Category: Security
v6.00.205 - Multiple exploit fixes
Files Updated: I've discovered two potential problems in infusions -> shoutbox_panel -> shoutbox_archive.php and the new news.php script. For some reason I neglected to sanitise the $rowstart variable, that's what you get for doing too much work! I've been notified about 3 exploits, 2 discovered by Yichen Xie and another reported by Secunia. Yichen Xie has discovered an exploit in lostpassword.php which allows a registered user to gain super admin access by manipulating the url. Yichen has also found that users can delete all messages again by manipulating the url. Finally, Secunia has informed us of an exploit in submitted news/articles due to improperly sanitised input. I'm pleased to say that I have addressed all of these issues and have released an immediate update. All v6.00.2 users are strongly advised to update ASAP. The sourceforge package has also been updated. Existing users can update their system by uploading the contents of the file 6-00-205up.zip to your server, then click Upgrade under System Admin. If you prefer to add the fixes manually please click Read More for instructions. Download v6.00.205 update (26Kb).
October 28 2005
Vulnerability in Private Messages
Following a Secunia advisory (PHPFusion "msg_send" SQL Injection Vulnerability) I have released an updated messages.php script for existing PHPFusion v6.00.1xx setups. Input passed to the "msg_send" parameter in "messages.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. The sourceforge package has been updated to include the above fix. Download Messages Security Patch (10Kb). Updated: The fix did not account for the $msg_send variable being blank, therefore preventing the use of the write new message button. This has now been rectified. Sorry for any inconvenience caused.
September 30 2005
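The two posts above (the unsanitised $rowstart in v6.00.205 and the "msg_send" fix for messages.php, including the follow-up about a blank value) describe the same class of defect: a request parameter reaching a SQL query as raw text. The example below is an added illustration written for this page, not the PHPFusion code from either patch. It assumes both values are numeric (a page offset and a message id); the table and column names are constructed, it uses PDO with an in-memory SQLite database so it runs offline, and the important detail from the "Updated" note is kept: a blank msg_send is a legitimate "write new message" request and must pass, while a present but non-numeric value is rejected.

```php
<?php
// Added example, not PHPFusion's own code. Demonstrates validating integer
// request parameters before they are used in a SQL query, and binding them
// as parameters so the database never treats them as SQL text.

/**
 * Return $value as a non-negative integer, or null if it is not one.
 * Only digit strings pass; "5 UNION SELECT ...", "-1", "" all return null.
 */
function int_param(?string $value): ?int {
    if ($value === null || $value === '' || !ctype_digit($value)) {
        return null;
    }
    return (int) $value;
}

/** Pagination offset ($rowstart): anything invalid falls back to page 0. */
function row_start(array $get): int {
    return int_param($get['rowstart'] ?? null) ?? 0;
}

/**
 * Message id ($msg_send): optional. Blank or absent means "write a new
 * message" and is allowed; present but non-numeric is a bad request.
 * Returns [valid, id] where id is null when no message is referenced.
 */
function msg_send(array $get): array {
    $raw = $get['msg_send'] ?? '';
    if ($raw === '') {
        return [true, null];
    }
    $id = int_param($raw);
    return [$id !== null, $id];
}

/** Build the query from validated values only; both are bound as integers. */
function messages_query(PDO $db, int $rowstart, ?int $msgSend): PDOStatement {
    $sql = "SELECT message_id, message_subject FROM messages";   // constructed schema
    if ($msgSend !== null) {
        $sql .= " WHERE message_id = :id";
    }
    $sql .= " ORDER BY message_id DESC LIMIT 20 OFFSET :start";
    $stmt = $db->prepare($sql);
    if ($msgSend !== null) {
        $stmt->bindValue(':id', $msgSend, PDO::PARAM_INT);
    }
    $stmt->bindValue(':start', $rowstart, PDO::PARAM_INT);
    return $stmt;
}

// Offline demo with an in-memory database and constructed rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE messages (message_id INTEGER PRIMARY KEY, message_subject TEXT)");
$db->exec("INSERT INTO messages VALUES (1, 'hello'), (2, 'second'), (3, 'third')");

// Constructed query strings: a normal request, a blank msg_send, and an injection attempt.
$requests = [
    ['rowstart' => '0', 'msg_send' => '2'],
    ['rowstart' => '0', 'msg_send' => ''],
    ['rowstart' => "0 UNION SELECT 1,2", 'msg_send' => "2 OR 1=1"],
];

foreach ($requests as $get) {
    [$ok, $id] = msg_send($get);
    if (!$ok) {
        echo "rejected msg_send=" . var_export($get['msg_send'], true) . "\n";
        continue;
    }
    $stmt = messages_query($db, row_start($get), $id);
    $stmt->execute();
    echo "msg_send=" . var_export($id, true) . " -> " . count($stmt->fetchAll()) . " row(s)\n";
}
```

The first request returns one row, the blank value returns all three (the new-message path is not blocked), and the third is rejected before any SQL is built; with the offset validated and bound as an integer, the "0 UNION SELECT" string never reaches the query either.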
Another XSS exploit fix
Another XSS exploit has been discovered that allows a malicious user to steal your cookie. Thankfully it was rather easy to fix, thanks to the help of CrappoMan and me. The fix is available as a separate patch (6-00-108up.zip) and has been added to the sourceforge files. Patch 6-00-108 upgrades both version 6.00.106 and 6.00.107. If you wish to update manually please click Read More for details. Thanks to ratboy and pacifico for their information. This patch also contains some more corrections in messages.php following a security advisory from gnucitizen. Download 6-00-108.zip (11Kb). Update: There was a small mistake in maincore.php and messages.php in the update package. It has been corrected, please re-download and re-apply the package or fix the problem manually as instructed in the comments of this news item.
August 30 2005
Private Message system open to exploits
I have been alerted to some sql injection exploits in PHPFusion's private message system. The problem is that certain variables are not sanitised (don't blame me I didn't create it!). I've fixed it now, so it's all nicely secure now. The full package has been updated to include the fix. Existing users can grab the messages patch from the downloads area.
August 15 2005
Improved IMG BBCode fix
The recent img bbcode patch fixed one problem but it is still exploitable under certain conditions. I have been working on a long term solution and have created a more reliable fix. The Sourceforge files have been updated, existing users can download the new maincore.php file from the downloads area. If you prefer to update the code yourself click Read More for instructions.
August 07 2005
BB Code security patch
Two security flaws have recently been discovered in the bb code parsing by two of our users. Grindordie found that a user could virtually deface areas of the site that utilise the [color] tags. While this does not cause any harm it can be rather annoying. EasyEx's discovery is quite a troublesome one, an attacker can potentially delete items from your site using the [img] tags without anyone knowing. As usual I have produced the required fixes. The Sourceforge files have been updated, existing users can download the new maincore.php file from the downloads area. Updated: I've refined the code and updated the files. If you prefer to update the code yourself click Read More for instructions. Update 2: The original [img] bb code fix does not quite cure the problem, we have now come up with a better solution. The sourceforge and update files have been updated. Click Read More to see the new code.
August 05 2005
DB Backup security patch
As you know a flaw was discovered recently which allows a malicious user to grab any db backup file created by PHPFusion. I have created a temporary solution whereby a random 8-character hash is added to the filename which should make it practically impossible to guess the filename. This is only a temporary solution whilst the dev team come up with a long term solution. This fix has been added to the full download over at Sourceforge. Existing users can download the patched db-backup file from the Downloads area.
July 13 2005
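The post above relies on the backup filename being unguessable, which holds only if the 8 characters come from a source an outsider cannot predict. The example below is an added illustration written for this page, not the patched db-backup script itself: it contrasts a name derived from the clock (predictable to anyone who knows roughly when the backup ran) with one drawn from the CSPRNG, and writes the file with owner-only permissions and without overwriting. The prefix, directory and sample dump are constructed; the permission step is an extra measure assumed here, not something the post describes.

```php
<?php
// Added example, not PHPFusion's own code. Shows why the random part of a
// backup filename must be unpredictable, plus safe creation of the file.

// Weak form: derived from a timestamp, so the candidate names for a given
// day are few and enumerable. Shown only for contrast.
function backup_name_weak(string $prefix, int $timestamp): string {
    return $prefix . '-' . substr(md5((string) $timestamp), 0, 8) . '.sql';
}

// Strong form: 4 bytes from the CSPRNG give 8 hex characters (2^32 values)
// with nothing in the name derived from time or other guessable state.
function backup_name_random(string $prefix): string {
    return $prefix . '-' . bin2hex(random_bytes(4)) . '.sql';
}

// Create the file exclusively ('x' fails if it already exists, so a collision
// can never overwrite an earlier backup) and restrict it to the owner.
function write_backup(string $dir, string $prefix, string $sqlDump): string {
    $path = rtrim($dir, '/') . '/' . backup_name_random($prefix);
    $fh = fopen($path, 'x');
    if ($fh === false) {
        throw new RuntimeException("backup file already exists: $path");
    }
    fwrite($fh, $sqlDump);
    fclose($fh);
    chmod($path, 0600);
    return $path;
}

// Demo with constructed values.
$dump = "-- constructed sample dump\nCREATE TABLE t (id INTEGER);\n";
$path = write_backup(sys_get_temp_dir(), 'db-backup', $dump);
echo "wrote " . basename($path) . "\n";
echo "weak name for a known timestamp: " . backup_name_weak('db-backup', 1121212800) . "\n";
unlink($path);   // clean up the demo file
```

Running it twice produces two different strong names, while the weak name is identical every run for the same timestamp, which is exactly the property an attacker would need. The post calls the renaming a stop-gap; keeping backups outside the web root, or denying direct HTTP access to the backup directory, is the longer-term control it defers to.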
v6.00.106 update fixes xss exploit
While I was away an xss exploit was uncovered in the news/article submission functions. The code I had produced to prevent the exploit was not quite right. This problem has now been rectified. Existing PHPFusion users can update using the v6.00.106 update pack. If you want to add the fix manually you simply need to replace the descript() function in your maincore.php. The sourceforge file has been updated. Update: It seems we forgot to include the prune forum function, the code was in place but there is no prune button in the forum settings admin page. I've added the required fixes as per Rayxen's advice. Sorry about that. To update, simply upload the files contained in the zip and then click Upgrade under System Admin in your Admin Panel. Download v6.00.106 update (8Kb).
July 01 2005