Vulnerability in Private Messages
Following a Secunia advisory (PHPFusion "msg_send" SQL Injection Vulnerability) I have released an updated messages.php script for existing PHPFusion v6.00.1xx setups.

Input passed to the "msg_send" parameter in "messages.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

The sourceforge package has been updated to include the above fix.
Download Messages Security Patch (10Kb).

Updated: The fix did not account for the $msg_send variable being blank, which prevented the use of the write new message button. This has now been rectified. Sorry for any inconvenience caused.

Falk September 30 2005 23,914
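
The two points above (unsanitised "msg_send" reaching a SQL query, and a first fix that broke the blank case) can be shown together. This is an added example, not the code of the released messages.php. It assumes "msg_send" carries a numeric recipient id, and the function names, table and in-memory SQLite data are hypothetical and constructed for the illustration.

```php
<?php
// Added illustration; not PHP-Fusion's messages.php. Names and schema are hypothetical.

/**
 * Normalise the msg_send request value.
 * Returns null when it is absent or blank (compose form, no recipient chosen),
 * an int when it is a plain decimal id, and throws for anything else.
 */
function parse_msg_send(?string $raw): ?int
{
    if ($raw === null || $raw === '') {
        return null; // blank must stay usable: the "write new message" case
    }
    // ctype_digit() rejects signs, spaces, quotes and any non-decimal character
    if (!ctype_digit($raw) || strlen($raw) > 9) {
        throw new InvalidArgumentException('msg_send must be a numeric id');
    }
    return (int)$raw;
}

/** Look up the recipient with a bound parameter, never string concatenation. */
function find_recipient(PDO $db, ?int $id): ?string
{
    if ($id === null) {
        return null;
    }
    $stmt = $db->prepare('SELECT user_name FROM users WHERE user_id = :id');
    $stmt->execute([':id' => $id]);
    $name = $stmt->fetchColumn();
    return $name === false ? null : $name;
}

// Constructed sample data in an in-memory SQLite database
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, user_name TEXT)');
$db->exec("INSERT INTO users VALUES (1, 'alice'), (2, 'bob')");

// Constructed inputs: valid id, blank, absent, and two non-numeric values
foreach (['2', '', null, "2'", 'abc'] as $raw) {
    try {
        $who = find_recipient($db, parse_msg_send($raw));
        echo var_export($raw, true), ' => ', $who ?? '(no recipient preselected)', "\n";
    } catch (InvalidArgumentException $e) {
        echo var_export($raw, true), ' => rejected: ', $e->getMessage(), "\n";
    }
}
```

Treating blank as a distinct, valid state before the numeric check is what keeps the compose button working while still refusing any value that is not a plain id.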