
PHPFusion

V6 Development Log
As you can see the v5.02 dev log has been replaced with v6's dev log. Work is progressing well and our goal to have a release ready for the end of May is on course. As work is on-going some items may be subject to change. Again, we understand everyone's frustration at not being able to download PHPFusion at this time. Please don't ask for any downloads, when it is available we will let you all know. I appreciate your patience, and remember, you do have other options.
April 27 2005 1 minute
Update
Hey all, good to be back. We are all working hard to get PHPFusion back in general distribution. We expect our rewritings to take a good month, but we will get there. We are redesigning the admin panel, this may be rebadged as CMS Management, but nothing is concrete yet. We have established a crew, not all are coders. Official crew: Me (Digitanium), CrappoMan, evit, Janmol, KEFF, Rayxen, Shedrock & Sheldon. Beta Crew: Above plus helmuth, Sascha, ycl6, pRzemo, metaxy, SebaZ, sonar, ww.old & zszywak. We intend to maintain as much backward compatibility with v5.01, but a few things will no doubt be changing which will have some impact. We will be providing complete help on all sites that need to update, so don't worry too much. That's all for now. Cheers.
April 25 2005 1 minutes
IP Polls Infusion Released
Polls open to guests has been a much requested addition to PHPFusion. I'm pleased to announce the release of the IP Polls Infusion. It works in very much the same way as the built-in system, only it uses the user's IP address to log their vote. Obviously this method is far from foolproof because IPs in Europe tend to be dynamic rather than static. I'm sure you'll find it useful, and further improvements can and probably will be made. You can grab this Infusion from the downloads area [here].
April 13 2005 1 minute
Development Update
As you can see the development log for PHPFusion v5.02 is starting to grow. I'm currently in the process of improving the fusion_core.php to tighten up and optimise the backend, the recent security patches are doing their job, but they are being optimised to reduce the hit on performance. The changes to the core will be backward compatible, so all mods & infusions will be ok. I am making every effort to add those most requested new features, but remember that I'm still abiding by my 'keep it simple' policy. The last thing I want is to turn PHPFusion into a bloated CMS, so only essential features will be considered. v5.02 will maintain the steady improvement. As yet, there is no release date, but it will certainly be more than a month or so.
April 07 2005 1 minutes
New XSS vulnerability patch
As you may be aware a patch was recently applied to sanitise ubb code preventing javascript from being executed if in ascii format. Though this patch has been successful in eliminating such exploits, it does not account for ascii code without a trailing semi-colon. Existing users are advised to update their fusion_core.php from the service pack. The sourceforge files have been updated so new users do not need to worry about this fix. [Updated] - Click Read More if you want to update your fusion_core.php manually.
April 05 2005 3 minutes
XSS patch tweak
A few sites have been encountering problems with logging in following the recent login vulnerability patch. I've identified that the preg_match line is producing false results causing valid logins to fail. This line has been dropped but the stripinput function should be ample enough to prevent any problems. So the three lines in fusion_core.php directly after:
    if (isset($_POST['login'])) {
Are now as follows:
    $user_name = stripinput($_POST['user_name']);
    $user_pass = md5($_POST['user_pass']);
    $result = dbquery("SELECT * FROM ".$fusion_prefix."users WHERE user_name='$user_name' and user_password='$user_pass'");
I've updated the service pack and sourceforge package to include this alteration. Thanks.
March 22 2005 1 minutes
XSS vulnerability patch
Pi3cH has reported a cross-site-scripting vulnerability. PHPFusion does not properly validate user-supplied input passed by the log-in form in 'user_info_panel.php'. A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the PHPFusion software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user. It's believed this is related to the new login system I plan to implement officially in v5.02, but have made available as a mod for v5.01. The details are not exact so I have added a security fix to v5.01 to close this vulnerability. I know this must be annoying for everyone, especially as this is the 3rd security issue inside a month. You must ensure that you update the file fusion_core.php, you can get the very latest file from the service pack which is available from the downloads area. The sourceforge files have also been updated. If you prefer to update manually please click Read More for details. Thanks to Pi3cH at PersianHacker.NET for the heads up.
March 19 2005 3 minutes
Turkish Language files
Turkish language files are now available for PHPFusion 5.01 courtesy of BaRzO. There is now also a dedicated Turkish support site over at www.phpfusion-tr.com. You can get the files from the downloads page.
March 17 2005 1 minute
Further exploits closed
Following up from the previous exploit, I have added some more lines to protect the submission system from script & iframe exploits. The exploit only affects elements which allow html elements to be posted. This is easily rectified by adding these two lines to the descript() function in fusion_core.php after line 353 approx:
    $text1[12] = "#script#si"; $text2[12] = 'script';
    $text1[13] = "#iframe#si"; $text2[13] = 'iframe';
That's all there is to it. Another stride towards making PHPFusion as secure as possible. You can get the latest fusion_core.php file from the service pack. The Sourceforge download has been updated to include this fix. Thanks.
March 17 2005 1 minute
Chinese Language files
Simplified and Traditional Chinese language files are now available for PHPFusion 5.01 courtesy of Mac Lin. You can get the files from the downloads page.
March 12 2005 1 minute
Zero threat exploit note
This is getting rather tedious, it seems every hacker is hell bent on throwing a spanner in the works lately, and I'm starting to grow tired of it. This one is barely worth mentioning, but hey, who am I to deny a hacker's right to stardom, right Grindordie? The exploit affects news/article submissions, the user can use the javascript alert function to display bogus messages such as, "ha ha you've been hacked". Ok, bad example, but you get the idea. Anyway, we can patch this by filtering out alert by adding this line to fusion_core.php:
    Line 352: $text1[11] = "#alert#si"; $text2[11] = 'alert';
Simple enough, you can apply the fix yourself or grab the updated core from the service pack. The Sourceforge download has been updated as usual.
March 10 2005 1 minutes
Custom Pages / Panel Editor fixes
Following up from the recent magic quotes fix, the custom pages & panel editor have been acting strange with slashes disappearing when magic quotes gpc is on. I've corrected this issue and have updated both the service pack and Sourceforge downloads. Simply update your custom_page.php & panel_editor.php admin files with the fixed ones from the 5.01 service pack. I sincerely apologise for this mistake and any inconvenience caused. Time to take a break I think.
March 06 2005 1 minute
Critical Security update
FireSt0rm has today alerted me to an exploit in PHPFusion 5.01's javascript sanitising code which can be bypassed using ascii characters. This can be fixed by updating your fusion_core.php from the latest service pack. You are strongly advised to apply this update. You can update manually by adding the following lines to fusion_core.php:
    Line 321: $message = preg_replace_callback("/&#([0-9]{1,3});/", create_function('$matches', 'return chr($matches[1]);'), $message);
    Line 340: $message = preg_replace_callback("/&#([0-9]{1,3});/", create_function('$matches', 'return chr($matches[1]);'), $message);
The Sourceforge files have been updated. Download PHPFusion 5.01 Service Pack (123Kb).
March 05 2005 1 minute
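The decoding pattern in the manual patch above requires a trailing semicolon, which is the gap the later "New XSS vulnerability patch" note describes. The script below is an added example, not PHPFusion code: it runs that pattern and a more lenient decoder over two constructed inputs. The function names, the blocklist stand-in and the sample strings are assumptions made for illustration.

```php
<?php
// Added illustration, not PHPFusion source. Function names are hypothetical.

// Decoder with the same pattern as the manual patch: the ';' is mandatory.
function decode_refs_patch(string $text): string
{
    return preg_replace_callback('/&#([0-9]{1,3});/',
        fn(array $m): string => chr((int) $m[1]), $text);
}

// Lenient decoder: ';' optional, any digit count, decimal or hexadecimal,
// which is how HTML parsers read numeric character references.
function decode_refs_lenient(string $text): string
{
    $pattern = '/&#(?:[xX]([0-9a-fA-F]+)|([0-9]+));?/';
    do {
        $before = $text;
        $text = preg_replace_callback($pattern, function (array $m): string {
            $cp = ($m[1] !== '') ? hexdec($m[1]) : (int) $m[2];
            // Fold only printable ASCII back; leave anything else untouched.
            return ($cp >= 0x20 && $cp <= 0x7e) ? chr((int) $cp) : $m[0];
        }, $text);
        // Repeat until stable: the decoded text is what gets stored, and one
        // pass can leave a fresh reference behind (e.g. from "&#38;#106;").
    } while ($text !== $before);
    return $text;
}

// Stand-in for the blocklist step that runs after decoding (assumption).
function has_script_scheme(string $text): bool
{
    return preg_match('/javascript\s*:/i', $text) === 1;
}

// Constructed sample inputs: the same UBB link, 'j' written as reference 106.
$samples = [
    'with semicolon'    => '[url=&#106;avascript:void(0)]link[/url]',
    'without semicolon' => '[url=&#106avascript:void(0)]link[/url]',
];

foreach ($samples as $label => $input) {
    printf("%-18s patch pattern flags: %-3s lenient flags: %s\n",
        $label,
        has_script_scheme(decode_refs_patch($input)) ? 'yes' : 'no',
        has_script_scheme(decode_refs_lenient($input)) ? 'yes' : 'no');
}
```

Decoding before a blocklist only narrows the gap; encoding user text for the output context (for example with htmlspecialchars()) does not depend on recognising every spelling of a keyword.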
New addslash/stripslash functions explained.
Confused by the addition of the two new core functions addslash() and stripslash()? These functions are not intended to fully replace php's addslashes() or stripslashes(). stripslash() checks if magic_quotes_gpc is enabled before actually removing any escape slashes, whilst addslash() adds the correct amount of escape slashes which is ideal prior to inserting text into the database. On the other hand stripslashes() is still used whenever we recall data from the database which contains quotes or single quotes, e.g. HTML, PHP, or unsanitised text such as news. If you store data which has been sanitised using PHPFusion's stripinput() function then there is no need to stripslashes as quotes and single quotes are replaced with character codes. Here's the typical use of stripslashes(), stripslash() & addslash() in the news.php admin panel:
    Preview news: stripslash($_POST['news_body']);
    Save News: addslash($_POST['news_body']);
    Fetch news from db: stripslashes($data['news_body']);
March 03 2005 1 minutes
Bits & Pieces
I've updated the service pack and Sourceforge which include a few alterations to fusion_core.php (Cookies section) and a corrected fusion_forum/viewthread.php which had a missing closetable() line. I've released 2 new themes as well, Darken, a rather dark theme, and Simplicity (the current theme in use on this site). You can grab them from the downloads area. Enjoy.
March 03 2005 1 minute