User Settings SQL Injection Vulnerability - glFusion v1.1.3
Another exploit has been published for Geeklog <= 1.5.2 that performs a SQL injection attack through usersettings.php to obtain a user's password hash and then masquerade as (automatically log in as) that user, including Admin accounts. This exploit could be adapted to work on glFusion as well.
Although glFusion v1.1.3 is not vulnerable to the user-masquerading part of the exploit, which relies on the password hash being used in the long-term cookie, it is still important to patch the SQL injection itself to ensure there are no other holes available to an attacker.
This fix should only be applied to glFusion v1.1.3.