Critical update - v6.00.307

A new exploit has been revealed by rgod. It allows PHP files to be uploaded as avatars by allowing multiple file extensions. I have addressed this issue and have released updates for v6.00.305 and v6.00.306. We have also received information relating to locale file inclusion, but this is more down to 3rd party code. Please click Read More for details.

Existing v6.00.305/6 users can download the file '6.00.307 update for v6.00.305/6'. If you are using an earlier 6.00.3 version, ensure you upgrade to v6.00.305 before applying this update. Simply upload the included files and click upgrade under System Admin. The SourceForge packages have also been updated as usual. Click Read More for manual update details.

Download PHPFusion 6.00.307 Update for v6.00.305 (13Kb).
Download PHPFusion 6.00.307 Update for v6.00.306 (3Kb).

Inclusion files (particularly infusion panels and files) are open to an exploit if they include calls to locale files. Core files are protected against this by using the following:

if (!defined("IN_FUSION")) { header("Location: ../../index.php"); exit; }




It's vitally important that 3rd party developers ensure inclusion files cannot execute on their own, and they should therefore use the above line directly after the opening
Falk May 08 2006 28,755
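
The avatar issue described above comes from accepting an uploaded file name that carries more than one extension. As an added example (not PHP-Fusion's own fix; the function name `safe_avatar_name`, the `avatar_<id>` naming scheme and the sample input are assumptions), an upload check that accepts exactly one allowlisted extension, confirms the content is an image of that type, and never reuses the client's file name:

```php
<?php
// Added example: hypothetical helper, not code from PHP-Fusion.

const AVATAR_TYPES = [          // allowlisted extension => expected image type
    'gif'  => IMAGETYPE_GIF,
    'jpg'  => IMAGETYPE_JPEG,
    'jpeg' => IMAGETYPE_JPEG,
    'png'  => IMAGETYPE_PNG,
];

/**
 * Returns a safe server-side file name for an uploaded avatar, or null if rejected.
 * $clientName is the browser-supplied name; $tmpPath is the uploaded temp file
 * (in a real handler: $_FILES[...]['tmp_name'], checked with is_uploaded_file()).
 */
function safe_avatar_name(string $clientName, string $tmpPath, int $userId): ?string
{
    $parts = explode('.', strtolower(basename($clientName)));

    // Exactly one dot and an allowlisted extension: "me.gif" passes,
    // "me.php.gif" is refused because some server configurations act on
    // every extension in a name, not only the last one.
    if (count($parts) !== 2 || $parts[0] === '' || !array_key_exists($parts[1], AVATAR_TYPES)) {
        return null;
    }
    $ext = $parts[1];

    // The content must really be an image of the type the extension claims.
    $info = @getimagesize($tmpPath);
    if ($info === false || $info[2] !== AVATAR_TYPES[$ext]) {
        return null;
    }

    // Build the stored name from trusted values only.
    return sprintf('avatar_%d.%s', $userId, $ext);
}

// Constructed sample: a 1x1 GIF written to a temp file stands in for the upload.
$tmp = tempnam(sys_get_temp_dir(), 'av');
file_put_contents($tmp, base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'));

foreach (['me.gif', 'me.php.gif', 'me.php', 'me.png'] as $name) {
    printf("%-12s => %s\n", $name, safe_avatar_name($name, $tmp, 42) ?? 'rejected');
}
unlink($tmp);
```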