News: Security - Official Home of PHP-Fusion

Sign In

Navigation

Oh no! Where's the JavaScript?
Your Web browser does not have JavaScript enabled or does not support JavaScript. Please enable JavaScript on your Web browser to properly view this Web site, or upgrade to a Web browser that does support JavaScript.

Admin Password Reset Malfunction

Security

Admin Password Reset Malfunction

Recent events has made us aware of a malfunction of the Admin Password Reset page in the Administration Panel of PHP-Fusion v7.02. Given the right conditions this malfunction could enable a hacker to gain access to those accounts which have had their...

Most Recent News Most Commented News

Admin Password Reset Malfunction

Recent events has made us aware of a malfunction of the Admin Password Reset page in the Administration Panel of PHP-Fusion v7.02. Given the right conditions this malfunction could enable a hacker to gain access to those accounts which have had their...

Update on weekends downtime

This is just to let the community at large know about why the site was down over the weekend. From our preliminary investigations, there appears to be an issue with the admin reset facility. Our Dev team are currently verifying the problem and are working...

PHP-Fusion v6.01.19 upgrade for v6.01.18

We have just been informed about a very serious MySQL injections in the latest version of PHP-Fusion v6, PHP-Fusion v7 is perfectly safe and this injection do not harm any sites running PHP-Fusion v7 only those still using PHP-Fusion v6. The new package...

New spambot attack on PHP-Fusion v6 sites

During the last week is has become clear that there is a new wave of spambots registering on PHP-Fusion v6 sites. Especially sites that do not have member activation by administrators enabled may suffer from severe spamming in comments for news, photo's,...

PHP-Fusion v7.00.05 upgrade for v7.00.4

It's with pleasure that we announce the present upgrade package for PHP-Fusion v7. This package includes two minor vulnerabilities and a whole bunch of bug fixes and smaller improvements. Most bug fixes were already available through the SVN and, indeed,...

Security update for PHP-Fusion 7.00.3 and 6.01.17

Another XSS vulnerability in messages.php has been reported and fixed. PHP-Fusion 7.00.4 Update - for 7.00.3 only (7Kb). PHP-Fusion 6.01.18 Update - for 6.01.17 only (6Kb). The full download pacakages on SourceForge have also been updated. Thanks...

Security update for PHP-Fusion 7.00.2 & 6.01.16

An exploit in submit.php was reported just before our recent downtime. It only affects servers with magic quotes disabled so risk is minimal. As always we have prepared an update which addresses the issue. The SVN and full download package have also been...

Themes Site - Offline | Update: Online

Due to detected malicious hacking attempts directed at the themes site it will remain offline until further investigation can be completed. We thank you for your patience while we investigate! To calm everyone, this is not a PHP-Fusion flaw but the remains...

PHP-Fusion v6.01.16 - as promised...

For those of you who did not update to v7 yet, a SQL Injection vulnerability patch is available for v6.01.15. As usual - if you are running an earlier version of 6.01, you need to apply the previous updates before utilizing this patch. However, please...

Security update for PHP-Fusion 7.00.1

We are happy to announce that the exploit in messages.php that was reported earlier today is now fixed. Also updated is search.php to cure a few niggles, but that was nothing serious. An update for v6 will follow soon. The SVN and full download...

Exploit in Private Message System reported

Today a exploit was reported in messages.php, the main file responsible for the Private Message System. It is been brought to attention of the developers and they will release a patch as soon as possible. If you want to be certain that your site will...

PHP-Fusion v6 - Mod Vulnerability Patch

The PHP-Fusion version 6 vulnerability was officially linked to an Advanced Search System modification from mFusion developed by Wooya. You can download a patch by PMM at the following link ( http://www.phpfusion-mods.com/ ) or you can download a patch...

Once more: Update your site a.s.a.p.

Please be advised that the person(s) responsible for attacking the PHP-Fusion sites through the search vulnerability is still active, even though a fix is made available. The raw access logs from my own site, even though upgraded to v7.00.1, show five...

PHP-Fusion v6 Vulnerability Information

Hello all, A update on our efforts to find the issue with v6. Why it has taken us awhile to track it down is because the hack is targeted towards search.php as well in v6. However the affected regions in v7 are not in v6 unless you are using the Advanced...

Critical Security update for PHP-Fusion 7

Ok folks, as you know a security issue was reported yesterday. I and the dev team have been working on the issue and a fix is now available for v7. We have yet to discover v6's flaw at this time but we believe it may be a non core infusion. Anyway,...