Category: Bugs and Errors

3rd party infusion exploits
Recently several community users' websites have been hacked. From what we can tell this is not due to PHPFusion Core exploits but to infusions/mods that have exploits. Doing a bit of research we have found that the following website has some of them listed. If you use any infusions/mods other than official infusions from staff, please make sure you review this list and either disable or update the affected infusions/mods.
http://www.milw0rm.com/related.php?program=PHPFusion
Cheers
October 07 2008 1 minute
Mantis Bug Tracker
Along with the release of the helpdesk system we are proud to announce the release of the Mantis Bug Tracking system. This system will allow users to report bugs and ask for feature requests, which can be denied, accepted and allocated to certain version numbers like a roadmap. The only major downfall to a system like this is that, with the vast majority of users that we do have in the community, duplicate bug reports are going to happen. What I ask from the community is simple: before posting your bug or feature request, please search the system for it first and simply add your notes and information to the currently existing bug report. This will make it much easier for the dev crew to analyze issues. We don't want to be spending our time marking duplicate bug reports and closing them. So without further ado:
http://mantis.php-fusion.co.uk/dev/
Update: Apparently it's one of the Dev Staff's birthdays... Happy Birthday to Wooya!
April 03 2008 2 minutes
Service release (6.01.9)
As we prepare to enter the first alpha phase of version 7, today I am releasing an update for version 6.01. The main emphasis of this update is to close a number of issues. For details of what has been updated click Read more. Although we are busy developing version 7 we remain committed to ensuring that version 6 is kept to a good standard, and we will release further updates if necessary. Existing v6.01.8 users can download the file '6.01.9 Update for v6.01.8' and simply upload the included files and click upgrade under System Admin. If you are running an earlier version of 6.01.x you will need to apply the previous updates first. The full sourceforge package has been updated.
Credits: Forum and message bugs: BloodKiller. Other bugs discovered by various members. Thank you to everyone for continuing to help improve the quality of PHPFusion.
Download PHPFusion 6.01.9 Update FOR V6.01.8 ONLY (24Kb).
Download PHPFusion 6.01.9 (2.04Mb).
March 25 2007 3 minutes
Minor file update
A security team called fixed before hacked.com has recently informed me of a cross site exploit which can allow a malicious user to change a logged in user's profile, caused by a hole in the file includes/update_profile_include.php. Don't panic though! As ever, I have created a fix and you are encouraged to update your site. As this is a simple fix and I am rather busy with development I have opted not to release a patch. However, you can download the file from the cvs using the link below. The sourceforge download has been updated to include the fixed line. Thanks to Chislam for the information.
Update: fixed a minor error, sorry for any inconvenience.
Download update_profile_include.php
View updated update_profile_include.php (File version 1.06).
November 18 2006 1 minute
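The post above describes a cross-site exploit that lets another site change a logged-in user's profile. The following is an added example, not PHP-Fusion's own code or the actual fix that shipped: it assumes the cross-site request forgery pattern and shows a per-session token that a profile-update form must echo back before the server applies any change. The function names, the `csrf_token` field and the use of `$_SESSION` are assumptions.

```php
<?php
// Added example (not PHP-Fusion code): a per-session anti-forgery token for
// state-changing forms such as a profile update. Assumes session_start() has
// already been called by the including page.
declare(strict_types=1);

/** Return the session's CSRF token, creating it on first use. */
function csrfToken(array &$session): string
{
    if (!isset($session['csrf_token']) || !is_string($session['csrf_token'])) {
        // 32 random bytes from the CSPRNG, rendered as 64 hex characters.
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

/** Hidden input to place inside the profile form; the value is attribute-escaped. */
function csrfField(array &$session): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8') . '">';
}

/**
 * Accept the update only for a POST whose token equals the session's.
 * A GET can be triggered by an <img> or a link on a third-party page, so it
 * never qualifies; hash_equals() compares in constant time.
 */
function csrfRequestIsValid(array $session, array $post, string $method): bool
{
    if ($method !== 'POST' || !isset($session['csrf_token'], $post['csrf_token'])) {
        return false;
    }
    return is_string($post['csrf_token'])
        && hash_equals($session['csrf_token'], $post['csrf_token']);
}

// Typical use at the top of an update-profile handler:
// if (!csrfRequestIsValid($_SESSION, $_POST, $_SERVER['REQUEST_METHOD'])) {
//     http_response_code(403);
//     exit('Invalid or missing form token.');
// }
// ...and csrfField($_SESSION) is echoed inside the <form> that posts here.

// Constructed self-check: a matching token passes, a missing or foreign one does not.
$session = [];
$field = csrfField($session);
$good = csrfRequestIsValid($session, ['csrf_token' => $session['csrf_token']], 'POST');
$bad  = csrfRequestIsValid($session, ['csrf_token' => str_repeat('0', 64)], 'POST');
$get  = csrfRequestIsValid($session, ['csrf_token' => $session['csrf_token']], 'GET');
var_dump($good, $bad, $get); // bool(true) bool(false) bool(false)
```

The token is tied to the session rather than to the user record so that a leaked token expires with the login; rotating it after a successful password change is a cheap addition if the page already handles that event.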
Couple of minor fixes
This morning I received information about an XSS exploit in the shoutbox. A user can plant malicious code via the shout_name field. Knowing my code, I immediately knew the same trick can be done in comments. Two fixes then, which are comments_include.php and shoutbox_panel.php. Existing v6.00.303 users can download the file '6.00.304 update for v6.00.303'. Simply upload the included files and click upgrade under System Admin. The Sourceforge packages have also been updated as usual. Thanks to Ruyn for the heads up.
Feb 11 2006 @ 19:30 Update: I've been informed of a weakness in the $srch_text variable in messages.php. I've added the updated file to the 304 patch and have updated the Sourceforge packages. Thanks to system_meltdown for letting me know.
Download PHPFusion 6.00.304 Update for v6.00.303 (5Kb).
February 05 2006 2 minutes
Critical update - v6.00.303
Following the recent attack on a number of PHPFusion sites I have been looking for a possible exploit. Thanks to Jangus, we believe a user has been able to steal the site admin's cookie by uploading avatars with malicious filenames. Having checked our avatar files I discovered a number of hacked images. Annoyingly these files cannot be deleted via FTP. All admins are advised to check the folder images/avatars for any strange filenames. You should contact your host and ask them to remove any affected files from the avatars folder. To combat this exploit, the following files have been updated: includes/update_profile_include.php and administration/updateuser.php. You should also change your password to be on the safe side. Existing v6.00.301/302 users can update using 6-00-303up.zip; simply upload the files and click upgrade under system admin. The sourceforge packages have been updated to include this critical fix.
Update: Thanks to skarecrow for confirming this serious exploit.
Download PHPFusion 6.00.303 Update for v6.00.301/302 (7Kb).
January 11 2006 2 minutes
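Two defensive steps follow from the avatar post above: the uploader must never get to choose the name that lands in images/avatars, and administrators need a quick way to audit that folder for entries that do not look like plain image files. The code below is an added example, not PHP-Fusion's own upload or admin code; the allowed extensions, size limit, `avatar_<userid>.<ext>` naming scheme and function names are assumptions, and the demo folder it audits is constructed in a temporary directory.

```php
<?php
// Added example (not PHP-Fusion code): server-chosen avatar filenames plus an
// audit of an existing avatars folder. Naming scheme and limits are assumed.
declare(strict_types=1);

const AVATAR_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif'];
const AVATAR_MAX_BYTES  = 100 * 1024;

/**
 * Return the filename to store an uploaded avatar under, or null to reject it.
 * Only the extension of the client-supplied name is consulted; the stored name
 * is built from the (already validated) user id, so it can never carry quotes,
 * angle brackets, path separators or a second extension.
 */
function safeAvatarName(string $clientName, string $tmpPath, int $userId): ?string
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!in_array($ext, AVATAR_EXTENSIONS, true)) {
        return null;
    }
    if (!is_file($tmpPath) || filesize($tmpPath) > AVATAR_MAX_BYTES) {
        return null;
    }
    // getimagesize() parses the file header, so a renamed script (or a
    // directory carrying an image extension) fails here whatever it is called.
    $info = @getimagesize($tmpPath);
    if ($info === false
        || !in_array($info[2], [IMAGETYPE_JPEG, IMAGETYPE_PNG, IMAGETYPE_GIF], true)) {
        return null;
    }
    return sprintf('avatar_%d.%s', $userId, $ext);
}

/**
 * Audit an avatars folder. Returns [filename => reason] for every entry an
 * administrator should look at; an empty array means nothing stood out.
 */
function suspiciousAvatarNames(string $dir): array
{
    $entries = scandir($dir);
    if ($entries === false) {
        return [$dir => 'cannot read directory'];
    }
    $flagged = [];
    foreach ($entries as $name) {
        if ($name === '.' || $name === '..') {
            continue;
        }
        $path = $dir . DIRECTORY_SEPARATOR . $name;
        $ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
        if (!preg_match('/^[A-Za-z0-9_-]+\.[A-Za-z0-9]+$/', $name)) {
            $flagged[$name] = 'unexpected characters in name';   // quotes, <, spaces, ...
        } elseif (!in_array($ext, AVATAR_EXTENSIONS, true)) {
            $flagged[$name] = 'extension is not an image type';
        } elseif (!is_file($path)) {
            $flagged[$name] = 'not a regular file';              // e.g. a directory named x.jpg
        } elseif (@getimagesize($path) === false) {
            $flagged[$name] = 'content is not an image';
        }
    }
    return $flagged;
}

/** Constructed demo: builds a throwaway folder, audits it, and cleans up. */
function demoAvatarAudit(): array
{
    $dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'avatars_' . bin2hex(random_bytes(4));
    mkdir($dir);
    $gif = "GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"   // 1x1 GIF
         . "\x21\xf9\x04\x01\x00\x00\x00\x00\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x44\x01\x00\x3b";
    file_put_contents("$dir/user_12.gif", $gif);             // legitimate
    file_put_contents("$dir/odd name(1).gif", $gif);         // characters outside the pattern
    file_put_contents("$dir/notes.txt", 'hello');            // wrong extension
    file_put_contents("$dir/fake.png", '<?php echo 1; ?>');  // not an image
    mkdir("$dir/subdir.jpg");                                // directory named like an image
    $result = suspiciousAvatarNames($dir);
    rmdir("$dir/subdir.jpg");
    foreach (['user_12.gif', 'odd name(1).gif', 'notes.txt', 'fake.png'] as $f) {
        unlink("$dir/$f");
    }
    rmdir($dir);
    return $result;
}

print_r(demoAvatarAudit()); // flags everything except user_12.gif
```

Running the audit against a live images/avatars folder is just `suspiciousAvatarNames(__DIR__ . '/images/avatars')`; the reasons it prints are what to hand to the host when asking for the offending entries to be removed, as the post advises.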
Patch to stop iframe insertion
A patch to stop the insertion of the malicious code in Settings Main is now available for download. All users running version 6.00.301 should update their sites. Alternatively you can view the changes in the cvs and update manually. Existing v6.00.301 users can update using 6-00-302up.zip; simply upload the files and click upgrade under system admin. The sourceforge packages have been updated to include this critical fix.
Download PHPFusion 6.00.302 Update for v6.00.301 (3Kb).
January 07 2006 1 minute
Messages struck by new exploit
A union exploit has been discovered in the $show variable in messages.php. This will only work if your server has magic_quotes turned off, so most users are safe. I strongly recommend that you update your messages.php immediately. You can download the file below or view the required changes in the cvs. The sourceforge files have been updated. We take security issues very seriously here at PHPFusion and are committed to releasing fixes as soon as possible.
Download messages.php
December 31 2005 1 minute
Multiple vulnerabilities in PHPFusion 6
It's another bug hunt day for PHPFusion. I've recently been informed of three exploits, 2 of them major. members.php can be exploited by manipulating the $sortby variable via the url (fixed). There is a potential cross-site exploit in the $_POST['rating'] variable in ratings_include.php (fixed). Finally, the return of the [IMG] bbcode cross-site exploit in maincore.php: the system can be fooled into believing that a folder with a valid image extension is an image, which can be very serious if an admin were to view a message which contains this exploit. This one has had me studying for hours; it's a pig of a fix, but it's the best I can do. These issues also affect v6.00.2x; you can find the update info in the cvs. Existing v6.00.300 users can update using 6-00-301up.zip; simply upload the files and click upgrade under system admin. The sourceforge packages have been updated with all of the above fixes.
Download PHPFusion v6.00.301 update (24Kb).
December 21 2005 2 minutes
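The shoutbox/comments XSS post (shout_name, comment text) and the three issues just above ($sortby from the URL, $_POST['rating'], and the [IMG] bbcode) share one root cause: request values reaching SQL or HTML without validation or output encoding. The block below is an added example, not PHP-Fusion's own code or its actual fixes; the column names in `SORT_COLUMNS`, the 1..5 rating scale and the function names are assumptions. It shows a whitelist for the sort column, strict integer validation for the rating, attribute-safe encoding for shout output, and an [img] converter that only accepts a syntactically constrained URL and escapes it into the attribute.

```php
<?php
// Added example (not PHP-Fusion code): validate request values before they
// reach SQL, and escape every user-supplied string at output time.
declare(strict_types=1);

const SORT_COLUMNS = ['user_name', 'user_joined', 'user_level']; // assumed column names

/** Map ?sortby= to one of the allowed column names; the raw value never reaches SQL. */
function sortColumn(?string $requested): string
{
    return in_array($requested, SORT_COLUMNS, true) ? $requested : SORT_COLUMNS[0];
}

/** A rating is a single digit 1..5 (assumed scale); anything else is rejected. */
function ratingValue($posted): ?int
{
    if (!is_string($posted) && !is_int($posted)) {
        return null;
    }
    return preg_match('/^[1-5]$/', (string) $posted) ? (int) $posted : null;
}

/** Escape a string for an HTML text node or a double-quoted attribute value. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Render one shout; name and message are both escaped, so markup in either is inert. */
function renderShout(string $shoutName, string $shoutMessage): string
{
    return '<div class="shout"><b>' . h($shoutName) . '</b>: ' . h($shoutMessage) . '</div>';
}

/**
 * Replace [img]...[/img] with an <img> tag only when the URL is absolute,
 * http(s), has no query or fragment, and its path ends in an image extension.
 * The URL is attribute-escaped, so a crafted value cannot break out of src="".
 * As the post notes, an extension check constrains the name only; it cannot
 * prove the target is really an image, so the escaping is what matters.
 */
function imgBbcodeToHtml(string $text): string
{
    $escaped = h($text);   // escape first, then work on the already-safe text
    return preg_replace_callback(
        '/\[img\](.+?)\[\/img\]/i',
        static function (array $m): string {
            $url   = html_entity_decode($m[1], ENT_QUOTES, 'UTF-8');
            $parts = parse_url($url);
            $ok = $parts !== false
                && isset($parts['scheme'], $parts['host'], $parts['path'])
                && in_array(strtolower($parts['scheme']), ['http', 'https'], true)
                && !isset($parts['query'])
                && !isset($parts['fragment'])
                && preg_match('/\.(jpe?g|png|gif)$/i', $parts['path']);
            return $ok ? '<img src="' . h($url) . '" alt="">' : $m[0];
        },
        $escaped
    );
}

// Constructed inputs showing each check.
var_dump(sortColumn('user_name'));                       // "user_name"
var_dump(sortColumn('user_name, (SELECT 1)'));           // "user_name" (fallback)
var_dump(ratingValue('4'), ratingValue('4<b>'));          // int(4), NULL
echo renderShout('<script>x</script>', 'hi "there"'), "\n";
echo imgBbcodeToHtml('[img]http://example.com/a.jpg[/img]'), "\n";
echo imgBbcodeToHtml('[img]javascript:alert(1)[/img]'), "\n";  // left as escaped text
```

`sortColumn()` is the pattern to reach for whenever a request value selects an identifier (column, table, file): identifiers cannot be bound as prepared-statement parameters, so a closed list is the only safe option.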
Latest problem with messages.php fixed.
A new concern has been reported in messages.php. This time it's a weakness in the search feature in which the url can be manipulated to create a SQL injection. Again, it's easily fixed and I have released a patch. I've also fixed a minor error in the move thread function of forum/options.php. It only arises if you move a thread from a forum that contains only one thread. The sourceforge archive has been updated. Existing 6.00.206 users: you can update your system by uploading the contents of the file 6-00-207up.zip to your server, then click Upgrade under System Admin. If you prefer to add the fixes manually please refer to the CVS Browser.
Download v6.00.207 update (32Kb).
November 28 2005 1 minute
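Both messages.php posts (the union exploit through $show that only worked with magic_quotes off, and the injection through the search url) come down to query values being interpolated into SQL. The following is an added example, not PHP-Fusion's code or its patch: a strictly validated numeric id and a normalised search term, both bound as prepared-statement parameters so that nothing depends on magic_quotes (off on many servers, and removed from PHP altogether in 5.4). The `messages` table, its columns, and the use of `mysqli_stmt::get_result()` (which needs the mysqlnd driver) are assumptions.

```php
<?php
// Added example (not PHP-Fusion code): the two request values from the
// messages.php posts, validated and bound rather than interpolated.
declare(strict_types=1);

/** Message id from ?show=: only a positive integer of up to 10 digits passes. */
function messageIdFromQuery(array $query): ?int
{
    if (!isset($query['show']) || !preg_match('/^[1-9]\d{0,9}$/', (string) $query['show'])) {
        return null;
    }
    return (int) $query['show'];
}

/** Search term from ?srch_text=: trimmed, control characters stripped, length capped. */
function searchTermFromQuery(array $query): ?string
{
    $term = trim((string) ($query['srch_text'] ?? ''));
    $term = preg_replace('/[\x00-\x1f\x7f]/', '', $term);
    if ($term === '' || mb_strlen($term, 'UTF-8') > 64) {
        return null;
    }
    return $term;
}

/** Escape LIKE metacharacters so the user's text matches literally (MySQL escape is backslash). */
function likeLiteral(string $term): string
{
    return addcslashes($term, '%_\\');
}

/** Fetch one message, bound by id and recipient, or null if it is not theirs. */
function loadMessage(mysqli $db, int $userId, int $messageId): ?array
{
    $stmt = $db->prepare(
        'SELECT message_id, message_subject, message_text FROM messages
          WHERE message_id = ? AND message_to = ?'
    );
    $stmt->bind_param('ii', $messageId, $userId);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

/** Search the recipient's own messages by subject; the term is a bound LIKE parameter. */
function searchMessages(mysqli $db, int $userId, string $term): array
{
    $pattern = '%' . likeLiteral($term) . '%';
    $stmt = $db->prepare(
        'SELECT message_id, message_subject FROM messages
          WHERE message_to = ? AND message_subject LIKE ?
          ORDER BY message_id DESC LIMIT 50'
    );
    $stmt->bind_param('is', $userId, $pattern);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Validation alone, on constructed query strings (no database needed):
var_dump(messageIdFromQuery(['show' => '42']));                       // int(42)
var_dump(messageIdFromQuery(['show' => '42 UNION SELECT 1']));        // NULL
var_dump(searchTermFromQuery(['srch_text' => "  hello%world\x00 "])); // "hello%world"
var_dump(likeLiteral('100%_done'));                                   // "100\%\_done"
```

The id check rejects anything but digits before the value is even cast, so the query never sees a string in a numeric position; the search term is allowed to contain quotes and `%`, because binding it as a parameter and escaping only the LIKE wildcards keeps both harmless.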
Minor forum exploits patch
A few minor exploits have been identified in the forum files index.php, options.php and viewforum.php. I have fixed the reported problems and have released an update for existing users. The full download has been updated. You can find out what has been changed in the CVS Browser.
Download forum fixes (6Kb).
November 19 2005 1 minute
PHPFusion not MySQL 5 compatible
Once in a while a developer gets punished for programming habits. Well, it's just happened to me, and the result is PHPFusion not being MySQL 5 compatible. Don't panic though; I do know where the problem lies (use of short inserts) and I will be updating all problematic MySQL inserts over the next few weeks. This issue should not affect mainstream servers just yet, but of course I know some developers are using MySQL 5 on their own test servers.
November 17 2005 1 minute
Missing file in 204up
A quick note: whilst updating the 204up patch, the file db-backup.php was accidentally removed from the administration folder. This has been corrected. It does not affect the sourceforge download.
October 23 2005 1 minute