Admin Password Reset Malfunction

Recent events have made us aware of a malfunction in the Admin Password Reset page in the Administration Panel of PHP-Fusion v7.02. Given the right conditions, this malfunction could enable a hacker to gain access to accounts whose passwords have been reset using the Admin Password Reset page.

Affected PHP-Fusion versions: All PHP-Fusion v7.02.xx.

Details of the malfunction:

The malfunction was caused by an improper implementation of the PasswordAuth class (/includes/classes/PasswordAuth.class.php), which handles login and admin passwords for all users in PHP-Fusion. As a result, 1 out of 10 reset admins would have an empty login password, which enabled the hacker to access the account using a random password of his or her choosing.
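A reset that can leave an account with an empty login password is the kind of failure that a post-condition check on every reset, combined with fail-closed verification, is meant to stop. The PHP below is an added example, not PHP-Fusion code and not the patched PasswordAuth class; all function names are hypothetical, and it assumes PHP's built-in `password_hash`/`password_verify` rather than PHP-Fusion's own hashing.

```php
<?php
// Added example, not PHP-Fusion code. All function names are hypothetical.

/** Generate a reset password from a CSPRNG; never returns a short or empty value. */
function generateResetPassword(int $length = 16): string
{
    if ($length < 12) {
        throw new InvalidArgumentException('Reset password length too short');
    }
    $alphabet = 'abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789';
    $password = '';
    for ($i = 0; $i < $length; $i++) {
        $password .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    return $password;
}

/** Fail closed: an empty input or an empty stored hash never authenticates. */
function verifyLogin(string $input, string $storedHash): bool
{
    if ($input === '' || $storedHash === '') {
        return false;
    }
    return password_verify($input, $storedHash);
}

/** Reset a password and check the result before the caller stores it. */
function resetPassword(): array
{
    $password = generateResetPassword();
    $hash = (string) password_hash($password, PASSWORD_DEFAULT);
    $other = generateResetPassword(); // a different, unrelated password

    // Post-conditions: the new password logs in; empty and unrelated ones do not.
    if (!verifyLogin($password, $hash)
        || verifyLogin('', $hash)
        || ($other !== $password && verifyLogin($other, $hash))) {
        throw new RuntimeException('Reset produced an invalid credential; nothing saved');
    }
    return ['password' => $password, 'hash' => $hash];
}

// Constructed run: every reset must pass its post-conditions.
for ($i = 0; $i < 5; $i++) {
    $r = resetPassword();
    printf("reset %d ok, hash length %d\n", $i + 1, strlen($r['hash']));
}
var_dump(verifyLogin('anything', '')); // an empty stored hash is rejected
```

Because the check runs on every reset, an intermittent failure aborts that reset instead of being written to the user record.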

Our recommendation:

Until PHP-Fusion v7.02.03 is released, we discourage all use of the Admin Password Reset page. It is, however, not possible to exploit this problem without the Admin Password Reset having been used first. If you have used it, we encourage you to change your passwords manually.

More information, as well as patched files, will continuously be made available on the Development Site. In the meantime, you can send your questions directly to Hans Kristian Flaatten, Development Team Leader.
