Possible SQL Injection Vulnerability - glFusion v1.1.3

An exploit has been published for Geeklog <= 1.5.2 that performs a SQL injection attack to compromise a user's password hash and masquerade (automatically login) as an admin user.  This exploit could be adapted to work on glFusion as well.  Although glFusion v1.1.3 is not vulnerable to the user masquerading exploit using the password hash in the long term cookie, it is still important to patch this vulnerability to ensure there are no other holes available to an attacker.

We have updated 3 key files in glFusion to help prevent SQL injection exploits:

private/system/lib-security.php

private/system/lib-sessions.php

private/system/lib-webservices.php

It is recommended that you update your site as soon as possible with these updates.

NOTE: This exploit takes advantage of the Remote Webservices featue of glFusion which is enabled by default.  You can turn off webservices by going into the Online Configuration System - Miscellaneous - set Disable Webservices to true.  This will prevent this specific exploit from succeeding.

These fixes should only be applied to glFusion v1.1.3.