Critical update - v6.00.303
Posted by Falk on 01/11/2006
Following the recent attack on a number of PHPFusion sites I have been looking for a possible exploit. Thanks to Jangus, we believe a user has been able to steal the site admin's cookie by uploading avatars with malicious filenames. Having checked our avatar files I discovered a number of hacked images. Annoyingly, these files cannot be deleted via FTP.

All admins are advised to check the folder images/avatars for any strange filenames. You should contact your host and ask them to remove any affected files from the avatars folder. To combat this exploit, the following files have been updated: includes/update_profile_include.php and administration/updateuser.php. You should also change your password to be on the safe side. Existing v6.00.301/302 users can update using 6-00-303up.zip: simply upload the files and click Upgrade under System Admin. The SourceForge packages have been updated to include this critical fix.
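As an added example (not code from PHPFusion or from the author of this post), the following Python script automates the manual check described above, flagging avatar filenames that contain characters outside a strict allow-list, and shows a hardened way to name stored avatars so the client-supplied filename is never written to disk or echoed into a page. The folder path, the allow-list pattern and the sample listing are assumptions.

```python
import re
import secrets
from pathlib import Path

# Assumed allow-list: a safe avatar name is a short run of letters, digits,
# underscore or dash followed by a single raster-image extension.
SAFE_AVATAR_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.(gif|jpe?g|png)$", re.IGNORECASE)


def suspicious_avatar_names(names):
    """Return the filenames that fail the allow-list check.

    Names with HTML-special characters (<, >, ", '), path separators,
    whitespace, a second extension or an unexpected extension are reported
    so an admin can have them removed.
    """
    return [n for n in names if not SAFE_AVATAR_NAME.match(n)]


def scan_avatar_dir(directory):
    """Scan a real avatars folder, e.g. images/avatars (path is an assumption)."""
    return suspicious_avatar_names(p.name for p in Path(directory).iterdir())


def safe_stored_name(user_id, original_name):
    """Hardened storage name: never reuse the uploaded filename.

    Only the extension is taken from the upload, and it must be one of the
    expected image types; the basename is built from the user id and random
    bytes, so no attacker-chosen characters reach the filesystem or HTML.
    """
    ext = Path(original_name).suffix.lower().lstrip(".")
    if ext == "jpeg":
        ext = "jpg"
    if ext not in {"gif", "jpg", "png"}:
        raise ValueError("unsupported avatar type")
    return f"avatar_{int(user_id)}_{secrets.token_hex(8)}.{ext}"


# Constructed sample directory listing, not taken from any real site.
SAMPLE_LISTING = [
    "user12.gif",
    "falk_avatar.png",
    'smile"<b>.gif',   # HTML-special characters in the name
    "../evil.jpg",     # path separator in the name
    "shell.php.gif",   # double extension
    "pic.JPG",
]

if __name__ == "__main__":
    for name in suspicious_avatar_names(SAMPLE_LISTING):
        print("suspicious:", name)
```

Run it against the real folder with `scan_avatar_dir("images/avatars")` from the site root; anything it reports is a candidate for the host to remove.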

Update: Thanks to skarecrow for confirming this serious exploit.

Download PHPFusion 6.00.303 Update for v6.00.301/302 (7 KB).