourceforge download.
October 23 2005 1 minute