A new exploit has been disclosed by rgod. The avatar upload accepted filenames with multiple file extensions, which allowed PHP files to be uploaded as avatars. I have addressed this issue and have released updates for v6.00.305 and v6.00.306. We have also received information relating to locale file inclusion, but this is more down to 3rd party code.
Existing v6.00.305/6 users can download the file '6.00.307 update for v6.00.305/6'. If you are using an earlier 6.00.3 version, ensure you upgrade to v6.00.305 before applying this update. Simply upload the included files and click Upgrade under System Admin. The Sourceforge packages have also been updated as usual.
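As an added illustration of the avatar problem described above (example code, not PHP-Fusion's own upload handler): a filename check that accepts only a single, allow-listed image extension, so names such as "shell.php.gif" are rejected. The allow-list and sample filenames are assumptions constructed for this example.

```php
<?php
// Added example, not part of the PHP-Fusion release. Validates an uploaded
// avatar filename: exactly one extension, taken from an allow-list.
// Allowed avatar image extensions (assumption for this example).
$avatar_extensions = array("gif", "jpg", "jpeg", "png");

function is_safe_avatar_name($name, $allowed) {
    // Drop any directory component the client may have supplied.
    $name = basename($name);
    // Require exactly "<base>.<ext>". A name like "x.php.jpg" has two
    // extensions, which some web servers still hand to the PHP engine.
    $parts = explode(".", $name);
    if (count($parts) != 2) {
        return false;
    }
    list($base, $ext) = $parts;
    // Base name restricted to a safe character set and must not be empty.
    if ($base === "" || !preg_match('/^[A-Za-z0-9_-]+$/', $base)) {
        return false;
    }
    // Extension compared case-insensitively against the allow-list only.
    return in_array(strtolower($ext), $allowed, true);
}

// Constructed sample filenames with the verdict each should receive.
$samples = array(
    "me.jpg"        => true,
    "ME.PNG"        => true,
    "shell.php.gif" => false,   // double extension: rejected
    "shell.php"     => false,   // not an image extension: rejected
    "../../me.jpg"  => true,    // basename() reduces this to "me.jpg"
    "me.jpg;x"      => false,   // extension "jpg;x" is not allow-listed
);
foreach ($samples as $file => $expected) {
    $ok = is_safe_avatar_name($file, $avatar_extensions);
    echo $file . " => " . ($ok ? "accepted" : "rejected")
        . ($ok === $expected ? "" : "  (unexpected)") . "\n";
}
```

This check belongs in a file that itself starts with the IN_FUSION guard quoted below, so it cannot be invoked directly; validating the extension alone does not verify that the file content is actually an image.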
Inclusion files (particularly infusion panels and files) are open to an exploit if they include calls to locale files. Core files are protected against this by using the following:
if (!defined("IN_FUSION")) { header("Location: ../../index.php"); exit; }
It's vitally important that 3rd party developers ensure inclusion files cannot execute on their own, and therefore they should use the above line directly after the opening