[Update 02/07/2006]: Hackers are now targeting photo submissions using the exploit explained below. I neglected to add the fix to submit.php as an oversight. If you have updated to 6.01.3 already, please upload submit.php from the updated 6.01.3 Update pack. If you have not yet updated to v6.01.3, please do so as soon as possible.
An image or not an image?

A critical bug fix in the form of v6.01.3 is now available for immediate download. The fix prevents the uploading of malformed images, including avatars and forum image attachments. The malformed image contains hidden JavaScript which, if viewed directly, executes a cookie stealer, thus compromising the super admin account. Avatar and forum image attachments are now scanned when they are uploaded; if any malicious code is detected, the image will be rejected.
Existing v6.01.2 users can download the file '6.01.3 Update for v6.01.2', upload the included files and click upgrade under System Admin. For those of you who have not yet upgraded, the full SourceForge package has been updated.
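The upload scan described above can be pictured with the following sketch. It is an added example, not the code shipped in v6.01.3 or any PHP-Fusion source; the function name, size limit and marker list are assumptions.

```php
<?php
// Added example, not PHP-Fusion code. The function name, size limit and
// marker list are assumptions chosen for illustration.

function upload_image_is_safe(string $path, int $maxBytes = 2097152): bool
{
    if (!is_file($path)) {
        return false;
    }
    $size = filesize($path);
    if ($size === false || $size === 0 || $size > $maxBytes) {
        return false;
    }

    // 1. The file must parse as an image of an allowed type; the claimed
    //    extension and the client-supplied MIME type are not trusted.
    $info = @getimagesize($path);
    $allowed = [IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG];
    if ($info === false || !in_array($info[2], $allowed, true)) {
        return false;
    }

    // 2. Scan the raw bytes for markup or script markers that a
    //    content-sniffing browser could interpret as HTML.
    $data = file_get_contents($path);
    if ($data === false) {
        return false;
    }
    $markers = '/<\s*(script|html|body|iframe|object|embed|svg|meta)\b'
             . '|<\?php|javascript\s*:|\bon(load|error|click|mouseover)\s*=/i';
    return preg_match($markers, $data) !== 1;
}

// Constructed sample: a valid 1x1 GIF, and the same bytes with a script
// element appended after the GIF trailer.
$gif   = base64_decode('R0lGODlhAQABAIAAAAAAAP///ywAAAAAAQABAAACAUwAOw==');
$clean = tempnam(sys_get_temp_dir(), 'img');
$bad   = tempnam(sys_get_temp_dir(), 'img');
file_put_contents($clean, $gif);
file_put_contents($bad, $gif . '<script>/* constructed marker */</script>');

foreach (['clean' => $clean, 'tampered' => $bad] as $label => $file) {
    echo $label, ': ', upload_image_is_safe($file) ? 'accepted' : 'rejected', "\n";
    unlink($file);
}
```

Marker scanning is a heuristic: re-encoding an accepted image with GD before storing it discards any bytes that are not decoded pixel data.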